This article describes the usage of Ostorlab Insecure Application.


Application Security Testing on non-Jailbroken iOS from Linux

How to perform security checks of an iOS application file on a non-jailbroken iPhone from a Linux Machine.

Tue 08 October 2019


Security, what opportunities and challenges for 2019?

Use the start of the year to contemplate how the previous year went, and prepare for the upcoming is an important exercise to put things into perspective and reevaluate some of our choices.

Mon 07 January 2019


DOM XSS Fuzzing strategies - Part 1

XSS are still by far the most common tyope of vulnerabilities, this article presents strategies to automate the search for XSSes.

Sat 22 December 2018

This article is about how to manage AWS access keys when using AWS services in your mobile application.

I will be sharing through a series of blog posts our past experimentations with the use of reinforcement learning for automated testing, to both chase bugs and find vulnerabilities.

Latest posts

Critical attack surface of mobile applications

the Attack Surface of mobile applications.

Wed 17 January 2018

Finding security bugs in Android applications the hard way

Ostorlab is a community effort to build a mobile application vulnerability scanner to help developers build secure mobile applications. One of the new key components of the scanner detection capabilities is a new shiny static taint engine for Android Dalvik Bytecode that was heavily optimized for performance and low false positives.

Fri 16 June 2017

New Taint Engine ... more vulnerabilities found

We have been for the last few months hard at work developing a new scan engine to identify new classes of vulnerabilities. The new scan engine is capable of identifying SQL injections, intent hijacking, insecure random seed, insecure cryptography etc.

Sun 23 April 2017

Testing Cordova Applications

Hybrid frameworks like Cordova offers the advantage of building one app for multiple platform (support for Android, iOS, Windows Phone, FireOS, FirefoxOS ...) . The framework is easy and fast to develop with and offers generally a single API for all platforms.

Thu 24 November 2016

Android, SQL and ContentProviders or Why SQL injections aren't dead yet ?

Before we get into SQL injections and what might go wrong, we'll start by covering some technical information on Content Providers...

Thu 03 November 2016

Vulnerabilities tested by Google Play Store

Google will start identifying security weaknesses in Apps pushed to the Play Store...

Mon 05 September 2016

New in Android M and N: Runtime Permissions

In Android, the permission system was one of the major security concerns of the platform for many reasons...

Fri 27 May 2016

Android SSL certificate pinning to prevent Man-in-the-middle attack

Implementing SSL certificate pinning in mobile apps to secure the communication between the user's device and the backend

Wed 11 May 2016