
Use IDE: Search And Analysis

The IDE's goal is to ease manual assessment and to let you write custom checks on top of all the analyses Ostorlab performs: taint analysis, dynamic call traces, intercepted traffic, and scanned API requests.

The IDE navigation is split into:

  • Files: APK and IPA are the package file formats for Android and iOS mobile apps, respectively. These files contain all the resources and code needed to install and run the app on a mobile device. The "Files" option can help you inspect the contents of the APK or IPA file. You will see a list of files and directories that make up the app. These files may include the app's code, resources such as images and sounds, configuration files, and other assets used by the app.

  • Static: Static analysis navigation is created to help engineers identify potential issues in their code. This can involve reading through the code, examining variable types and functions, and looking for common coding mistakes such as null pointer dereferences, memory leaks, or buffer overflows.

  • Call Coverage: Call Coverage shows the UI flow of the mobile application, that is, the sequence of screens or pages the Ostorlab robots go through while using the app. It simulates how a user interacts with the app's user interface to achieve their goals. A typical UI flow for a mobile app might include the following steps: landing page, navigation, content pages, authentication, dialogs, and modals.

  • API: The API is the network traffic generated by the application when the Ostorlab robots interact with the application. This can help you check HTTP request/response messages that include JSON payloads, HTTP methods, HTTP protocol version, status, and the URI of the requested resource.

Static Analysis

The current release focuses on static analysis and comes with the following features:

  • APK and IPA file listing with content access


  • Code highlighting for HTML, JavaScript, XML, Java, C++


  • Binary plist extraction
  • Mach-O and ELF file disassembly and decompilation for ARM and ARM64
  • Mach-O and ELF string listing
  • DEX classes listing
  • DEX smali listing and java decompilation

  • Android resource extraction


  • Android manifest extraction


  • DEX, Mach-O, and ELF function call trace analysis with full refs and xrefs generation


  • Contextual call trace generation


The search feature in static analysis supports multiple keywords that can be chained together. See the following animation for an example that searches for all methods containing the word mem:

{
  "search": "mem"
}


The list of supported keywords is:

  • search: arbitrary search across all method or function attributes.
  • path: path within the APK or IPA file.
  • package: package name if applicable.
  • class: class name if applicable.
  • method: method name.
  • function: function name.
  • signature: method or function signature.
  • sink: sink category, supports * as wildcard.
  • source: source category, supports * as wildcard.
  • privacySource: privacy source category, supports * as wildcard.
  • input: input category, supports * as wildcard.
  • sanitizer: sanitizer category, supports * as wildcard.
  • persistRead: persist read category, supports * as wildcard.
  • persistWrite: persist write category, supports * as wildcard.
  • deprecated: the function or method is deprecated in the latest API.

Function and Method tagging

Function tagging helps identify security hotspots. A simple use case is to find all methods that can result in SQL injection, then use the call trace feature to see where each method is used and whether an attacker could control the input.

The tagging differentiates between:

  • Sink: over a dozen sink categories. Sinks are functions or methods that can lead to vulnerabilities, such as execSQL, which can lead to SQL injection if its input is controlled by the user.
  • Source: Source functions and methods return untrusted input that may come from the network, IPC, the filesystem (external storage), etc.
  • Privacy Source: Privacy source functions and methods return sensitive data, such as user location, SMS messages, or Wi-Fi endpoints, that can affect the user's privacy.
  • Input: Input methods are typically overridable methods that serve as callbacks and whose parameters are untrusted and can be manipulated by an attacker. Typical examples are the query, update, insert, and delete methods of content providers.
  • Sanitizer: Sanitizer functions and methods scrub untrusted input for a particular API use.
  • Persist Read and Write: Persist read and write tags help find second-order injection vulnerabilities; read and write operations are tagged separately.
  • Deprecated: simply deprecated functions and methods.
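To make the tagging concrete, here is an added example (not Ostorlab's own code) that walks a constructed data-flow graph whose nodes carry the tag categories listed above and reports every source-to-sink path, noting whether a sanitizer sits on the path and whether the path goes through persistent storage, which is what the Persist Read and Write tags exist to surface. All class and method names in the graph are hypothetical, and the data-flow edges are constructed for the example.

```python
"""Added example (not Ostorlab's own code): walk a constructed data-flow
graph whose nodes carry the tag categories described above (source, sink,
sanitizer, persistRead, persistWrite) and report every source-to-sink path,
flagging whether a sanitizer sits on it and whether it passes through
persistent storage (a second-order path)."""

# Constructed graph: "value returned by / passed to A flows into B".
# All class and method names here are hypothetical.
FLOWS = {
    "Intent.getStringExtra": ["LoginActivity.onCreate", "SearchActivity.onCreate"],
    "LoginActivity.onCreate": ["UserDao.find", "Prefs.saveName"],
    "UserDao.find": ["SQLiteDatabase.execSQL"],      # string concatenated into SQL
    "SearchActivity.onCreate": ["Sanitizer.escape"],
    "Sanitizer.escape": ["SearchDao.query"],
    "SearchDao.query": ["SQLiteDatabase.execSQL"],
    "Prefs.loadName": ["ProfileActivity.onCreate"],
    "ProfileActivity.onCreate": ["ProfileDao.update"],
    "ProfileDao.update": ["SQLiteDatabase.execSQL"],
}

# Constructed tags, mirroring the categories the IDE search exposes.
TAGS = {
    "Intent.getStringExtra": {"source": "ipc"},
    "SQLiteDatabase.execSQL": {"sink": "sql_injection"},
    "Sanitizer.escape": {"sanitizer": "sql"},
    "Prefs.saveName": {"persistWrite": "shared_prefs"},
    "Prefs.loadName": {"persistRead": "shared_prefs"},
}


def find_paths(flows, tags):
    """Return every source-to-sink path as a dict. A path that reaches a
    persistWrite node continues at each persistRead node of the same
    category: that join is what turns a stored value into a second-order
    (stored) injection path."""
    reads_by_category = {}
    for name, tag in tags.items():
        if "persistRead" in tag:
            reads_by_category.setdefault(tag["persistRead"], []).append(name)

    results = []

    def walk(node, path, second_order):
        tag = tags.get(node, {})
        if "sink" in tag and len(path) > 1:
            results.append({
                "source": path[0],
                "sink": node,
                "category": tag["sink"],
                "path": list(path),
                "sanitized": any("sanitizer" in tags.get(n, {}) for n in path),
                "second_order": second_order,
            })
            return
        successors = list(flows.get(node, []))
        if "persistWrite" in tag:
            successors += reads_by_category.get(tag["persistWrite"], [])
            second_order = True
        for nxt in successors:
            if nxt not in path:          # cycle guard
                path.append(nxt)
                walk(nxt, path, second_order)
                path.pop()

    for name, tag in tags.items():
        if "source" in tag:
            walk(name, [name], False)
    return results


def unsanitized_paths(flows, tags):
    """Only the paths with no sanitizer on them: the ones to triage first."""
    return [p for p in find_paths(flows, tags) if not p["sanitized"]]


if __name__ == "__main__":
    for p in find_paths(FLOWS, TAGS):
        status = "sanitized" if p["sanitized"] else "UNSANITIZED"
        order = "2nd-order" if p["second_order"] else "1st-order"
        print(f"{status:12} {order:10} {' -> '.join(p['path'])}")
```

Running the block lists three paths to execSQL: a direct unsanitized one from the Intent extra, a second-order one that is only visible because the persistWrite and persistRead tags share the same category, and a sanitized one that a triage would deprioritise. The join on category is deliberately coarse: it over-approximates (any reader of that store is assumed to see any writer's data), which is the right default when the goal is to not miss a stored injection.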

You can also search for a specific keyword across all application files using the Search option in the left menu.

Dynamic Analysis

Call coverage

The call coverage shows the UI flow exercised during the dynamic analysis. It also provides an easy way to validate the coverage of the application and to ensure that critical use cases, such as authentication, are being exercised.

API calls

The API option shows the network traffic captured during the dynamic analysis. It also supports search with multiple keywords that can be chained together. See the following animation:

The list of supported keywords is:

  • search: Arbitrary search across all HTTP requests and responses.
  • path: Path component of the request URL; the path identifies the resource on the server.
  • method: HTTP methods like POST, GET, PUT, PATCH, and DELETE.
  • host: Host request header, which specifies the server's host name.
  • port: Port number of the server.
  • statusCode: HTTP response status code.
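The static-analysis keywords and the API keywords are two instances of the same chained-query idea, so the following added example (not Ostorlab's own code) implements one matcher for queries like {"search": "mem"} and runs it over constructed method records and constructed HTTP records. The matching rules are an assumption made for the example: "search" is a case-insensitive substring match across every attribute, the category keywords (sink, source, privacySource, input, sanitizer, persistRead, persistWrite) accept * as a wildcard, port and statusCode match exactly, and every other keyword is a case-insensitive substring match. All record values are constructed.

```python
"""Added example (not Ostorlab's own code): a matcher for chained keyword
queries like {"search": "mem"}, run over constructed method records (the
static-analysis keywords) and constructed HTTP records (the API keywords).
The matching rules are an assumption: "search" is a case-insensitive
substring match over every attribute, the category keywords accept * as a
wildcard, port and statusCode match exactly, and the remaining keywords are
case-insensitive substring matches."""
from fnmatch import fnmatchcase

WILDCARD_KEYS = {"sink", "source", "privacySource", "input", "sanitizer",
                 "persistRead", "persistWrite"}
NUMERIC_KEYS = {"port", "statusCode"}

# Constructed static-analysis records; names are hypothetical.
METHODS = [
    {"path": "classes.dex", "package": "com.example.app", "class": "UserDao",
     "method": "find", "signature": "find(Ljava/lang/String;)Landroid/database/Cursor;",
     "sink": "sql_injection", "deprecated": False},
    {"path": "lib/arm64-v8a/libnative.so", "function": "memcpy",
     "signature": "void *memcpy(void *, const void *, size_t)",
     "sink": "memory_corruption", "deprecated": False},
    {"path": "classes.dex", "package": "android.preference",
     "class": "PreferenceManager", "method": "getDefaultSharedPreferences",
     "signature": "getDefaultSharedPreferences(Landroid/content/Context;)Landroid/content/SharedPreferences;",
     "persistRead": "shared_preferences", "deprecated": True},
    {"path": "classes.dex", "package": "android.content", "class": "Intent",
     "method": "getStringExtra", "signature": "getStringExtra(Ljava/lang/String;)Ljava/lang/String;",
     "source": "ipc", "deprecated": False},
]

# Constructed API records.
REQUESTS = [
    {"method": "POST", "host": "api.example.test", "port": 443,
     "path": "/v1/login", "statusCode": 200},
    {"method": "GET", "host": "api.example.test", "port": 443,
     "path": "/v1/users/42", "statusCode": 401},
    {"method": "GET", "host": "cdn.example.test", "port": 80,
     "path": "/assets/logo.png", "statusCode": 200},
]


def matches(record, query):
    """True when the record satisfies every keyword in the query (AND)."""
    for key, wanted in query.items():
        value = record.get(key)
        if key == "search":
            haystack = " ".join(str(v) for v in record.values()).lower()
            if str(wanted).lower() not in haystack:
                return False
        elif key in WILDCARD_KEYS:
            # An absent category never matches, not even against "*".
            if value is None or not fnmatchcase(str(value), str(wanted)):
                return False
        elif key in NUMERIC_KEYS:
            if value is None or int(value) != int(wanted):
                return False
        elif key == "deprecated":
            if bool(value) != bool(wanted):
                return False
        else:
            if value is None or str(wanted).lower() not in str(value).lower():
                return False
    return True


def run_query(records, query):
    """Apply one chained query to a list of records."""
    return [r for r in records if matches(r, query)]


if __name__ == "__main__":
    for hit in run_query(METHODS, {"search": "mem"}):
        print("static:", hit["path"], hit.get("function") or hit.get("method"))
    for hit in run_query(REQUESTS, {"method": "GET", "statusCode": "401"}):
        print("api:", hit["method"], hit["host"], hit["path"], hit["statusCode"])
```

Chaining is plain conjunction: {"sink": "sql*", "package": "com.example"} narrows to SQL sinks in the app's own package, and {"method": "GET", "statusCode": "401"} pulls out the unauthenticated responses from the captured traffic. The one edge case worth keeping is that a missing category must not satisfy a "*" wildcard; fnmatch would otherwise match the empty string, and "sink: *" would return every method.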

Vulnerabilities

The Vulnerabilities option redirects you to the list of vulnerabilities detected by the static and the dynamic analysis.
Each finding has a name, description, recommendation, references, and technical details.
