Fri 08 May 2020
New Risk Categories: Hardening and Secure
To clarify the difference between an actual vulnerability that may cause actual harm and a lack of hardening measures that can ease the exploitation of a vulnerability, we have added a new category: Hardening.
Findings like the absence of stack-smashing protection or automatic reference counting, and the activation of debug mode, are reported under the Hardening category.
Ostorlab will also start reporting successful tests under a Secure category. Tests that can provide a 100% guarantee that the application is immune will be added; one example is disabling Debug and Backup on Android.
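As an added illustration of the Secure versus Hardening split described above (example code written for this post, not Ostorlab's own scanner), the following Python function inspects an AndroidManifest.xml and classifies the debuggable and allowBackup attributes. The manifests below are constructed samples; the defaults applied when an attribute is absent (debuggable false, allowBackup true) follow the Android platform documentation.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Platform defaults applied when the attribute is absent from <application>:
# debuggable defaults to false, allowBackup defaults to true.
DEFAULTS = {"debuggable": "false", "allowBackup": "true"}


def check_manifest(manifest_xml: str) -> dict:
    """Classify each attribute: 'Secure' when the setting is effectively
    disabled (explicitly or via the platform default), 'Hardening' when
    it is enabled and therefore eases exploitation or data extraction."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    result = {}
    for attr, default in DEFAULTS.items():
        value = default
        if app is not None:
            # Attributes are namespaced: {http://schemas.android.com/apk/res/android}debuggable
            value = app.get(f"{{{ANDROID_NS}}}{attr}", default)
        result[attr] = "Secure" if value.lower() == "false" else "Hardening"
    return result


# Constructed sample manifests (not taken from any real application).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weak">
  <application android:debuggable="true" android:allowBackup="true"/>
</manifest>"""

HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hardened">
  <application android:debuggable="false" android:allowBackup="false"/>
</manifest>"""

# Neither attribute set: debuggable falls back to false, allowBackup to true.
DEFAULT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.defaults">
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST),
                           ("hardened", HARDENED_MANIFEST),
                           ("defaults", DEFAULT_MANIFEST)):
        print(name, check_manifest(manifest))
```

Only an explicit or default value of false earns the Secure label; a manifest that leaves allowBackup unset is still reported under Hardening because the platform default keeps backups enabled.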
Mobile Application security testing: UI Automation rules
UI interaction automation is one of the most complex tasks to automate during a mobile application assessment. We have added support for writing custom rules to express complex interactions.
A recent successful example was automating a two-step authentication that requires interacting with a web application to trigger a push notification.
The UI automation rules are written using Behavior Driven Development (BDD) to enhance the expressiveness of the tests. We will dedicate new blog posts to the topic once the technology matures.
CVSSv3
CVSS is the de facto industry standard for rating vulnerabilities. Ostorlab now supports CVSSv3 scoring and exposes the Base Score in the scan dashboard.
Xamarin Decompilation
Xamarin is a popular .NET framework for building multi-platform mobile applications using .NET technologies. Xamarin-based mobile applications are compiled into Common Intermediate Language (CIL) bytecode stored in DLL files.
CIL can be decompiled into mostly human-readable code. Ostorlab now exposes the decompiled source code in the artifacts section, where auditors can use it to further review or understand the application.
Finding Secrets
Sharing secrets continues to be a headache for most mobile applications, leading to unsafe storage within the application. Ostorlab has added a new capability to find several kinds of secrets stored in the application, such as service account credentials, API keys, OAuth secrets, private SSH keys, etc.
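To show what this kind of secret detection looks like in practice, here is an added pattern-based scanner (example code for this post, not Ostorlab's detection logic). The regular expressions encode the well-known shapes of a few credential types; the sample input is constructed, uses no real credentials, and the AWS key ID is the placeholder value from AWS's own documentation. The OAuth client secret rule is a heuristic and will produce false positives on ordinary configuration strings.

```python
import re

# Credential shapes worth flagging in extracted strings, resources or source.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r'"type"\s*:\s*"service_account"'),
    # Heuristic: clientSecret / client_secret followed by a long token.
    "oauth_client_secret": re.compile(
        r"(?i)client[_-]?secret\W{0,5}([A-Za-z0-9_\-]{16,})"),
}


def redact(secret: str) -> str:
    """Keep a short prefix so the finding is recognisable without
    writing the full secret into a report."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def find_secrets(text: str) -> list:
    """Return one finding per pattern hit: kind, line number, redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "kind": kind,
                    "line": lineno,
                    "preview": redact(match.group(0)),
                })
    return findings


# Constructed sample input (no real credentials; AKIAIOSFODNN7EXAMPLE is the
# documented AWS placeholder key ID). Lines 6 and 7 must not be flagged.
SAMPLE_TEXT = "\n".join([
    'String apiKey = "AIza' + "X" * 35 + '";',
    "aws.accessKeyId=AKIAIOSFODNN7EXAMPLE",
    "-----BEGIN RSA PRIVATE KEY-----",
    '{"type": "service_account", "project_id": "demo-project"}',
    'oauth.clientSecret = "abcdefghijklmnop1234";',
    'String appName = "Demo";',
    'String key = "AKIA-not-a-key";',
])

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_TEXT):
        print(finding)
```

Running the scanner over strings extracted from an APK or the decompiled sources gives a finding per credential shape; the redacted preview lets an auditor confirm the hit without the report itself becoming a copy of the secret.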
Detection of deprecated TLS protocols
The TLS and SSL protocols have evolved over time to address serious security flaws identified along the way. Browsers deprecated TLSv1.0 and TLSv1.1 in January 2020, leaving TLSv1.2 and TLSv1.3.
Ostorlab will now detect patterns like the following, which enable deprecated protocols, from SSLv2 to TLSv1.1:
sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
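As an added example of detecting that pattern in Java source (example code written for this post, not Ostorlab's detector), the function below finds each setEnabledProtocols call that passes an inline String array and reports any protocol name from the deprecated range. The sample input is constructed: the page's weak call placed beside a hardened one that only enables TLSv1.2 and TLSv1.3.

```python
import re

# Protocol names that must not be enabled (SSLv2 through TLSv1.1).
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Matches: setEnabledProtocols(new String[] {"...", "..."})
SET_PROTOCOLS_RE = re.compile(
    r"setEnabledProtocols\s*\(\s*new\s+String\s*\[\s*\]\s*\{([^}]*)\}\s*\)")
STRING_LITERAL_RE = re.compile(r'"([^"]*)"')


def find_deprecated_tls(java_source: str) -> list:
    """Return (line number, enabled protocols, deprecated protocols) for
    every setEnabledProtocols call that enables a deprecated protocol."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for call in SET_PROTOCOLS_RE.finditer(line):
            enabled = STRING_LITERAL_RE.findall(call.group(1))
            # Exact-name comparison so "TLSv1.2" is not confused with "TLSv1".
            deprecated = [p for p in enabled if p in DEPRECATED_PROTOCOLS]
            if deprecated:
                findings.append((lineno, enabled, deprecated))
    return findings


def harden(enabled: list) -> list:
    """Suggested replacement list: the same call with deprecated names removed."""
    return [p for p in enabled if p not in DEPRECATED_PROTOCOLS]


# Constructed sample: the weak call from the post beside a hardened one.
SAMPLE_JAVA = """\
sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
sslSocket.setEnabledProtocols(new String[] {"TLSv1.2", "TLSv1.3"});
"""

if __name__ == "__main__":
    for lineno, enabled, deprecated in find_deprecated_tls(SAMPLE_JAVA):
        print(f"line {lineno}: enables {deprecated}; suggest {harden(enabled)}")
```

Only the first line is reported; the second already restricts the socket to TLSv1.2 and TLSv1.3. A call that builds the protocol array elsewhere will not match this literal-array pattern and needs data-flow tracking instead.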