What's New in Ostorlab 2020.04


Better Management of Scan lifecycle

It is now possible to stop a running or queued scan from the dashboard menu. This is mostly useful for cancelling scans that target backends.

We have also added support for archiving scans. Archived scans won't be listed in the dashboard.


Export scan results

Scan results can now be fully exported to a zip archive. The archive is composed of several JSON files containing the scan information, the list of vulnerabilities and a full dump of the collected artifacts, such as decompiled source code, screenshots, device logs and network logs.

  • scan.json: scan information, such as the target application package name, the overall risk rating, etc.
  • vulnerability.json: list of identified vulnerabilities, with their descriptions in HTML format.
  • asset.json: technical information about the target asset, such as the file or backend URLs.
  • artifacts/[0-9]+.json: list of scan artifacts, such as screenshots, decompiled source code, device logs or network traffic.
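As an added example (not Ostorlab's own code), the following Python script reads an export archive with the layout listed above, validates the presence of the three top-level files, collects the numbered artifact files in numeric order and turns the HTML vulnerability descriptions into plain text. The page does not document the JSON schema, so the field names used here (package_name, risk_rating, title, description, kind, name, backend_urls) are assumptions, and the sample archive is constructed in memory for the purpose of the demonstration.

```python
import io
import json
import re
import zipfile
from collections import Counter
from html.parser import HTMLParser

# Matches the documented artifact naming scheme: artifacts/[0-9]+.json
ARTIFACT_RE = re.compile(r"^artifacts/(\d+)\.json$")
REQUIRED_FILES = ("scan.json", "vulnerability.json", "asset.json")


def build_sample_export() -> bytes:
    """Constructed sample archive mimicking the export layout (field names are assumptions)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan.json", json.dumps(
            {"package_name": "com.example.app", "risk_rating": "HIGH"}))
        zf.writestr("vulnerability.json", json.dumps([
            {"title": "Cleartext network traffic", "risk_rating": "HIGH",
             "description": "<p>Cleartext traffic to <code>http://api.example.com</code>.</p>"},
            {"title": "Debuggable build", "risk_rating": "MEDIUM",
             "description": "<p>android:debuggable is set to <b>true</b>.</p>"},
        ]))
        zf.writestr("asset.json", json.dumps(
            {"type": "android_file", "backend_urls": ["http://api.example.com"]}))
        # Deliberately out of lexical order (10 sorts before 2 as a string) to
        # show that artifacts are ordered by their numeric index.
        zf.writestr("artifacts/0.json", json.dumps({"kind": "screenshot", "name": "login.png"}))
        zf.writestr("artifacts/10.json", json.dumps({"kind": "network_log", "name": "traffic.json"}))
        zf.writestr("artifacts/2.json", json.dumps({"kind": "decompiled_source", "name": "MainActivity.java"}))
    return buf.getvalue()


class _TextExtractor(HTMLParser):
    """Collects text nodes only, dropping tags; entities are decoded by HTMLParser."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_html(fragment: str) -> str:
    """Convert an HTML vulnerability description to plain text for reports or tickets."""
    parser = _TextExtractor()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts).strip()


def load_export(data: bytes) -> dict:
    """Parse an export archive (bytes) into its scan, vulnerabilities, asset and artifacts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Entries are read in memory, never extracted, but reject suspicious member
        # names anyway so the same reader stays safe if it is later changed to extract.
        for name in names:
            if name.startswith("/") or ".." in name.split("/"):
                raise ValueError(f"refusing suspicious archive member name: {name!r}")
        missing = [n for n in REQUIRED_FILES if n not in names]
        if missing:
            raise ValueError(f"export is missing required files: {missing}")

        def read_json(name: str):
            return json.loads(zf.read(name).decode("utf-8"))

        # Keep only names matching the documented pattern, ordered by numeric index.
        artifact_names = sorted(
            (n for n in names if ARTIFACT_RE.match(n)),
            key=lambda n: int(ARTIFACT_RE.match(n).group(1)),
        )
        return {
            "scan": read_json("scan.json"),
            "vulnerabilities": read_json("vulnerability.json"),
            "asset": read_json("asset.json"),
            "artifacts": [read_json(n) for n in artifact_names],
        }


def summarize(export: dict) -> dict:
    """Count vulnerabilities per risk rating, e.g. {'HIGH': 1, 'MEDIUM': 1}."""
    return dict(Counter(v["risk_rating"] for v in export["vulnerabilities"]))


if __name__ == "__main__":
    export = load_export(build_sample_export())
    print(export["scan"]["package_name"], summarize(export))
    for vuln in export["vulnerabilities"]:
        print(f"- [{vuln['risk_rating']}] {vuln['title']}: {strip_html(vuln['description'])}")
    print("artifacts:", [a["kind"] for a in export["artifacts"]])
```

To use it on a real export, replace build_sample_export() with the bytes of the downloaded zip and adjust the field names once you have inspected the actual JSON; the file layout checks and artifact ordering do not depend on the schema.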


Subscription

It is now possible to manage all your subscriptions from the new portal. Active subscriptions are listed at scan creation so that the appropriate scan type can be selected (Static Analysis, Dynamic Analysis on real devices and Backend Analysis).

  • Static Analysis: The static engine performs an in-depth analysis of the mobile application to ensure high coverage of its attack surface. The scanner inspects the usage of unsafe and dangerous methods and detects the presence of key security protections. The static analysis covers a large array of technologies, including Dalvik bytecode, Xamarin CIL and multiplatform JavaScript frameworks.
  • Dynamic Analysis: The dynamic analysis instruments the mobile application to monitor system interactions, such as filesystem, network and API access. The analysis detects risky behaviors, such as the insecure use of cryptographic APIs, the presence of weak file permissions, or the use of insecure network communications. The dynamic analysis offers false-positive-free results that detect both privacy and security issues.
  • Backend Analysis: Ostorlab scans the backend systems identified during dynamic analysis. The analysis performs both passive checks, such as detecting missing or insecure HTTP headers, and active checks, such as testing for SQL injection, template injection and cross-site scripting (XSS). Ostorlab backend analysis focuses on mobile-specific technologies, such as GraphQL and REST APIs, to identify backend vulnerabilities.
