What's New in Ostorlab Mobile Security Scanner 2020.05.08

Xamarin decompilation, deprecated TLS protocols, hardcoded secrets and more, OWASP Top 10

Fri 08 May 2020

New Risk Categories: Hardening and Secure

To separate an actual vulnerability, which can cause real harm, from a missing hardening measure, which only makes exploiting a vulnerability easier, we have added a new category: Hardening.

Findings such as missing stack smashing protection, missing Automatic Reference Counting (ARC) and an enabled debug mode are now reported under the Hardening category.

Ostorlab will also start reporting passed tests under a Secure category. Only tests whose pass result gives a definitive guarantee that the application is immune to the issue will be added; an example is disabling Debug and Backup on Android.
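As an added illustration of the split between the two categories (example code written for this page, not Ostorlab's scanner), the following reads an AndroidManifest.xml and reports the debug and backup flags either as Hardening findings or as Secure results. It assumes the manifest has already been decoded from binary XML to plain XML (for instance with apktool); the sample manifest is constructed.

```python
"""Classify AndroidManifest.xml flags into Hardening / Secure findings.

Added example (not Ostorlab code). Assumes the manifest has already been
decoded from binary XML to plain XML (e.g. with apktool); the sample
manifest below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: a debuggable build that still allows backups.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo"
               android:debuggable="true"
               android:allowBackup="true">
  </application>
</manifest>
"""


def _attr_bool(element, name, default):
    """Read an android:* boolean attribute, falling back to the platform default."""
    value = element.get("{%s}%s" % (ANDROID_NS, name))
    if value is None:
        return default
    return value.strip().lower() == "true"


def classify_manifest(manifest_xml):
    """Return a list of (category, check, detail) tuples.

    A flag left in its weak state is reported under Hardening (not a
    vulnerability by itself, but it eases exploitation); a flag set to its
    safe value is reported under Secure.
    """
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    if application is None:
        raise ValueError("manifest has no <application> element")

    findings = []

    # android:debuggable defaults to false when absent.
    if _attr_bool(application, "debuggable", default=False):
        findings.append(("Hardening", "debuggable",
                         "android:debuggable=true exposes the app to JDWP debugging"))
    else:
        findings.append(("Secure", "debuggable", "debug mode is disabled"))

    # android:allowBackup defaults to true when absent, so absence is a finding too.
    if _attr_bool(application, "allowBackup", default=True):
        findings.append(("Hardening", "allowBackup",
                         "app data can be extracted with adb backup"))
    else:
        findings.append(("Secure", "allowBackup", "backup is disabled"))

    return findings


if __name__ == "__main__":
    for category, check, detail in classify_manifest(SAMPLE_MANIFEST):
        print("%-9s %-12s %s" % (category, check, detail))
```

Note the asymmetry in defaults: an absent android:debuggable is already Secure, while an absent android:allowBackup is still a Hardening finding because the platform default is true.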


Mobile Application security testing: UI Automation rules

UI interaction is one of the more complex tasks to automate during a mobile application assessment. We have added support for writing custom rules that express complex interactions.

A recent example was automating a two-step authentication flow that requires interacting with a web application to trigger a push notification.

The UI automation rules are written in a Behavior Driven Development (BDD) style to make the tests more expressive. We will dedicate new blog posts to the topic once the technology matures.


CVSSv3 Scoring

CVSS is the de facto industry standard for rating vulnerabilities. Ostorlab now supports CVSSv3 scoring and exposes the Base Score in the scan dashboard.


Xamarin Decompilation

Xamarin is a popular framework for building cross-platform mobile applications with .NET technologies. Xamarin-based mobile applications are compiled into Common Intermediate Language (CIL) bytecode stored in DLL files.

CIL can be decompiled into mostly human-readable code. Ostorlab now exposes the decompiled source code in the artifacts section, where auditors can use it to further review or understand the application.
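Before anything can be decompiled, the assemblies have to be located inside the APK. The following added example (written for this page, not Ostorlab's pipeline) inventories the DLLs under the assemblies/ directory of a Xamarin.Android package and tells raw PE/CIL images apart from entries wrapped in the LZ4 "XALZ" container that Xamarin uses when assembly compression is enabled. The XALZ header layout (4-byte magic, 4-byte descriptor index, 4-byte uncompressed length) is the assumption the example relies on; the APK is constructed in memory and the assembly names are made up.

```python
"""Inventory the .NET assemblies shipped in a Xamarin.Android APK.

Added example (not Ostorlab code). An APK is a zip; Xamarin places the
application's CIL assemblies under assemblies/. Each entry is either a raw
PE/CIL image (starts with "MZ") or, when assembly compression is enabled,
an LZ4 block behind a small "XALZ" header. The APK used here is constructed
in memory with placeholder bytes; the file names are made up.
"""
import io
import struct
import zipfile

ASSEMBLY_PREFIX = "assemblies/"
XALZ_MAGIC = b"XALZ"
# Assumed XALZ header: magic, 4-byte descriptor index, 4-byte uncompressed
# length, all little endian, followed by the LZ4 payload.
XALZ_HEADER = struct.Struct("<4sII")


def describe_assembly(data):
    """Classify one assemblies/ entry by its leading bytes."""
    if data[:2] == b"MZ":
        return {"format": "pe", "size": len(data)}
    if data[:4] == XALZ_MAGIC and len(data) >= XALZ_HEADER.size:
        _, index, uncompressed = XALZ_HEADER.unpack_from(data)
        return {"format": "xalz", "index": index,
                "uncompressed_size": uncompressed, "size": len(data)}
    return {"format": "unknown", "size": len(data)}


def inventory_assemblies(apk_bytes):
    """Return {name: description} for every *.dll under assemblies/ in the APK."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if not info.filename.startswith(ASSEMBLY_PREFIX):
                continue
            # Skip .dll.config and other side files; only assemblies are decompiled.
            if not info.filename.lower().endswith(".dll"):
                continue
            name = info.filename[len(ASSEMBLY_PREFIX):]
            result[name] = describe_assembly(apk.read(info))
    return result


def build_sample_apk():
    """Construct a tiny fake APK: one raw assembly, one XALZ-wrapped one, plus noise."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML, irrelevant here
        apk.writestr("assemblies/DemoApp.dll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        apk.writestr("assemblies/DemoApp.Core.dll",
                     XALZ_HEADER.pack(XALZ_MAGIC, 7, 40960) + b"\x00" * 16)
        apk.writestr("assemblies/Xamarin.Forms.Core.dll.config", b"<configuration/>")
        apk.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
    return buf.getvalue()


if __name__ == "__main__":
    for name, desc in sorted(inventory_assemblies(build_sample_apk()).items()):
        print(name, desc)
```

Entries reported as "pe" can be handed straight to a CIL decompiler such as ILSpy; "xalz" entries first need the LZ4 payload decompressed to the stated uncompressed length.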

Finding Secrets

Managing secrets continues to be a headache for most mobile applications, often leading to unsafe storage inside the application package. Ostorlab has added a new capability to find secrets stored in the application, such as service account credentials, API keys, OAuth secrets and private SSH keys.
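As an added example of how such a check works (written for this page; it is not Ostorlab's detection logic), the scanner below combines fixed-format patterns for well-known credential types with a Shannon-entropy check on string literals assigned to secret-looking identifiers. The sample source and every value in it are constructed; the AWS key is the documented "AKIAIOSFODNN7EXAMPLE" placeholder.

```python
"""Scan decompiled source for hardcoded secrets.

Added example (not Ostorlab code): combines fixed-format patterns for
well-known credential types with a Shannon-entropy check for generic
string literals. The sample source and every key in it are constructed
(the AWS key is the documented "AKIAIOSFODNN7EXAMPLE" placeholder).
"""
import math
import re

# Patterns keyed by finding name. The private-key and service-account ones
# match file contents rather than single tokens.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z\-]{10,}\b"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |)PRIVATE KEY-----"),
    "gcp_service_account": re.compile(r"\"type\"\s*:\s*\"service_account\""),
}

# Generic catch: a string literal assigned to a secret-looking identifier.
ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:secret|token|password|passwd|api_?key)\w*)\s*=\s*\"([^\"]{12,})\"")
ENTROPY_THRESHOLD = 4.0  # bits per character; random base64/hex sits well above this


def shannon_entropy(text):
    """Bits of entropy per character of the given string."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    total = float(len(text))
    return -sum(c / total * math.log(c / total, 2) for c in counts.values())


def find_secrets(source):
    """Return a list of (finding, line_number, matched_text) for the source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((name, lineno, match.group(0)))
        for match in ASSIGNMENT.finditer(line):
            identifier, value = match.group(1), match.group(2)
            # Skip values already flagged by a specific pattern on this line.
            if any(value in text for _, ln, text in findings if ln == lineno):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_%s" % identifier, lineno, value))
    return findings


# Constructed sample: a decompiled config class. Line 6 is a benign,
# low-entropy string that the identifier heuristic alone would flag.
SAMPLE_SOURCE = '''
public final class Config {
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy";
    static final String OAUTH_CLIENT_SECRET = "q7Hd2kLp9sXw4Vt1Zb8Nc3Rm6Yf0Ja5G";
    static final String WELCOME_TOKEN = "please-sign-in-to-continue";
    static final String PEM = "-----BEGIN RSA PRIVATE KEY-----";
}
'''

if __name__ == "__main__":
    for finding, lineno, text in find_secrets(SAMPLE_SOURCE):
        print("line %d: %s -> %s" % (lineno, finding, text))
```

The entropy gate is what keeps identifier-based matching usable: a UI string assigned to something called WELCOME_TOKEN scores well under 4 bits per character, while a random 32-character client secret scores about 5.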


Detection of deprecated TLS protocols

The TLS and SSL protocols have evolved over time to address serious security flaws. Major browsers removed support for TLSv1.0 and TLSv1.1 in early 2020, leaving TLSv1.2 and TLSv1.3.

Ostorlab now detects code that enables deprecated protocols, from SSLv2 up to TLSv1.1, such as the following:

sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
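The following added example (written for this page, not Ostorlab's detector) shows one way to implement that check over Java/Android source: it parses the protocol list passed to setEnabledProtocols(...) and, going slightly beyond the snippet above, the version name passed to SSLContext.getInstance(...), and reports any entry older than TLSv1.2. The sample lines are constructed.

```python
"""Flag Android/Java code that enables deprecated SSL/TLS protocol versions.

Added example (not Ostorlab code). It scans source text for the two common
ways an app pins the protocol list, setEnabledProtocols(...) and
SSLContext.getInstance(...), and reports any version older than TLSv1.2.
The sample source is constructed.
"""
import re

# Java protocol names from SSLv2 up to TLSv1.1 are considered deprecated.
# Plain "SSL" / "TLS" select the platform default set and are not flagged here.
DEPRECATED = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

SET_ENABLED = re.compile(
    r"setEnabledProtocols\s*\(\s*new\s+String\s*\[\s*\]\s*\{([^}]*)\}")
GET_INSTANCE = re.compile(r"SSLContext\s*\.\s*getInstance\s*\(\s*\"([^\"]+)\"")
QUOTED = re.compile(r"\"([^\"]+)\"")


def _line_of(source, pos):
    """1-based line number of a character offset in the source."""
    return source.count("\n", 0, pos) + 1


def deprecated_protocols(source):
    """Return sorted (line_number, api, [deprecated versions]) findings.

    Matching runs over the whole text, so a protocol array split across
    several lines is still caught.
    """
    findings = []
    for match in SET_ENABLED.finditer(source):
        bad = [v for v in QUOTED.findall(match.group(1)) if v in DEPRECATED]
        if bad:
            findings.append((_line_of(source, match.start()),
                             "setEnabledProtocols", bad))
    for match in GET_INSTANCE.finditer(source):
        if match.group(1) in DEPRECATED:
            findings.append((_line_of(source, match.start()),
                             "SSLContext.getInstance", [match.group(1)]))
    return sorted(findings)


def hardened_protocol_list(versions):
    """Drop deprecated entries; what remains is the suggested replacement list."""
    return [v for v in versions if v not in DEPRECATED]


# Constructed sample: one weak protocol array, one legacy context, two safe calls.
SAMPLE_SOURCE = '''
SSLSocket sslSocket = (SSLSocket) factory.createSocket(host, 443);
sslSocket.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
SSLContext legacy = SSLContext.getInstance("SSLv3");
SSLContext ok = SSLContext.getInstance("TLSv1.2");
safe.setEnabledProtocols(new String[] {"TLSv1.2", "TLSv1.3"});
'''

if __name__ == "__main__":
    for lineno, api, versions in deprecated_protocols(SAMPLE_SOURCE):
        print("line %d: %s enables %s; keep %s" % (
            lineno, api, versions, hardened_protocol_list(versions + ["TLSv1.2"])))
```

For the snippet on this page the fix is simply to drop the first two entries, leaving TLSv1.2 (and TLSv1.3 where the platform supports it) in the array.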