From Signal to the Android SDK: Chaining Path Traversal, Mimetype Confusion, Security Check Bypass and File Descriptor Bruteforce for Arbitrary File Access
This technical analysis reveals how sophisticated attack chains—combining path traversal, symbolic link manipulation, and Android SDK quirks—can breach Signal Android's defenses to extract sensitive internal files, despite its legendary encryption remaining intact. While Signal patched these vulnerabilities within days, the discoveries offer crucial lessons about how seemingly minor bugs can be chained into powerful exploits, and why even the best security architecture needs multiple layers of defense
Mon 11 August 2025
Automating Security Research: AI Engine Exploits Report Portal XXE (CVE-2021-29620)
This article presents a thorough, hands-on analysis and proof of concept for exploiting an OOB XX...
Thu 07 August 2025
From Random to Intelligent: How AI-Powered Monkey Testing Achieves 10x Mobile App Coverage
Ostorlab’s AI Monkey Tester transforms mobile app security testing by using natural language prom...
Fri 01 August 2025
Automating Security Research: AI Engine Exploits Zulip Stored XSS (CVE-2025-52559)
This article presents a thorough, hands-on analysis and proof of concept for exploiting the store...
Mon 28 July 2025
SSL Scanner Overhaul and Improved UI Call Coverage Powered by User-Defined Prompts
This release introduces major enhancements to our AI-powered UI exploration engine, delivering smarter and more adaptive dynamic scanning across modern applications. We've overhauled our SSL scanner to detect 15+ critical SSL/TLS vulnerabilities with improved precision, and rebuilt the taint analysis engine for deeper and more reliable vulnerability detection. The release also expands coverage for secrets detection, mobile misconfigurations, and modern CVEs. Across the board, platform performance has been refined for greater speed, stability, and accuracy.
Know Your App's Data Habits: A Deep Dive into Our Comprehensive Privacy Analysis
Ostorlab's Privacy Scan automatically detects mismatches between what your app's privacy policy says and what it actually does. This comprehensive analysis of policy text, permissions, code, and UI elements helps mobile developers avoid compliance violations and build user trust through accurate privacy practices.
Latest posts
Ostorlab Security Scanner GitHub Integration
The Ostorlab Security Scanner GitHub Integration enhances mobile app development workflows by embedding automated security directly into the CI/CD pipeline. It offers a GitHub Action for scanning mobile application on every code push. It adds inline vulnerability insights directly to pull requests, highlighting the exact code changes that introduced issues and suggesting one-click fixes developers can apply without leaving GitHub.
Wed 21 May 2025
Scan, Sync, Remediate: Ostorlab Meets Vanta for Faster Audits
This article announces the new integration between Ostorlab and Vanta, explains how it works, outlines the setup process, and highlights the key benefits for security and compliance teams.
Tue 20 May 2025
Expanded Privacy Analysis, Attack Surface Profiling, and GitHub Source Mapping Improvements
Ostorlab's May 2025 update delivers comprehensive privacy analysis capabilities with 21 new data collection categories and enhanced verification tools. This release introduces specialized Attack Surface scan profiles for optimized security assessments, adds GitHub source code integration for precise vulnerability mapping, and implements QPS rate limiting for controlled scanning. Additional improvements include mobile scan URL regex controls, streamlined Jira integration, and expanded fingerprinting capabilities for improved detection accuracy.
Mon 12 May 2025
Bypassing Obfuscation in Android Apps: A Dual Approach with DalvikFLIRT and LLM-Powered Rewrites
This research introduces a pioneering dual approach that combines signature-based matching (DalvikFLIRT) with LLM-powered code transformation to bypass sophisticated Android app obfuscation, enabling automated security analysis of previously impenetrable code.
Wed 16 April 2025
CNIL Standard Integration, SARIF Support, Copilot Enhancements, and Smarter Vulnerability Analysis.
This release introduces CNIL standard support, SARIF export, and improved vulnerability insights with locations and advanced search. Copilot is more powerful, performance is faster, and asset and remediation workflows are smoother.
Mon 07 April 2025
From Moonshot to Production: Building Ostorlab Copilot
This article outlines our journey in implementing ostorlab copilot, the challenges we encountered, and the lessons we learned along the way.
Mon 24 February 2025
Ostorlab's Security Scanner GitHub App,Ticket Aggregation V2, Copilot Launch, and Enhanced Security Features
February's update introduces Ticket Aggregation V2 and Ostorlab Copilot, alongside improvements to reporting capabilities and detection mechanisms. These updates enhance vulnerability management, user experience, and security analysis across the platform.
Thu 20 February 2025
Effective Vulnerability Ticketing System with Ostorlab
This article announces Ostorlab's vulnerability ticketing system V2 and how it automates and streamlines the entire process of managing, and remediating security vulnerabilities through features like automated ticket creation, lifecycle management, policy enforcement, and integration with existing tools.
Tue 18 February 2025
Changelog
View all changesMobile Benchmarking, Monkey Tester Reliability, and Deeper Web Crawling
Tue 23 September 2025