Comments (13)
yuriiurshuliak
commented on July 1, 2024
Absolutely, it's crucial to ensure you download APK files exclusively from official sources. Also, it's important to remember that third-party websites might not always offer accurate or reliable information.
from osmand.
vshcherb
commented on July 1, 2024
We have no idea what it is and it's probably unrelated to us
from osmand.
mariush444
commented on July 1, 2024
Absolutely, it's crucial to ensure you download APK files exclusively from official sources. Also, it's important to remember that third-party websites might not always offer accurate or reliable information.
What are you talking about?
It is yours https://download.osmand.net/latest-night-build/
from osmand.
mariush444
commented on July 1, 2024
We have no idea what it is and it's probably unrelated to us
In my opinion it is completly unprofessional to close such event without investigation.
Shame
from osmand.
vshcherb
commented on July 1, 2024
What kind of investigation. There is no proof what happened / when, there is no trust in such services that they are always correct.
However I trust my team and we all do double times code review. You also see full history of commits.
from osmand.
vshcherb
commented on July 1, 2024
We can't search something if there is no proof enough, if service would say that part of code or that class is trojan that would be at least something to work with.
If you see strange behavior - ok. If we see something strange on our servers - ok, but I don't see anything, so it's not a rush decision, just quick and that's it. No need to wait to come to this conclusion
from osmand.
mariush444
commented on July 1, 2024
You know that everything can be hacked like previously python: libraries, github, root certificates ...
and it is not about your "trust my team". Some files can be overwritten at anyplace or anytime. It just happens sometimes. Because of that #18664 could be helpful.
(just example https://arstechnica.com/information-technology/2022/08/10-malicious-python-packages-exposed-in-latest-repository-attack/)
What should you do?
Asked for a apk that I download to verify by yourself. You even don't know what version / which day I downloaded your file.
It is possible that it false positive, as I mentioned. In this case you should contact with service and ask what is going on.
They can make mistake but clarification of this can improve their service/solution too.
But from other hand you can get info about you don't know yet.
Other programmers, owners of the code do as I describe. It is obvious and no problem.
Do you noticed huge list "Memory Pattern Urls" that is used by your apk? (http://profile.tut.by - come on)
It seems that you just closed the problem to hide a possible problem from others as quickly as possible.
from osmand.
vshcherb
commented on July 1, 2024
Do you noticed huge list "Memory Pattern Urls" that is used by your apk? (http://profile.tut.by/ - come on)
Where this coming from?
I'm closing issue that we're not going to work with but it might be reopen. Open / Closed issues have the same visibility if I wanted to hide it would be different.
from osmand.
vshcherb
commented on July 1, 2024
From analysis we did that service showed that Free version is "Trojan free" and Paid "Trojan not free", I estimate that it's highly unlikely and My estimation that Service false positive detection much more likely.
So if I get more valuable information, I would continue working on that issue and I don't say that Trojan absolute 0% chance
from osmand.
RZR-UA
commented on July 1, 2024
mariush444
Thank you for your attention to this issue.
The link "profile.tut.by", among with others, came from https://github.com/scribejava/scribejava which we use for OAuth proto.
I've splitted our "trojaned" APK files into parts, scanned the parts with VirusTutal, and have found that only 1 dex-file (compiled classes.dex) was reacted by IKARUS scanner.
In addition, I've installed IKARUS scanner to my Android and it has reacted to nightly APK-files on smartphone, too.
Interestingly that our (OsmAnd made) classes are located in other dex-files (classesX.dex) and not affected, but that 1st dex-file (classes.dex) contains a lot of Android/etc libraries and affected.
If you had some spare time, would you mind checking these files in details?
dex-binary.zip - classes.dex was reacted by VirusTotal
dex-decompiled.zip - decompiled classes.dex (by jadx decompiler)
from osmand.
mariush444
commented on July 1, 2024
good job. I really appreciate your effort.
I let you know if I find something valuable.
from osmand.
mariush444
commented on July 1, 2024
it seems that problem is not directly in a source code but with domains that are used in a code.
especially with: c.tenor.com , 142.251.18.94 , 142.251.31.94.
They are reported as a source of malwers
Because some modules use planty of domains
https://www.virustotal.com/gui/file/41146d1f6641f692e4fdf20f7ab8b7adae7f97162b42f7783b9584d289a572fb/details
so my idea is to make simple test ...
please, rename all .com , .org , .ru, .cn. , .by , .no accordingly to: .1com , .1org , .1ru , .1cn. , .1by , .1no
compile as usually and test in virustotal.
from osmand.
vshcherb
commented on July 1, 2024
We're going to update OAuth-2 library soon, probably it won't have these dependencies.
from osmand.
Related Issues (20)
- Export Track HOT 2
- Address search does not extend beyond 500 km HOT 2
- Beginning of the track by default HOT 2
- Search does not find Scottish parliament despite me hovering over it HOT 3
- “Announce deviation from route” should run with every setting HOT 2
- Excessive heating of the phone when using OsmAnd+ (most of the time with Android Auto) HOT 3
- Required Maps dialogs reappears each time on Back button
- Regression : Opengl crashes OsmAnd and is very slow when Live enabled HOT 5
- Outdated menu item HOT 2
- Add an icon to motorway junctions
- Deletion error from search list HOT 2
- Tertiary links and tertiary roads are displayed the same way in UniRS map style
- Add other App Theme options
- OSM Live changes don't appear in Version 2 rendering, but do in Version 1
- Avoid loop in the announcement of Route Recalculation
- Location Not Yet Known HOT 3
- Introduce a new road-style "pale"
- OsmAnd Online GPS Tracker stuck at Authorization HOT 1
- "position teleport" in track recording after pause/resume
- When changing a recorded track's name before saving, use that name in GPX, too
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from osmand.