Category

Security

Ostorlab KEV update for 26th February 2024

New vulnerabilities added to Ostorlab known exploited vulnerabilities catalog

Security

Mapping Dependency Confusion: A Novel Detection Approach using Source Map Files

The article delves into dependency confusion vulnerabilities and introduces a novel detection and exploitation technique then provides actionable steps to mitigate the risks associated with this vulnerabillity.

Tue 13 February 2024

Security

Known Exploitable Vulnerabilities: Catching them all

In this article we will Discover essential tools and empirical insights for identifying critical, high-severity, and actively exploitable vulnerabilities sourced from reputable platforms like CISA KEV, Google’s Tsunami, and the innovative Ostorlab’s Asteroid Project.

Wed 10 January 2024

Security

New OWASP Mobile Top 10

Release of new OWASP Mobile Top 10 with improvements, updates and a behind the scenes.

Mon 27 November 2023

One Scheme to Rule Them All: OAuth Account Takeover

This article delves into the exploitation of OAuth account takeover using app impersonation through custom scheme hijacking, an overlooked vulnerability pattern affecting most OAuth providers and consequently many popular applications including apps with over 1B downloads.

ZIP Exploitation: Critical Vulnerabilities Found in Popular Zip Libraries in Swift and Flutter

Recent in-depth investigations reveal serious vulnerabilities discovered in widely-used zip packages in Flutter and Swift, posing serious security risks for thousands of developers and applications. Our article delves into the technical aspects of these vulnerabilities, explaining their discovery, implications and mitigation strategies.

Latest posts

Ostorlab's Insecure Flutter Apps: A Playground for Learning and Testing Mobile Security

Ostorlab has open-sourced two Flutter applications, designed to be intentionally insecure for testing and educational purposes. The apps, one native to iOS and the other a Java/C++/Flutter app, highlight a variety of common mobile app vulnerabilities. Available under the Apache-2.0 license, they serve as practical resources for understanding Flutter security.

Mon 10 July 2023

zCamera, 100M+ installation app, from remote compromise to data leaks

This article is a technical deep dive, showing how a 100M+ installation image application can expose its user’s images and suffer from remotely exploitable vulnerabilities ranging from SQL injection and intent redirect to arbitrary file download.

Tue 04 July 2023

Secure Mobile Biometric Authentication: Best Practices and Implementation Guidelines for Kotlin, Swift, and Flutter

In this Article, we define a secure implementation of mobile biometric authentication and provide detailed implementations in the 3 main modern mobile languages, namely Kotlin for Android, Swift for iOS, and Dart for Flutter multiplatform applications.

Tue 20 June 2023

Flutter Reverse Engineering and Security Analysis

Article on Static and Dynamic analysis techniques for Reverse engineering Flutter Applications. The article goes over runtime patching, custom ABI interception and traffic interception.

Thu 15 June 2023

GodFather Android Malware Analysis

In This article, we analyze the GodFather Android malware, which continues to appear in various formats and primarily targets banking and cryptocurrency applications to steal money and sensitive information for the users.

Fri 14 April 2023

Text4Shell (CVE-2022-42889) in Mobile Applications ... should I worry?

CVE-2022-42889 is a vulnerability in the Apache Commons Text Library caused by string interpolation abusing powerful handlers and present in popular application like Amazon Shopping, Udemy and Grammarly. This article goes over the applicability and risk of this vulnerability for Mobile Applications.

Mon 24 October 2022

Attack Surface Insights - part 2

Attack Surface is not just about open ports and services; this article covers key insights beyond the standard technical ones.

Thu 16 June 2022

Mapping your Attack Surface - part 1

Attack surface mapping has become the number one headache of CISO's of most large organization, this article goes over techniques and tools used by Ostorlab to enable powerful and accurate attack surface discovery and monitoring.

Tue 17 May 2022


Previous
1 of 3