Changelog
November, December 2020
- 📢 Release of Android and iOS application analysis environment
- 🚀 Analysis Env support for APK and IPA file listing with content access
- 🚀 Analysis Env support for code highlighting for HTML, JavaScript, XML, Java, C++
- 🚀 Analysis Env support for Binary plist extraction
- 🚀 Analysis Env support for Mach-O and ELF file disassembly and decompilation for ARM and ARM64
- 🚀 Analysis Env support for Mach-O and ELF string listing
- 🚀 Analysis Env support for DEX classes listing
- 🚀 Analysis Env support for DEX smali listing and java decompilation
- 🚀 Analysis Env support for Android resource extraction
- 🚀 Analysis Env support for Android manifest extraction
- 🚀 Analysis Env support for DEX, Mach-O, and ELF function call trace with full refs and xrefs generation
- 🚀 Analysis Env support for dangerous function tagging to identify security hotspots
- 🚀 Analysis Env support for contextual call trace generation
October 2020
- 📢 Release of continuous application monitoring from the store
- 🔍 Detection of weak Bluetooth connections
- 🔍 Detection of dynamic broadcast receivers registered with no permissions
- 📢 New Jenkins Plugin to integrate CI/CD pipelines with Ostorlab (https://github.com/jenkinsci/ostorlab-plugin)
- 💐 Email and UI notifications to inform of key events (scan completion, password change, etc.)
- 💐 Expose API key generation and management from the UI
September 2020
- 📢 Release of Ostorlab Lighthouse, continuously scanning public applications
- 📢 Release of the Ostorlab VulnDB UI to access the internal known-vulnerabilities database
- 💐 Vulnerabilities tagged as affecting security and privacy, security only, or privacy only
- 🔍 Detection of several privacy settings in Android manifest
- 🔍 Detection of Facebook SDK debug mode
- 🔍 Detection of GPS location tracking impacting privacy
- 🐞 Fix insufficient sink default taint and missing propagation for Array and Const
August 2020
- 📢 Store search and scan feature
- 📢 Deep fingerprinting of 3rd-party dependencies
- 💐 Markdown vulnerability text and description support
July 2020
- 📢 Extend 3rd-party dependency rules
- 🚀 Creation of database of unreported vulnerabilities
June 2020
- 💐 Report libraries and 3rd-party dependencies
- 🔍 Fingerprinting of native Android libs, iOS Frameworks, Cordova plugins, JavaScript libraries, Xamarin libs and OpenSSL
- 🚀 Vetted and enhanced vulnerability database with all the known vulnerabilities affecting libraries and 3rd party dependencies
- 🚀 Indexing support for Maven JAR and AAR, CocoaPods podspecs and NPM packages
- 🔍 Detect calls to dangerous Bluetooth APIs
May 2020
- 📢 Exposure of CVSSv3 score
- 🤖 Alpha support for UI Automation rules
- 🎁 Add Xamarin decompiled source code to the list of artifacts
- 🔍 Detection of secrets (SSH private keys, service account credentials, Slack tokens, etc.)
- 🔍 Detect use of deprecated TLS protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1)
April 2020
- 📊 Add generation of executive summary PDF report
- 📢 New Secure risk rating to denote secure implementation
- 📢 New Hardening risk rating to differentiate between actual vulnerability and missing hardening mechanism
- 📢 Add support for archiving scans
- 📢 Add support for exporting scans
- 🔍 Add detection of new sinks and sources leading to insecure file write, insecure TLS and command execution
- 🚀 Enhance performance of taint analysis and increase coverage
- 💐 Enhanced representation of taint information
- 💐 Enhanced representation of stack traces collected in dynamic analysis
- ⚠️ Fix inconsistency in risk rating
- 🐞 Fix false positive in iOS detection for missing ARC and Stack Guard protections
March 2020
- Support for streaming API to create and stop scans
- Subscription support
- New KB entry for Webview LoadURL injection
- Bug fixes to JDWP Hooking engine
- Dashboard update showing scan plan
- Support for stopping and archiving scans
February 2020
- API for scheduling rules
- Migration to Kubernetes
- Initial support for streaming API to create scans
January 2020
- API to manage Inventory (mobile apps, URLs, domains, etc.)
- UI to list, create and update Inventory and Assets
- CI/CD pipeline integration
- Deprecate old UIs
December 2019
- Release of the alpha version of the new reporting front end
- API naming fixes
- Fix submission of the test credentials
- New Google Play client to support scanning from the Play Store directly
- Several new APIs moved to GraphQL (Account and Password Management, Artifacts)
- Worker to handle long-running jobs (PDF generation and Scan Export)
November 2019
- Progress on the new reporting front end
- Bug fixes in public website
- Simplified pagination support in all APIs
- Experimental API to create Web Scans
October 2019
- Release of an open source Android application to benchmark vulnerability scanners
- Extensions to the GraphQL API adding support for pagination, vulnerability search and switch from passing applications in Base64 to multi-part support
- Progress on the new reporting front end
September 2019
August 2019
- Major migration of all existing infra and data to the new backends.
June 2019
- Infra refactoring into a micro-service architecture.
- Separation of user portal and public website to prepare moving to serverless.
- Separation of the backend and addition of an orchestration backend to prepare the move from Swarm to k8s.
May 2019
- Refactoring of API adding support for GraphQL.
- Migration of website, user portal and orchestrator to GraphQL.
April 2019
- Extending vulnerability test bed.
- Add support for template injection of 4 new Java template engines.
- Add support for detection of Ruby code injection.
- Add support for detection of Node.js code injection.
March 2019
- Multiple bug fixes and performance enhancements.
- Fix false positive detection of Template Injection.
- Add support for detection of Python code injection.
- Add support for detection of pickle deserialization injection.
February 2019
- Multiple bug fixes and performance enhancements.
- Enhance detection of XSS adding support for multiple callbacks vectors.
January 2019
- New alpha system to detect vulnerabilities in backends from previously collected ones.
- Creation of a new vulnerability test bed.
December 2018
- Add support for detection of stored XSS.
- Complete rework of the scan authentication module. It works well and sends fewer requests.
- Brand new subscription menu.
- Bug cleaning season.
November 2018
- Add support for multi-step form submission.
- Enhancement to automatic detection of CSRF fields and auto-update of CSRF tokens.
- Alpha version of Fingerprinting agents.
October 2018
- Major enhancement of XSS context coverage; long live polyglot payloads.
September 2018
- Enhance CSRF handling for web scanning.
- Add scan export and import feature for on-premise scanning support.
- Implementation of ADB Proxy agent for on-premise scanning support.
- Add collection of screenshots and logcat traffic during dynamic analysis.
- New security rules for Android Network Security Configuration.
- Fix false positives in Cryptography rules using static taint.
- Rework of all rules formatting.
- Fix PDF generation and add support for code highlighting.
- Add support for known-path crawling.
- Add Artifact panel to store extracted source code, screenshots and traffic logs.
- Add Xamarin source code decompilation.
- Fix duplicate request testing by backend and XSS scanner.
- Initial work on CSRF token detection and generation for POST request fuzzing.
- Add support for inserting payloads in sub-paths.
August 2018
- Extensive bug-fix month across all core components.
- Enhance testability of the scanning engine.
- Enhance reporting features.
July 2018
- Enhanced detection of template injection vulnerabilities.
- New scanner for detecting XSS vulnerabilities.
- Enhanced support for nested serialization formats.
- Major rework of the scan scheduling engine for increased scalability.
June 2018
- New backend scanning engine with beta support for SQL injection and XXE
- Adding beta support for crawling of HTML content.
May 2018
- Bumping free scanner coverage limit from 100 to 300.
- New detector for encrypted IPA.
- Fix false positive in dynamic rules detecting weak encryption.
April 2018
- Porting LLDB for iOS to work on Linux.
- New backend scan engine.
- New experimental crawler.
February 2018
- Adding support for authenticated scans.
- Final version of Java hook engine with stack trace support and full context inspection.
- Major enhancement to the taint engine reducing false positives.
- Multiple bug fixes affecting PDF generation and false positive declaration.
- Adding feature to report false positives and remove them from the final report.
- Multiple new dynamic rules to trace sensitive function calls.
- New agent to detect sensitive material files, like private encryption keys.
January 2018
- Surface static taint analysis coverage in the scan report.
December 2017
- Unsafe Transport App Security settings in iOS apps are reported as vulnerabilities.
- Performance enhancement for the support of large multidex files.
- Bug fix in method xref for multidex files.
- Enhance vulnerability de-duplication.
- Multiple bug fixes for iOS scan rules.
November 2017
- Advanced option to detect weak file permissions for both Android and iOS. (OWASP Mobile Top 10 - M2)
- Advanced option to detect Personally Identifiable Information (PII) leakage for both Android and iOS. (OWASP Mobile Top 10 - M2)
- Advanced option to detect clear-text traffic for both Android and iOS. (OWASP Mobile Top 10 - M3)
- Advanced option to detect insecure TLS/SSL validation for both Android and iOS. (OWASP Mobile Top 10 - M3)
- Advanced option to detect iOS calls to weak cryptographic APIs. (OWASP Mobile Top 10 - M5)
- Advanced option to support PDF report download.
September 2017
- Stabilizing unlimited scan feature with bug fixes.
- Correction of false positives in Insecure Encryption Mode.
- Correction of false positives in ASLR detection for iOS Apps.
- Move to a clustered architecture to support increased scan load.
- Final version to support dedicated unlimited scans.
August 2017
- New feature to support dedicated scans.
- Tweaks and updates to the user interface to support fast uploading.
July 2017
- New backend system to support the increased load.
- Major code refactoring of all agents to support the new backend system.
- Multiple bug fixes.
June 2017
- New static taint engine for Android Bytecode.
- Multiple bug fixes and performance tweaks.