Question

How To Proceed With A Suspect Application?

Hi,

A freelance developer has to send me an application he developed for me.
I found this person on the internet and don't know much about him.
I highly suspect these files might either be infected or hide a feature that transfers data of mine to an external server.
So I really want to make sure that:
1. the files he sends me are not infected
2. the files he sends me can't include a trojan
3. the application he sends me can't communicate with the internet to steal information from my PC (this application should not need internet to work).
How do you recommend proceeding in this specific case?

Thank you

PS: I use Windows 10, 64-bit, and I use Bitdefender Antivirus Plus 2015.
I don't use any other security program or firewall. If I should, feel free to let me know what you recommend.

Comments
Answer
Here's a thing.

Just for a test we wrote Hello World in C++ and compiled it using Visual Studio and the antivirus claimed it's a trojan. How can that be?

After much haranguing about why this is or is not, we learned that many antivirus seem to be more touchy than an IED by the roadside. So why not ask for source code plus how to build it yourself?

This is probably a good idea, but...

... I don't know how to do that.
I don't know how to code or build software.

+ I wouldn't even be able to look at the code and notice if there was a malware or anything dangerous.
So I might rebuild it with the dangerous code inside.

Kees covers it next.

You need to get a coder in your camp. Sometimes apps are not purposely infected by the author. Read what happened in China because coders there wanted the dev tools faster.

http://www.cnet.com/news/apple-struck-by-its-first-major-cyber-attack/

"The developers using XcodeGhost were likely unaware that they were using spurious software. Chinese developers often download Xcode from unofficial, local sites due to the slow download speed associated with sourcing it from Apple's faraway US servers. The attackers took advantage by slipping the counterfeit versions in among the regular programs."

How to check the source code?

I asked the developer to send me the source code instead of the .exe.
I plan to build it with this: http://www.qt.io/
I hope it's simple... I'll go deeper into that subject later.

So, before building the .exe, I need to check everything's OK in the code.
But I am a noob in coding. Never did that in my life, although I have some knowledge in computers/IT.
So here's my question: how do you check everything's safe in the source code?

You can't today.

While there are red flags you can look for, such as any hard-coded IP addresses, URLs that you don't know and more, I can't write what to look for since there are so many today.

If you read http://www.sans.edu/research/security-laboratory/article/log-bmb-trp-door, at the end are over a dozen other methods of attack folk place in code. I'm not an expert in all of these but have read far too much code over the years looking for Waldo.
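
A first-pass triage for the red flags named in this answer, as an added example that is not part of the original thread: it scans a Qt source tree for hard-coded IP addresses, URLs, Qt network classes, the qmake `network` module, Winsock/WinINet includes and process launches. The sample files and the 203.0.113.7 address are constructed; hits are leads for a human reviewer, and a clean result does not show the code is safe.

```python
import re
from pathlib import Path

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
# Red flags to review by hand: hard-coded endpoints, Qt/Win32 networking, process launch.
PATTERNS = {
    "ip-address": re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b"),
    "url": re.compile(r"\b(?:https?|ftp|wss?)://[^\s\"'<>)]+", re.I),
    "qt-network": re.compile(
        r"\bQ(?:NetworkAccessManager|NetworkRequest|TcpSocket|UdpSocket|SslSocket|WebSocket)\b"),
    "qt-network-module": re.compile(r"^\s*QT\s*\+?=.*\b(?:network|websockets)\b"),
    "native-socket": re.compile(r"#\s*include\s*<(?:winsock2?|wininet|winhttp)\.h>", re.I),
    "process-launch": re.compile(r"\b(?:QProcess|ShellExecute\w*|CreateProcess\w*)\b|\bsystem\s*\("),
}
SOURCE_SUFFIXES = {".c", ".cpp", ".h", ".hpp", ".pro", ".pri", ".qml", ".js", ".ui"}

def scan_text(text, name):
    """Return (file, line number, category, line) for every red-flag hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, category, line.strip()))
    return findings

def scan_tree(root):
    """Scan every source or qmake project file below root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += scan_text(text, str(path.relative_to(root)))
    return findings

# Constructed sample input (not from the thread); 203.0.113.7 is a documentation address.
SAMPLE_PRO = "QT += core gui widgets network\nSOURCES += main.cpp\n"
SAMPLE_CPP = '''#include <QNetworkAccessManager>
#include <QFile>
void sync() {
    QNetworkAccessManager mgr;
    mgr.get(QNetworkRequest(QUrl("http://203.0.113.7/upload")));
}
'''

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_PRO, "app.pro") + scan_text(SAMPLE_CPP, "main.cpp"):
        print("%s:%d [%s] %s" % hit)
```

For an application that is supposed to work offline, a `qt-network-module` or `qt-network` hit is the first thing to ask the developer to explain.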

so what's the solution?

Your original tip was to ask for source code and build it myself, but this implies that I check it before building the exe file, doesn't it?
Is there a difference between using the exe file he sends me and building the exe file myself without checking his source code?

If there's no way to check the code, then we are back to the original point: how to make sure I won't be hacked or data of mine won't be stolen?

Answer
Re: suspect application

Having the source code is always a good idea, just in case you want something changed and you can't find the developer any more. If you don't have the source, that's impossible, and somebody else would have to write it all over.
If you pay him to develop it, you've every right in the world to have that source code, being the owner of the application. Of course, he might put something in the contract, so that if you sell it to somebody else he gets a part of the price, but that's not unreasonable. Or even that you aren't allowed to resell it.

Then all you've got to do is to find another developer to do the tech work, such as checking the source code and building the application.

Kees
