Security
Security, what opportunities and challenges for 2019?
Use the start of the year to contemplate how the previous year went, and prepare for the upcoming is an important exercise to put things into perspective and reevaluate some of our choices.
Mon 07 January 2019
DOM XSS Fuzzing strategies - Part 1
XSS are still by far the most common type of vulnerabilities, this article presents strategies to...
Sat 22 December 2018
Hardcoded AWS keys in Mobile Applications
This article is about how to manage AWS access keys when using AWS services in your mobile application.
Thu 20 December 2018
Reinforcement Learning & Automated Testing - part 1
I will be sharing through a series of blog posts our past experimentations with the use of reinfo...
Mon 22 January 2018
Finding security bugs in Android applications the hard way
Ostorlab is a community effort to build a mobile application vulnerability scanner to help developers build secure mobile applications. One of the new key components of the scanner detection capabilities is a new shiny static taint engine for Android Dalvik Bytecode that was heavily optimized for performance and low false positives.
Latest posts
New Taint Engine ... more vulnerabilities found
We have been for the last few months hard at work developing a new scan engine to identify new classes of vulnerabilities. The new scan engine is capable of identifying SQL injections, intent hijacking, insecure random seed, insecure cryptography etc.
Sun 23 April 2017
Testing Cordova Applications
Hybrid frameworks like Cordova offers the advantage of building one app for multiple platform (support for Android, iOS, Windows Phone, FireOS, FirefoxOS ...) . The framework is easy and fast to develop with and offers generally a single API for all platforms.
Thu 24 November 2016
Android, SQL and ContentProviders or Why SQL injections aren't dead yet ?
Before we get into SQL injections and what might go wrong, we'll start by covering some technical information on Content Providers...
Thu 03 November 2016
Vulnerabilities tested by Google Play Store
Google will start identifying security weaknesses in Apps pushed to the Play Store...
Mon 05 September 2016
New in Android M and N: Runtime Permissions
In Android, the permission system was one of the major security concerns of the platform for many reasons...
Fri 27 May 2016
SSL Pinning on Android: Best Practices, OkHttp & Retrofit Examples (2026)
Learn how SSL pinning works on Android, what threats it helps mitigate, where it can break, and how to implement it safely with OkHttp, Retrofit, and Android Network Security Configuration. Includes rotation guidance, testing checklist, and legacy library examples.
Wed 11 May 2016
Reversing JNI, or how Facebook is crashing their own application
Apparently Facebook is crashing their apps intentionally in order to test users reaction and evaluate their adherence to Facebook service. This post is however not about the user's behavioral analysis, but about the technical aspects of how it is done - or just an excuse to dive into JNI reversing.
Thu 07 January 2016
What every pentesters should learn in 2016
The last years have come with meaningful changes in the way IT professionals operate and the way we approach security...
Sat 02 January 2016