Some feature suggestions

[victorxstc]

Hi
Thanks a lot for your nice website and service, all done single-handedly.

I had a few suggestions:

1. Similar to VirusTotal, please check the HASH of the to-be-uploaded file, before attempting the upload. It is possible that you have already received a certain APK file before. So the rest of the uploads from many users would be redundant. This will go hard on both the website server as well as those non-first-uploader users (especially those with not-so-fast internet connections who need to wait a lot).
This way, if you have already analyzed that file before, you can simply show the results of that previous analysis each time a new user intends to upload a file, simply by checking the HASH of the to-be-uploaded file (instead of really doing the upload).

---

2. Most of the items shown on the website are quite technical and not at all easy to understand for the average user (like myself). I mean at least 90% to 95% of the whole content of your website is vague or worse, not at all understandable (at least to me). I am not just throwing a number; I carefully read the whole report of various aspects of the analyses shown by Pithus for a couple of APK files, and thought I have no clue what the website is actually talking about.

So if possible, please create popup (as well as hyperlinked) help mesages for almost every item shown on the website, so that a confused user can understand what is going on.

• For example, every text item can have a small circle with an "i" in the beginning of it, hovering which will explain that item.
• The items that look like buttons (for example, they are encircled within square frames) can themselves trigger popup messages upon hovering.
• Or they can be clicked, so that a new browser tab opens, showing details about that particular button.
• There can also be some links within the popup help messages for those who want to read much more details about that particular item shown on the website.

---

2A. Currently, some items have very brief explanations.** For example, it is written "A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported."
But in such situations, the explanation itself is extremely vague. For example, what is a "Broadcast Receiver" to begin with? Here, popup help messages may help.

---

2B. UPDATE: I saw the website has already a help page (currently called About) that explains some of the items very briefly. I appreciate it very much. Perhaps, this About page should be expanded a lot, and get divided into different, more specialized pages (like About, Help, etc). Currently, the help items shown in the About page are not visible in the main page. I thought the About page would be something about the website, its goal, its developer, etc., and not about the technical items.

So a differentiated help page would be good. But I think popup and linked help messages that appear for each item would be much better, much more effective, and much more convenient, than a separate Help page.

---

3. Important: Please note that viruses get detected days or months after the file is sent to a particular antivirus lab for the first time. (And VirusTotal sends the newly received files to all the antivirus labs). So in many cases, the result of VirusTotal can be the "First" assessment of that particular file by various antivirus labs, and therefore, very prone to a high false-negative error rate. Therefore, it is always good to check for the "Threat status" of a file on VirusTotal, not only once, but also some days later after the initial submission of the file.

However, Pithus only asks VirusTotal to analyze the file, once. Right now I am looking at a file analysis report generated in early 2021, and its VirusTotal result shows 0/58. This indicates that the results are old and for the time there were only 58 antiviruses in VirusTotal (and not like now, 67 antiviruses).

So the Pithus report regarding the "Threat Intel." of a file may be quite misleading at times, if the file was actually virus-infected but the virus was quite new and submitted to VirusTotal for the first time (or very recently).

I think it would be good to also update the linked result of VirusTotal after some time [by asking VirusTotal to Re-analyze the file after some time]. This may (but not should) be, for example, each time a user asks for analyzing the very same file. However, this can inflate the traffic of VirusTotal.

So perhaps, it would be good to ask VirusTotal to Re-analyze the file (again), once after for example 7 days from the initial receipt of the suspicious APK file at Pithus, and after that, once every month (by asking VirusTotal to Re-analyze the file again every month). So to be clear, it would be something like this: First VirusTotal results (immediately upon the first submission of an APK file to Pithus), 7-day VirusTotal results (7 days after that first submission of that particular APK), and then every-month VirusTotal result updates (each update being performed 1 month after that 7th day).

Or something like the above strategy that suits the website as well as the users the best.

[evilcel3ri]

Hi @victorxstc!

Thank you for your suggestions and the time you took to write them!

Before anything, keep in mind that Pithus is an open-source project fueled by volunteer energy. We are just a small team contributing to the project, you are welcome to join us on our Discord server: https://discord.gg/PgdKfp4VMQ

1. Similar to VirusTotal, please check the HASH of the to-be-uploaded file

This is already the case. Check the code in front/view.py#basic_upload_view.py

2. Most of the items shown on the website are quite technical and not at all easy to understand for the average user (like myself). I mean at least 90% to 95% of the whole content of your website is vague or worse, not at all understandable (at least to me). I am not just throwing a number; I carefully read the whole report of various aspects of the analyses shown by Pithus for a couple of APK files, and thought I have no clue what the website is actually talking about.

Pithus is a tool made for technical analysts and reverse engineers, it is intended to feature a large amount of precise information about the APKs. It is not intended for the average user. To this intent, I would recommend you to look into https://exodus-privacy.eu.org/en/ which is a tool aimed at the general public.

3. Important: Please note that viruses get detected days or months after the file is sent to a particular antivirus lab for the first time. (And VirusTotal sends the newly received files to all the antivirus labs). So in many cases, the result of VirusTotal can be the "First" assessment of that particular file by various antivirus labs, and therefore, very prone to a high false-negative error rate. Therefore, it is always good to check for the "Threat status" of a file on VirusTotal, not only once, but also some days later after the initial submission of the file.

We are very aware of that. VirusTotal, AnyRun, MalwareBazaar, JoeSandBox, Triage and the others have the same issue. Only VirusTotal can afford to rerun the analysis over time to indicate possible new detections. Those operations are increadibly expensive to run, not only on the computational part but also the cost of recalling the VT API constantly on our side. This is why you will encounter the same issue on other plateforms at the exception of VT.

But we have a script that you can run locally if you self-host your instance of Pithus:

docker-compose -f local.yml run --rm django python manage.py update_reports SHA256 *

You can find the specific options in core/management/commands/update_reports.py so you can choose which analysis you'd like to rerun. You can of course set up a script to do it periodically (like a cronjob).

Let me know if you have further questions.

[victorxstc]

Hi @evilcel3ri

Thanks a lot for your prompt response. Just some follow-up comments:

This is already the case. Check the code in front/view.py#basic_upload_view.py

Thanks. Sorry, I am not much of a programmer and am not familiar with Github too; I just joined to write my ideas about Pithus.
But at least, from my current experience on Firefox, each file gets uploaded repeatedly, without any HASH checking. I just tested it on Chrome too, and it again started uploading the file without any HASH-checking (although I had already sent this file before). Maybe I am missing something.

---

Pithus is a tool made for technical analysts and reverse engineers, it is intended to feature a large amount of precise information about the APKs. It is not intended for the average user. To this intent, I would recommend you to look into https://exodus-privacy.eu.org/en/ which is a tool aimed at the general public.

I see. But Pithus is being recommended on many forums and circles to the average or below-the-average (technical illiterate) users.
I think you can (or perhaps should) put a disclaimer on your website about the fact that Pithus is only for professionals and is not supposed to be understandable by the general public, in the first place. That may save many users a lot of headache and confusion.

Besides that, putting popup (or link) help messages wouldn't hurt anybody. It wouldn't reduce the efficiency of your website, or wouldn't change its purpose. It is just a free extra (but very awesome) feature at no cost. I know it will drain your time to implement it, but I think it is worth investing in. This is because such popup help boxes will (1) make your website become understandable to a MUCH broader audience, and therefore, (2) it would help even those few technical superusers fight and investigate APK malware much more effectively because a larger pool of users means much more APK samples submitted to your website.

If you remove a large part of your audience (the general public), you will automatically lose a lot of potential malware that could have been otherwise submitted to Pithus and its professional superusers.

Also: I just saw that https://exodus-privacy.eu.org/en/ only works with URLs. It doesn't receive APK files from users. So Pithus can be of much use in that department too.

---

But we have a script that you can run locally if you self-host your instance of Pithus:

Thanks again. I am not into these technical steps. But your comment will be useful for future users with the same concern.
Also thanks for explaining the cost of re-analyzing files.

[evilcel3ri]

Thanks. Sorry, I am not much of a programmer and am not familiar with Github too; I just joined to write my ideas about Pithus.
But at least, from my current experience on Firefox, each file gets uploaded repeatedly, without any HASH checking. I just tested it on Chrome too, and it again started uploading the file without any HASH-checking (although I had already sent this file before). Maybe I am missing something.

Right, I see what you mean. The logic will happen on the server-side, we won't analyse them again and the user should be redirected to the ad-hoc report. We won't show a pop-up about it to the user, I understand it could be confusing.

But Pithus is being recommended on many forums and circles to the average or below-the-average (technical illiterate) users.

Really? I am the first happy surprised about it. Could you tell us which forum is that? We never thought that many people would be interested in our tool.

Besides that, putting popup (or link) help messages wouldn't hurt anybody.

Of course it won't but, that kind of improvement is not on our current to-do list for Pithus. If you feel strongly about it, the best thing for us to reach our to-do list is to create issues https://github.com/Pithus/bazaar/issues/new and someone will maybe pick this up. Unfortunately, I am not a UX/UI designer so there is little chance I will look into it in the future.

Also: I just saw that https://exodus-privacy.eu.org/en/ only works with URLs. It doesn't receive APK files from users. So Pithus can be of much use in that department too.

Extracting and uploading APKs is hard for most beginner users, usually they base themselves on the on-device analysis. You can download and install their app and the application will run the analysis for you. It's even easier.

Let me know if you have further questions.

[victorxstc]

Thanks a lot again dear @evilcel3ri

The logic will happen on the server-side

That would be good for the server but still go hard on users who must upload their files. It would become extremely difficult for those with not light-speed internet connections.

Really? I am the first happy surprised about it. Could you tell us which forum is that? We never thought that many people would be interested in our tool.

Yes, rest assured that your website is getting attention. :)

Of course it won't but, that kind of improvement is not on our current to-do list for Pithus. If you feel strongly about it, the best thing for us to reach our to-do list is to create issues https://github.com/Pithus/bazaar/issues/new and someone will maybe pick this up. Unfortunately, I am not a UX/UI designer so there is little chance I will look into it in the future.

Just did.

Extracting and uploading APKs is hard for most beginner users, usually they base themselves on the on-device analysis. You can download and install their app and the application will run the analysis for you. It's even easier.

I didn't know they have such an app. That would be very good.

[evilcel3ri]

Yes you can send me an email at postal+github(at)pksl(dot)es

[victorxstc]

Just created this one too (about HASH-checking on the client side):

#114

[U039b]

Hi there!
@victorxstc thank you very much for your feedback.

I have implemented the feature you suggested regarding checking if a given sample has already been analyzed BEFORE uploading it. It is online, feel free to check it and tell me if it corresponds to the need you described.

Cheers,
Esther

[victorxstc]

Hi @U039b

Wow that was lightning fast! Thanks a lot for your awesome contribution and care. I checked it and it worked very nicely. Now Pithus is so much more desirable to use. Much appreciated! :)

[U039b]

You are welcome.

Another feature will be deployed later today: the user can either upload a sample OR specify a URL from which the APK will be downloaded by Pithus.

[U039b]

Done :)

[victorxstc]

Wow!! You are amazing Esther @U039b!! 💯 Very committed and awesome! (Also @evilcel3ri ). Guess at this rate, I Pithus becomes a great thing soon. Best of luck.
If I had any more ideas, would love to share them.

[victorxstc]

I just noted something!

Regarding our previous conversations with @evilcel3ri about Pithus being a technical-only website:

Christopher told me: "Pithus is a tool made for technical analysts and reverse engineers, it is intended to feature a large amount of precise information about the APKs. It is not intended for the average user. To this intent, I would recommend you to look into https://exodus-privacy.eu.org/en/ which is a tool aimed at the general public."

However, the website banner states "Mobile threat intelligence for the masses".

So I think the wiring on the Pithus website may be somehow confusing, as it explicitly states that Pithus is for the masses while it is not (at least currently). I think perhaps you should change it to something clarifying like this:

Mobile threat intelligence for technical analysts and reverse engineers

(Of course, I am fully aware that you are on your way to implementing documentation (and hopefully popup help messages) to make it Also for the masses in the near future.)

[U039b]

Hi!
Pithus is maintained by 2 tech-savvy individuals (@evilcel3ri and me) so it could be tricky for us to figure out what is the appropriate level of information for less tech-savvy people. But we will do our best to lower the technical barrier. It would be difficult to add meaningful pop-up explanation since most of technical indicators are subject to interpretation.

That said, we are working on a narrative summary explaining what is important to look at, what indicators can help the user to figure out if an app is malicious, etc. For the moment, we will focus our efforts on this as we think this summary will be helpful. If it is okay for you, we will ask you for your feedback and insights regarding this summary.

We will do our best to add, implement the features you need. We are conscious that Pithus's reports are really technical. But we should keep in mind that we should not over-simplify them because it would make them misleading and would potentially create a false sense of security. There is a tricky tradeoff to be found between having too technical reports and having misleading reports.

[victorxstc]

Hi @U039b

Pithus is maintained by 2 tech-savvy individuals (@evilcel3ri and me) so it could be tricky for us to figure out what is the appropriate level of information for less tech-savvy people. But we will do our best to lower the technical barrier. It would be difficult to add meaningful pop-up explanation since most of technical indicators are subject to interpretation.

Awesome! :) Thanks a lot for listening. I understand that it would be difficult and subjective. I just thought maybe the word "masses" written on the website can be changed to something more clarifying. Besides, I think any amount of explanation would be better than no explanation at all.

But I am thinking of some solutions to the vagueness and subjective nature and difficulty of knowing what should be added:

1. It is possible that you explain something (for example, in a popup message or in a separate help page hyperlinked to, from that very item); and then in that very help message, put an option for the user to rate the extent of the helpfulness of the comment (for example, a row of 5 stars or 10 stars), so that you can see directly from the users' feedback that what the helpfulness score of each explanation is and if the given explanations need improvement. Over time, you would accumulate a really massive database of usefulness scores, which can allow you "see" from the eye of users, and tailor the website to their needs and preferences.

2. Then, you can put a link on each popup message (or each hyperlinked help) that says "Feedback". This may allow them to send you a rather short feedback message about what exactly they need (that was not in the comment).

3. Besides a row of stars for the usefulness of a feature and its help, you can also put another row of 10 stars for the technicality (technical level) of the help message (either a popup or else), and see for your users (who can be average like me or tech-savvy like yourself or even tech-illiterate), if a particular help message would be too technical or too easy to understand. Again, over time you will amass a very large database of "technicality scores" that allow you to make proper decisions in terms of revising the help message. The 10-star continuum can range from "Completely understandable" to "Completely technical".

4. Finally, you can also put a third question, asking the user about his/her own perceived level of technicality. It can read something like this: What is the level of your computer, mobile, and cybersecurity knowledge? 1. Technical illiterate (I cannot even operate my phone easily) 2. I am comfortable with computers but cannot do any technical fixing 3. I do my fixing myself 4. tech-savvy computer programmer but not familiar with cybersecurity 5. tech savvy computer programmer with extensive knowledge of cybersecurity, etc. (I think you get the idea).

5. You can also have 2 or more different interfaces for your website. For example, upon opening the website, the website shows a question, asking the user to select his/her desired level of technicality. Then, you can show him an interface appropriate for that particular user. For example, you can have 4 different interfaces. The one you currently have can be shown to the "very technical user", while less technical and more average results can be shown to less technical users who select interfaces such as "Very general, Somehow technical, Technical, Very technical".

6. Of course, the user can select the "technicality" level of the website interface, at any time, by simply selecting it from a dropdown menu at the upper-right corner of the website.

7. And you can save the preferred option of the user through cookies, so that in the next use, the website shows the preferred interface for a given user who has previously visited the website.

8. You can also keep the number of different interfaces chosen. This allows you to keep track of different levels of technicality of your users (like the above point 3).

That said, we are working on a narrative summary explaining what is important to look at, what indicators can help the user to figure out if an app is malicious, etc. For the moment, we will focus our efforts on this as we think this summary will be helpful. If it is okay for you, we will ask you for your feedback and insights regarding this summary.

This would be extremely helpful.

1. I myself need to send Pithus reports to some knowledgeable friends to tell me if they believe this particular app is bad or good. It would be extremely useful if you can yourself give such a summarized explanation.

2. Also, a summarized "score of dangerousness" would be very good. For example, saying that:

Based on various factors, it seems that this particular app may be dangerous for about 45% (between 30% and 60%). Disclaimer: This summarized dangerousness score is calculated automatically, and should not replace a careful assessment of the app by professionals.

3. Moreover, you can create a community of technical users who would rate an app (something like VirusTotal community or the "Free Download Manager" community). But such an option should be available only to people who have proven to be really knowledgeable about cybersecurity (but not general users, and not bots). Each tech-savvy user can select a number from 0 to 100 for the dangerousness of a given app. This way, the website will show an indicator of dangerousness based on the Average technical users' votes.

4. You should also show the number of professionals who have rated a particular app.

5. In less technical interfaces of your website, you should show only a Rounded Average score for the technical users' overall judgments (to keep from becoming confusing; for example, "37% malicious, rated by 278 professionals. More details available in more professional interfaces"). But in more professional interfaces, you should also give 95% confidence intervals for the average score as well as the minimum and maximum for the given scores. For example, it can be reported like this:

This app has been rated 37.2% malicious by 278 professionals (with a 95% confidence interval of around 34.0% to 40.4%). The minimum given dangerousness score was 23%, while the maximum given dangerousness score was 71%.

6. I think you should keep both indicators (the automatically generated one (point 2) as well as the user-generated one (point 3).

7. You should also put options for tech-savvy users to add short comments on a given app if they wanted (with credentials showing they are professionals). This should be beside the indicator mentioned in point 3. So it would read like this:

This app has been rated 37.2% malicious by 278 professionals (with a 95% confidence interval of around 34.0% to 40.4%). The minimum given dangerousness score was 23%, while the maximum given dangerousness score was 71%. To see professionals' detailed opinions written by themselves, see this link.

8. You can also show a histogram of professional users' scores given to a given app. This histogram will show how many super-users have given the app for example 34, how many have given it 35, how many 36, how many 37, and this would be given for all the scores given. The range of the histogram will be between the minimum and maximum numbers. Alternatively, a better range for the histogram scores can be between 0 and 100 (for example, how many users gave the score 0? how many 1s? how many 2s? How many 3s? etc.). This histogram will be a very useful visual way of showing the broadness of different opinions (dangerousness scores) as well as the controversy over the opinions of different professional users.

This app has been rated 37.2% malicious by 278 professionals (with a 95% confidence interval of around 34.0% to 40.4%). The minimum given dangerousness score was 23%, while the maximum given dangerousness score was 71%. To see professionals' detailed opinions written by themselves, see this link. To view a histogram of different dangerousness scores given by all 278 professionals, see this link.

9. The histogram can be also shown as a popup message (both as a separate link with more details, and as a popup message with fewer details).

We will do our best to add, implement the features you need. We are conscious that Pithus's reports are really technical. But we should keep in mind that we should not over-simplify them because it would make them misleading and would potentially create a false sense of security. There is a tricky tradeoff to be found between having too technical reports and having misleading reports.

I understand and thank you so much. I am not saying the above just for my own need. I would love to see something great like Pithus (created by very responsive and committed individuals like you) thrive, hence my feedback. I also like the way websites like Pithus and VirusTotal can fight cyberattacks. I used to give feedback to the founder of VirusTotal too (a couple of times, when VT was very young), and like you, he too was very responsive and committed. Not that my feedback is anything special! ^^

For avoiding oversimplification, I guess my above points may help. In short, having various channels of user feedback (to see from their eye), having various interfaces tailored to different levels of users' tech-savviness, and having various indicators of maliciousness (automatically generated versus user-generated) besides proper disclaimers would allow a high degree of confidence in your summarized reports and almost prevent a false sense of security.