Category

Security

Ostorlab has open-sourced two Flutter applications, designed to be intentionally insecure for testing and educational purposes. The apps, one native to iOS and the other a Java/C++/Flutter app, highlight a variety of common mobile app vulnerabilities. Available under the Apache-2.0 license, they serve as practical resources for understanding Flutter security.

Security

zCamera, 100M+ installation app, from remote compromise to data leaks

This article is a technical deep dive, showing how a 100M+ installation image application can exp...

Tue 04 July 2023

Security

Secure Mobile Biometric Authentication: Best Practices and Implementation Guidelines for Kotlin, Swift, and Flutter

In this Article, we define a secure implementation of mobile biometric authentication and provide...

Tue 20 June 2023

Security

Flutter Reverse Engineering and Security Analysis

Article on Static and Dynamic analysis techniques for Reverse engineering Flutter Applications. T...

Thu 15 June 2023

In This article, we analyze the GodFather Android malware, which continues to appear in various formats and primarily targets banking and cryptocurrency applications to steal money and sensitive information for the users.

CVE-2022-42889 is a vulnerability in the Apache Commons Text Library caused by string interpolation abusing powerful handlers and present in popular application like Amazon Shopping, Udemy and Grammarly. This article goes over the applicability and risk of this vulnerability for Mobile Applications.

Latest posts

Attack Surface Insights - part 2

Attack Surface is not just about open ports and services; this article covers key insights beyond the standard technical ones.

Thu 16 June 2022

Mapping your Attack Surface - part 1

Attack surface mapping has become the number one headache of CISO's of most large organization, this article goes over techniques and tools used by Ostorlab to enable powerful and accurate attack surface discovery and monitoring.

Tue 17 May 2022

How did we react to Log4j vulnerability? Read our analysis for mobile applications.

What is the impact of Log4j vulnerability on mobile applications

Mon 20 December 2021

Universal bypass of SSL Pinning ... from theory to a full working PoC with LLDB

This article is about bypassing SSL pinning without needing to. Sounds confusing? We will go over the theory, build a full PoC using LLDB in Python and finally extend it to other cool tasks.

Tue 18 May 2021

5 things every mobile security professional should know about WebViews

This article is about WebViews and the security notions we need to have in mind when using these component in both Android and iOS.

Tue 18 May 2021

Ostorlab detects Dependency Confusion

Dependency Confusion is a new attack with high severity impact. This article is an overview of the vulnerability as well as other supply chain attacks.

Wed 03 March 2021

Finding superhuman XSS polyglot payloads with Genetic Algorithms

The following article is a technical deep dive into how genetic algorithms can be leveraged to create superhuman XSS polyglot payloads.

Mon 01 March 2021

News and Updates of Week 8

This weeks is marked by multiple high profile data breaches affecting Cashalo, Npower, Kia, T-Mobile and Clubhouse.

Sun 28 February 2021