Ostorlab is a security scanner for mobile application and system backends. Ostorlab covers both
Android and iOS platforms and identifies critical vulnerabilities like Command Injection, Mobile
XSS, SQL injection, private data leaks and other classes of vulnerabilities. Ostorlab has
been tailored from the start to target Mobile Application and use extensive static analysis
coupled with dynamic analysis to
ensure high coverage of the application’s attack surface, and false positive free results.
Ostorlab offers a highly reliable, scalable, and cost efficient platform that scans hundreds of
thousands of mobile application monthly.
Ostorlab architecture focuses on extensibility without sacrificing robustness and
resiliency. This extensibility allows Ostorlab team to quickly add and experiment with new
scanning capabilities and run at the same time the infrastructure responsable of hundreds of
thousands of scans with a near zero maintenance cost.
Ostorlab scanner relies on a distributed architecture built to support scalability with
focus on ease of extensibility. The infrastructure is separated into a Core infrastructure
communicating with a set of Universes.
CORE infrastructure is in charge of scan scheduling, reporting, access management, data
collection and monitoring.
A Universe is a group of agents that runs the scan logic. All agents communicate using message
queues dedicated to the universe and offers each scan a self-contained environments with no
interaction with other running scans.
The separation of the scan logic into separate agents offers increased resiliency. The failure of
a single agent does not impact the rest of the scan, all agents automatically recover from a
failure reducing manual intervention to none.
Failures are monitored and are reported to both a central log collection server and a global scan
monitoring system. Metrics of failures are also reported to a separate metric collection
Ostorlab scanner leverages scalability on different levels:
- Agents: Each agent performs a specialized task. Agents can be duplicated to perform
repetitive intensive tasks that run within a single scan,
- Universe: The scanner runs multiple universes to support handling multiple scans in
parallel. All universes are separate, stateless, self-contained entities
- Cluster nodes: All scanner components are separate containers that run on a full dedicated
Increasing cluster nodes offers straightforward horizontal scalability.
Ostorlab updates ar e managed using a private central registry. Updates are pushed automatically
to all of the scanner nodes.
Some updates may require human interaction, for instance updates to the database schema in order
to ensure migrations has successfully completed and didn’t corrupt any existing data.
All data is collected in a central database. All other components are stateless and don’t store
any information locally.
Secret keys and SSL certificate are provisioned using secret management system accessible
from within the cluster.
All the data in-transit is encrypted and scanned mobile applications are purged right after the
Ostorlab scanner enforces users and groups (organisation) access control with a separation of
privileges using role.
Ostorlab scanning capabilities use static analysis for high coverage of the attack surface and
for false positive free reports. Ostorlab targets system backends collected during
dynamic analysis to identify server-side vulnerabilities.
Ostorlab’s Static analysis uses multiple techniques to identify vulnerabilities:
- Validation of common configuration and compilation settings, like Cordova unsafe whitelist,
use of non-obfuscated builds or use of debug mode,
- Identification of dynamically linked libraries and fingerprinting of statically linked
libraries to check for known vulnerabilities affecting mobile platforms, like MoPub or
- Ostorlab’s core static technology is its taint engine that computes how taints propagates
over several possible execution paths. Ostorlab’s static taint engine takes into account
object oriented information and typing information to offer a fast, efficient and
near false-positive-free taint info. The taint info is then used by dozens of rules to
identify vulnerabilities, like SQL injection, command injection or use of hardcoded keys.
Ostorlab runs mobile applications in an instrumented sandbox to track all interactions with
the external environment, like network, filesystem, keychain, API etc.
The instrumentation engine track calls to standard APIs to identify the use of unsafe arguments,
like the use of weak encryption schemes, unsafe RPC calls, code loading from untrusted path or
command execution with user input.
Ostorlab instrumentation is capable of accessing encrypted traffic and does not require bypassing
SSL pinning. Collected backend are then reused to perform backend analysis.
The dynamic instrumentation uses both system instrumentation techniques, like Fanotify for file
system access and a custom non-pervasive runtime instrumentation engine, using JDWP and debug
APIs for Android and iOS.
This approach compared to pervasive methods, like inline hooking that requires custom memory
manipulation is very robust, offers more capabilities to collect runtime information,
particularly for iOS applications built using Objective C and SWIFT and don’t require constant
maintenance with every new system release that may bring modification to the underlying
Ostorlab targets collected backends during dynamic analysis to identify server-side
analysis is both passive, like detecting the presence of insecure HTTP headers as well as
active, like detecting SQL injection or XXE.
Ostorlab active testing uses a probabilistic approach to identify vulnerabilities. This approach
has the advantage of avoiding the need to send a full payload which could be blocked, limited to
a particular OS, may impact the backend stability or trigger intrusion detection systems or
Ostorlab backend analysis engine supports a large set of serialization schemes and has supported
for nested serialization injection.
Probabilistic testing coupled with safe rate limiting protects backend systems from unexpected
failures and unwanted denial of service and offers guaranteed false positive free reports.