Skip to content

App Vetting

Ostorlab App Vetting provides automated security, privacy, malware, trust, and maintainability assessment for Android and iOS applications. It combines static analysis, dynamic analysis, and safe containment sandbox execution to evaluate application packages, runtime behavior, third-party services, and risk indicators.

App Vetting Scan

A comprehensive assessment of mobile applications focused on security posture, privacy behavior, malware indicators, trust signals, and maintainability risk.

Key Features

  • Static analysis of Android and iOS application packages.
  • Dynamic analysis of application behavior at runtime.
  • Safe containment sandbox execution for controlled behavioral analysis.
  • Detection of malware indicators, spyware behavior, and suspicious payloads.
  • Identification of security vulnerabilities, insecure configurations, and cryptographic misuse.
  • Analysis of privacy risks, trackers, permissions, and data flows.
  • Assessment of application trust signals, publisher reputation, and distribution source.
  • Maintainability analysis covering outdated components, framework age, and long-term risk.
  • Weighted risk scoring across Malware, Security, Privacy, Trust, and Maintainability dimensions.

Risk Scoring

App Vetting uses a multi-dimension weighted scoring model to evaluate the overall risk of a mobile application.

Key Features

  • Malware risk assessment for malicious behavior, trojans, spyware, and suspicious execution patterns.
  • Security risk assessment for vulnerabilities, insecure implementation patterns, and OWASP Mobile Top 10 issues.
  • Privacy risk assessment for exposed PII, tracker usage, cleartext communication, and unauthorized data flows.
  • Trust assessment based on application reputation, publisher signals, package integrity, and distribution checks.
  • Maintainability assessment for dependency age, framework usage, code health, and future risk exposure.

The default scoring model uses the following weights:

Dimension Weight
Malware 35%
Security 25%
Privacy 20%
Trust 10%
Maintainability 10%

Safe Containment Sandbox

A controlled execution environment used to observe application behavior without exposing production systems or user devices.

Key Features

  • Runtime monitoring of application behavior.
  • Analysis of system API calls and sensitive operations.
  • Inspection of outbound network connections.
  • Detection of telemetry collection and third-party communication.
  • Identification of potential data exfiltration behavior.
  • Behavioral analysis of suspicious or high-risk applications.

Zero-Trust Telemetry Assessment

A telemetry-focused assessment that inspects outbound communication, tracking behavior, and data movement from a zero-trust perspective.

Key Features

  • Detection of third-party trackers and analytics SDKs.
  • Analysis of data flows to external services.
  • Identification of cleartext or weakly protected communications.
  • Review of permission usage against observed behavior.
  • Assessment of privacy-impacting runtime activity.
  • Mapping of telemetry behavior to privacy and compliance risks.

How to Use App Vetting

App Vetting can be used to assess public Android and iOS applications from the Ostorlab dashboard.

Run an App Vetting Scan

To run an App Vetting scan from the Ostorlab dashboard:

  1. Open the dashboard menu.
  2. Click Scanning.
  3. Select App Vetting.
    menu
  4. Enter a public application package or application name to search the scans inventory.
  5. Select the application from the results.
    Search
  6. Open the scan results to review the risk score and findings.
    results

App Vetting retrieves available scan data for the selected public application and displays the assessment results in the scan view.

Review the Risk Score

After opening the scan results, review the overall application risk score and the score breakdown by dimension.

The score is calculated across the following categories:

  • Malware
  • Security
  • Privacy
  • Trust
  • Maintainability

Use the score breakdown to identify which risk areas contribute most to the application’s overall risk.

Results

Review Findings

Open the findings section to review the detected risks and technical details.

Findings may include:

  • Malware indicators.
  • Security vulnerabilities.
  • Privacy risks.
  • Tracker and SDK behavior.
  • Runtime telemetry observations.
  • Outbound network communication.
  • Trust and reputation signals.
  • Maintainability issues.

Each finding includes technical details to support review, triage, and remediation.

Results and Outputs

App Vetting provides structured results that help teams evaluate the risk level of a mobile application.

Key Outputs

  • Overall application risk score.
  • Risk score breakdown by category.
  • Malware indicators and suspicious behavior.
  • Security vulnerabilities and insecure configurations.
  • Privacy risks and data flow observations.
  • Tracker and third-party SDK information.
  • Trust and reputation signals.
  • Maintainability findings.
  • Runtime telemetry observations.
  • Network communication details.
  • Technical evidence for identified findings.

Best Practices

Use App Vetting as part of a continuous mobile application review process.

  • Review applications before enterprise approval or internal use.
  • Re-check applications when a new public version is released.
  • Review both the overall score and the category-level breakdown.
  • Prioritize malware, privacy, and critical security findings first.
  • Validate high-impact findings with the application owner or vendor when needed.
  • Compare applications using the same scoring baseline.
  • Use the findings details to support security, privacy, procurement, or vendor risk decisions.