Changelog

November, December 2020

  • 📢 Release of Android and iOS application analysis environment
  • 🚀 Analysis Env support for APK and IPA file listing with content access
  • 🚀 Analysis Env support for code highlighting for HTML, JavaScript, XML, Java, C++
  • 🚀 Analysis Env support for Binary plist extraction
  • 🚀 Analysis Env support for Mach-O and ELF disassembly and decompilation for ARM and ARM64
  • 🚀 Analysis Env support for Mach-O and ELF string listing
  • 🚀 Analysis Env support for DEX classes listing
  • 🚀 Analysis Env support for DEX smali listing and java decompilation
  • 🚀 Analysis Env support for Android resource extraction
  • 🚀 Analysis Env support for Android manifest extraction
  • 🚀 Analysis Env support for DEX, Mach-O, and ELF function call trace with full refs and xrefs generation
  • 🚀 Analysis Env support for dangerous function tagging to identify security hotspots
  • 🚀 Analysis Env support for contextual call trace generation

October 2020

  • 📢 Release of continuous application monitoring from the store
  • 🔍 Detection of weak Bluetooth connections
  • 🔍 Detection of dynamically registered broadcast receivers with no permission
  • 📢 New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab (https://github.com/jenkinsci/ostorlab-plugin)
  • 💐 Email and UI notifications for key events (scan completion, password change, ...)
  • 💐 API key generation and management exposed in the UI

September 2020

  • 📢 Release of Ostorlab lighthouse continuously scanning public applications
  • 📢 Release of Ostorlab VulnDB UI to access the internal database of known vulnerabilities
  • 💐 Vulnerabilities tagged as affecting security and privacy, security only, or privacy only
  • 🔍 Detection of several privacy settings in Android manifest
  • 🔍 Detection of Facebook SDK debug mode
  • 🔍 Detection of GPS location tracking impacting privacy
  • 🐞 Fix insufficient default taint on sinks and missing taint propagation for Array and Const

August 2020

  • 📢 Store search and scan feature
  • 📢 Deep 3rd party dependencies fingerprinting
  • 💐 Markdown vulnerability text and description support

July 2020

  • 📢 Extend 3rd party dependencies rules
  • 🚀 Creation of database of unreported vulnerabilities

June 2020

  • 💐 Report libraries and 3rd party dependencies
  • 🔍 Fingerprinting of native Android libs, iOS frameworks, Cordova plugins, JavaScript libraries, Xamarin libs and OpenSSL
  • 🚀 Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
  • 🚀 Indexing support for Maven JAR and AAR, CocoaPods podspecs and NPM packages
  • 🔍 Detect calls to dangerous Bluetooth APIs

May 2020

  • 📢 Exposure of CVSSv3 score
  • 🤖 Alpha support for UI Automation rules
  • 🎁 Add Xamarin decompiled source code to the list of artifacts
  • 🔍 Detection of secrets (SSH private keys, service account credentials, Slack tokens, etc.)
  • 🔍 Detect use of deprecated SSL/TLS protocol versions (SSLv2, SSLv3, TLSv1.0, TLSv1.1)

April 2020

  • 📊 Add generation of executive summary PDF report
  • 📢 New Secure risk rating to denote secure implementation
  • 📢 New Hardening risk rating to differentiate an actual vulnerability from a missing hardening mechanism
  • 📢 Add support for archiving scans
  • 📢 Add support for exporting scans
  • 🔍 Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
  • 🚀 Enhance performance of taint analysis and increase coverage
  • 💐 Enhanced representation of taint information
  • 💐 Enhanced representation of stack traces collected in dynamic analysis
  • ⚠️ Fix inconsistency in risk rating
  • 🐞 Fix false positive in iOS detection for missing ARC and Stack Guard protections

March 2020

  • Support for streaming API to create and stop scans
  • Subscription support
  • New KB entry for WebView loadUrl injection
  • Bug fixes to JDWP Hooking engine
  • Dashboard update showing scan plan
  • Support for stopping and archiving scans

February 2020

  • API for scheduling rules
  • Migration to Kubernetes
  • Initial support for streaming API to create scans

January 2020

  • API to manage Inventory (mobile apps, urls, domains, ...)
  • UI to list, create and update Inventory and Assets
  • CI/CD pipeline integration
  • Deprecate old UIs

December 2019

  • Release of the alpha version of the new reporting front end
  • API naming fixes
  • Fix submission of the test credentials
  • New Google Play client to support scanning from the Play Store directly
  • Several new APIs moved to GraphQL (Account and Password Management, Artifacts)
  • Worker to handle long-running jobs (PDF generation and Scan Export)

November 2019

  • Progress on the new reporting front end
  • Bug fixes in public website
  • Simplified pagination support in all APIs
  • Experimental API to create Web Scans

October 2019

  • Release of an open source Android application to benchmark vulnerability scanners
  • Extensions to the GraphQL API adding support for pagination and vulnerability search, and switching application upload from Base64 to multipart
  • Progress on the new reporting front end

September 2019

August 2019

  • Major migration of all existing infra and data to the new backends.

June 2019

  • Infra refactoring into a micro-service architecture.
  • Separation of user portal and public website to prepare moving to serverless.
  • Separation of the backend and addition of an orchestration backend to prepare the move from Swarm to k8s.

May 2019

  • Refactoring of API adding support for GraphQL.
  • Migration of website, user portal and orchestrator to GraphQL.

April 2019

  • Extending vulnerability test bed.
  • Add template injection detection for 4 new Java template engines.
  • Add detection of Ruby code injection.
  • Add detection of Node.js code injection.

March 2019

  • Multiple bug fixes and performance enhancements.
  • Fix false positive detection of Template Injection.
  • Add detection of Python code injection.
  • Add detection of pickle deserialization injection.

February 2019

  • Multiple bug fixes and performance enhancements.
  • Enhance detection of XSS by adding support for multiple callback vectors.

January 2019

  • New alpha system to detect vulnerabilities in backends from previously collected ones.
  • Creation of a new vulnerability test bed.

December 2018

  • Add support for detection of stored XSS.
  • Complete rework of the scan authentication module. It works well and sends fewer requests.
  • Brand new subscription menu.
  • Bug cleaning season.

November 2018

  • Add support for multi-step submitting of Forms.
  • Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
  • Alpha version of Fingerprinting agents.

October 2018

  • Major enhancement to coverage of XSS contexts using polyglot payloads.

September 2018

  • Enhance CSRF handling for web scanning.
  • Add scan export and import feature for on-premise scanning support.
  • Implementation of ADB Proxy agent for on-premise scanning support.
  • Add collection of screenshots and logcat traffic during dynamic analysis.
  • New security rules for Android Network Security Configuration.
  • Fix false positives in Cryptography rules using static taint.
  • Rework of all rules formatting.
  • Fix PDF generation and add support for code highlighting.
  • Add support for crawling known paths.
  • Add Artifact panel to store extracted source code, screenshots and traffic logs.
  • Add Xamarin source code decompilation.
  • Fix duplicate request testing by backend and XSS scanner.
  • Initial work on CSRF token detection and generation for POST request fuzzing.
  • Add support for inserting payloads in sub-paths.

August 2018

  • Month of extensive bug fixes across all core components.
  • Enhance testability of the scanning engine.
  • Enhance reporting features.

July 2018

  • Enhanced detection of template injection vulnerabilities.
  • New scanner for detecting XSS vulnerabilities.
  • Enhanced support for nested serialization formats.
  • Major rework of the scan scheduling engine for increased scalability.

June 2018

  • New backend scanning engine with beta support for SQL injection and XXE
  • Adding beta support for crawling of HTML content.

May 2018

  • Bumping free scanner coverage limit from 100 to 300.
  • New detector for encrypted IPA.
  • Fix false positive in dynamic rules detecting weak encryption.

April 2018

  • Porting LLDB for iOS to work on Linux.
  • New backend scan engine.
  • New experimental crawler.

February 2018

  • Adding support for authenticated scans.
  • Final version of Java hook engine with stack trace support and full context inspection.
  • Major enhancement to the taint engine reducing false positives.
  • Multiple bug fixes affecting PDF generation and false positive declaration.
  • Adding feature to report false positives and remove them from the final report.
  • Multiple new dynamic rules to trace sensitive function calls.
  • New agent to detect sensitive material files, like private encryption keys.

January 2018

  • Surface static taint analysis coverage in the scan report.

December 2017

  • Unsafe App Transport Security (ATS) settings in iOS apps are reported as vulnerabilities.
  • Performance enhancement for the support of large multidex files.
  • Bug fix in method xref for multidex files.
  • Enhance vulnerability de-duplication.
  • Multiple bug fixes for iOS scan rules.

November 2017

  • Advanced option to detect weak file permissions for both Android and iOS. (OWASP Mobile Top 10 - M2)
  • Advanced option to detect Personally Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
  • Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
  • Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
  • Advanced option to detect iOS calls to weak cryptographic APIs. (OWASP Mobile Top 10 - M5)
  • Advanced option to download the PDF report.

September 2017

  • Stabilizing unlimited scan feature with bug fixes.
  • Correction of false positives in Insecure Encryption Mode.
  • Correction of false positives in ASLR detection for iOS Apps.
  • Move to a clustered architecture to support the increased scan load.
  • Final version to support dedicated unlimited scans.

August 2017

  • New feature to support dedicated scans.
  • Tweaks and updates to the user interface to support fast uploading.

July 2017

  • New backend system to support the increased load.
  • Major code refactoring of all agents to support the new backend system.
  • Multiple bug fixes.

June 2017

  • New static taint engine for Android Bytecode.
  • Multiple bug fixes and performance tweaks.
Last Updated: 1/15/2021, 1:35:25 PM