Configuration vulnerability analysis and management in Device Farm - AWS Device Farm

Configuration vulnerability analysis and management in Device Farm

Device Farm allows you to run software that is not actively maintained or patched by the vendor, such as the OS vendor, hardware vendor, or phone carrier. Device Farm makes a best-effort attempt to keep device software up to date, but makes no guarantee that any particular version of the software on a physical device is current; by design, this means potentially vulnerable software may be put into use.

For example, if a test is performed on a device running Android 4.4.2, Device Farm makes no guarantee that the device is patched against the vulnerability in Android known as Stagefright. It is up to the vendor (and sometimes the carrier) of the device to provide security updates to devices. A malicious application that exploits this vulnerability is not guaranteed to be caught by our automated quarantining.

Private devices are maintained as per your agreement with AWS.

Device Farm makes a best-effort attempt to prevent customer applications from performing actions such as rooting or jailbreaking. Device Farm removes quarantined devices from the public pool until they have been manually reviewed.

You are responsible for keeping any libraries or versions of software that you use in your tests, such as Python wheels and Ruby gems, up to date. Device Farm recommends that you update your test libraries.

These resources can help keep your test dependencies up to date:

  • For information about how to secure Ruby gems, see Security Practices on the RubyGems website.

  • For information about the safety package used by Pipenv and endorsed by the Python Packaging Authority to scan your dependency graph for known vulnerabilities, see Detection of Security Vulnerabilities on GitHub.

  • For information about the Open Web Application Security Project (OWASP) Maven dependency checker, see OWASP DependencyCheck on the OWASP website.

It is important to remember that even if an automated system does not report any known security issues, that does not mean there are no security issues. Always exercise due diligence when using libraries or tools from third parties, and verify cryptographic signatures when possible or reasonable.
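The following is an added illustration of what the dependency checks recommended above actually do; it is not Device Farm, AWS, safety or OWASP Dependency-Check code. It audits a pinned Python requirements file against an advisory list and checks a downloaded artifact against its pinned hash. Every package name, version, advisory identifier and artifact below is a constructed placeholder; a real audit loads advisories from a maintained database and uses a full PEP 440 version parser rather than the numeric-only one here.

```python
"""Offline audit of pinned test dependencies against an advisory list.

Added example, not Device Farm or AWS code. Package names, versions,
advisory ids and the artifact bytes are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed advisory feed. Ranges use pip-style specifiers limited to
# the <, <=, >, >= and == operators, joined by commas.
ADVISORIES = [
    {"package": "examplelib", "id": "ADV-EXAMPLE-0001",
     "vulnerable": ">=1.0,<1.3.0", "fixed_in": "1.3.0"},
    {"package": "imgcodec", "id": "ADV-EXAMPLE-0002",
     "vulnerable": "<0.9.2", "fixed_in": "0.9.2"},
]

# Constructed artifact standing in for a downloaded wheel; its hash is
# what a requirements file pins with pip's --hash option.
EXAMPLELIB_ARTIFACT = b"constructed wheel bytes for examplelib 1.2.0"
EXAMPLELIB_SHA256 = hashlib.sha256(EXAMPLELIB_ARTIFACT).hexdigest()

# Constructed requirements file of the kind a test package carries.
REQUIREMENTS = f"""\
# test dependencies (constructed sample)
examplelib==1.2.0 --hash=sha256:{EXAMPLELIB_SHA256}
imgcodec==0.9.2
reportgen>=2.0        # not pinned: exact version unknown until installed
safelib==4.1.1
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only version tuple; enough for this demo, not full PEP 440."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples after zero-padding to equal length."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
       ">=": lambda c: c >= 0, "==": lambda c: c == 0}


def in_range(version: str, spec: str) -> bool:
    """True when version satisfies every clause of a comma-joined specifier."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


@dataclass
class Requirement:
    name: str
    op: Optional[str]       # None when the line carries no version operator
    version: Optional[str]
    sha256: Optional[str]   # from --hash=sha256:..., when present


REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(?:(==|>=|<=|>|<|~=)\s*([\w.]+))?(.*)$")


def parse_requirements(text: str) -> List[Requirement]:
    """Parse requirement lines, dropping comments, blanks and pip flags."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, version, rest = m.groups()
        h = re.search(r"--hash=sha256:([0-9a-f]{64})", rest)
        reqs.append(Requirement(name.lower(), op, version, h.group(1) if h else None))
    return reqs


@dataclass
class Finding:
    package: str
    version: Optional[str]
    advisory: Optional[str]  # None for an "unpinned" finding
    note: str


def audit(requirements_text: str, advisories=ADVISORIES) -> List[Finding]:
    """Report pinned packages inside a vulnerable range, and unpinned ones."""
    findings = []
    for req in parse_requirements(requirements_text):
        if req.op != "==":
            findings.append(Finding(req.name, req.version, None,
                                    "not pinned with ==; audit the installed version"))
            continue
        for adv in advisories:
            if adv["package"] == req.name and in_range(req.version, adv["vulnerable"]):
                findings.append(Finding(req.name, req.version, adv["id"],
                                        f"in range {adv['vulnerable']}, upgrade to {adv['fixed_in']}"))
    return findings


def verify_artifact_hash(data: bytes, expected_sha256: str) -> bool:
    """Check downloaded artifact bytes against the hash pinned in requirements."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    for f in audit(REQUIREMENTS):
        print(f"{f.package} {f.version or ''}: {f.advisory or 'UNPINNED'} - {f.note}")
    pinned = next(r for r in parse_requirements(REQUIREMENTS) if r.sha256)
    print("hash pin matches:", verify_artifact_hash(EXAMPLELIB_ARTIFACT, pinned.sha256))
```

Running the block reports examplelib 1.2.0 as inside the constructed advisory range and reportgen as unpinned, while imgcodec 0.9.2 sits exactly at its fix version and is not flagged. The unpinned finding is the point the paragraph above makes from the other direction: a scanner can only vouch for what it can resolve, so an empty report over a file with floating versions says little until the installed versions are audited as well.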