Security
Understanding Android's FLAG_SECURE for Screen Security
What Android’s FLAG_SECURE does, how it prevents screenshots and screen recordings of sensitive app content, how to implement it correctly, where it makes sense to use it, and the key limitations and UX trade-offs developers need to understand, including its behavior with casting and external displays.
Mon 29 December 2025
AI Pentest Engine Discovers Critical WebSocket BFLA in GraphQL Subscriptions
Ostorlab's AI Pentest Engine systematically uncovered a critical Broken Function-Level Authorizat...
Fri 26 December 2025
AI Engine Triggers Account Takeover via API Version Confusion
Methodical analysis beats blind fuzzing as Ostorlab's AI engine discovers cross-version password ...
Mon 15 December 2025
Uncovering a Second-Order Data Exfiltration Chain in Modern SPAs
How a second-order client-side data exfiltration chain was discovered in a modern SPA, transformi...
Wed 10 December 2025
Ostorlab AI Pentest Engine: How it Works
Technical deep dive into Ostorlab AI Pentest Engine inner working, from threat intelligence, risk identification, mobile support to vulnerability validation.
Going Beyond: Ostorlab AI Engine Discovers Unknown Vulnerability Classes
Ostorlab’s reasoning-driven AI engine breaks past rule-based limits to surface previously unknown and hard-to-detect vulnerabilities—including WebView Safe Browsing bypasses, SQLi via projections, WebCrypto key exfiltration, and JWT verification ordering flaws—delivering deeper, smarter, complementary security coverage.
Latest posts
Introducing Ostorlab Security Testing Benchmarks: Real Vulnerabilities, Real Impact
The first open-source benchmark suite featuring 93 realistic vulnerable mobile apps that mirror actual CVE and bug bounty findings - not theoretical textbook examples.
Mon 22 September 2025
Banking Report 2025: Security at the Core of Mobile Finance
Large-scale security analysis of 500+ top mobile banking apps reveals widespread vulnerabilities, decade-old codebases, and concerning backend centralization patterns.
Mon 15 September 2025
Automating Security Research: AI Engine Exploits Complex Blind Code Injection
Precision beats payload spray using Ostorlab's AI engine to systematically land RCE on Titiler and proves exfiltration without a single stack trace.
Thu 04 September 2025
AI-Powered Pentesting: A Deep Dive into Android Intent Redirection
This article showcases Ostorlab's AI Pentest Engine's process for analyzing an Android application for Intent Redirection vulnerabilities. Follow the engine's journey from static analysis and initial findings to rigorous dynamic validation, demonstrating its ability to not only identify potential threats but also to meticulously discard false positives.
Sun 31 August 2025
Automating Security Research: AI Engine Exploits GCP Service Account Secret
This article presents a thorough, hands-on analysis and real-world exploitation of a hardcoded GCP service account with overprivileged Pub/Sub access discovered in a HackerOne mobile app. It details how Ostorlab’s AI-powered pentesting engine automated the full cycle—from authentication and permission enumeration to end-to-end message injection/interception—enabling remediation within four days.
Thu 28 August 2025
From Signal to the Android SDK: Chaining Path Traversal, Mimetype Confusion, Security Check Bypass and File Descriptor Bruteforce for Arbitrary File Access
This technical analysis reveals how sophisticated attack chains—combining path traversal, symbolic link manipulation, and Android SDK quirks—can breach Signal Android's defenses to extract sensitive internal files, despite its legendary encryption remaining intact. While Signal patched these vulnerabilities within days, the discoveries offer crucial lessons about how seemingly minor bugs can be chained into powerful exploits, and why even the best security architecture needs multiple layers of defense
Mon 11 August 2025
Automating Security Research: AI Engine Exploits Report Portal XXE (CVE-2021-29620)
This article presents a thorough, hands-on analysis and proof of concept for exploiting an OOB XXE vulnerability CVE-2021-29620 in Report Portal. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.
Thu 07 August 2025
Automating Security Research: AI Engine Exploits Zulip Stored XSS (CVE-2025-52559)
This article presents a thorough, hands-on analysis and proof of concept for exploiting the stored XSS vulnerability CVE-2025-52559 in Zulip. It details how Ostorlab's AI-powered pentesting engine was used to automate the full cycle.
Mon 28 July 2025