Overview

Ostorlab is a security scanner for mobile application and system backends. Ostorlab covers both Android and iOS platforms and identifies critical vulnerabilities like Command Injection, Mobile XSS,  SQL injection, private data leaks and other classes of vulnerabilities. Ostorlab has been tailored from the start to target Mobile Application and use extensive static analysis coupled with dynamic analysis to ensure high coverage of the application’s attack surface, and false positive free results.

Ostorlab offers a highly reliable, scalable, and cost efficient platform that scans hundreds of thousands of mobile application monthly.

Architecture

Ostorlab architecture focuses on extensibility without sacrificing robustness and resiliency. This extensibility allows Ostorlab team to quickly add and experiment with new scanning capabilities and run at the same time the infrastructure responsable of hundreds of thousands of scans with a near zero maintenance cost.

Infrastructure

Ostorlab scanner relies on a distributed architecture built to support scalability with focus on ease of extensibility. The infrastructure is separated into a Core infrastructure communicating with a set of Universes.

CORE infrastructure is in charge of scan scheduling, reporting, access management, data collection and monitoring.

A Universe is a group of agents that runs the scan logic. All agents communicate using message queues dedicated to the universe and offers each scan a self-contained environments with no interaction with other running scans.

Resiliency

The separation of the scan logic into separate agents offers increased resiliency. The failure of a single agent does not impact the rest of the scan, all agents automatically recover from a failure reducing manual intervention to none.

Failures are monitored and are reported to both a central log collection server and a global scan monitoring system. Metrics of failures are also reported to a separate metric collection container.

Scalability

Ostorlab scanner leverages scalability on different levels:

  • Agents: Each agent performs a specialized task. Agents can be duplicated to perform repetitive intensive tasks that run within a single scan,
  • Universe: The scanner runs multiple universes to support handling multiple scans in parallel. All universes are separate, stateless, self-contained entities
  • Cluster nodes: All scanner components are separate containers that run on a full dedicated cluster. Increasing cluster nodes offers straightforward horizontal scalability.

Updates

Ostorlab updates ar e managed using a private central registry. Updates are pushed automatically to all of the scanner nodes.

Some updates may require human interaction, for instance updates to the database schema in order to ensure migrations has successfully completed and didn’t corrupt any existing data.

Data Storage

All data is collected in a central database. All other components are stateless and don’t store any information locally.

Security

Secret keys and SSL certificate are provisioned using secret management system accessible from within the cluster.

All the data in-transit is encrypted and scanned mobile applications are purged right after the scan.

Access Management

Ostorlab scanner enforces users and groups (organisation) access control with a separation of privileges using role.

Analysis

Ostorlab scanning capabilities use static analysis for high coverage of the attack surface and dynamic analysis for false positive free reports. Ostorlab targets system backends collected during dynamic analysis to identify server-side vulnerabilities.

Static Analysis

Ostorlab’s Static analysis uses multiple techniques to identify vulnerabilities:

  • Validation of common configuration and compilation settings, like Cordova unsafe whitelist, use of non-obfuscated builds or use of debug mode,
  • Identification of dynamically linked libraries and fingerprinting of statically linked libraries to check for known vulnerabilities affecting mobile platforms, like MoPub or Vungle,
  • Ostorlab’s core static technology is its taint engine that computes how taints propagates over several possible execution paths. Ostorlab’s static taint engine takes into account object oriented information and typing information to offer a fast, efficient and near false-positive-free taint info. The taint info is then used by dozens of rules to identify vulnerabilities, like SQL injection, command injection or use of hardcoded keys.

Dynamic Analysis

Ostorlab runs mobile applications in an instrumented sandbox to track all interactions with the external environment, like network, filesystem, keychain, API etc.

The instrumentation engine track calls to standard APIs to identify the use of unsafe arguments, like the use of weak encryption schemes, unsafe RPC calls, code loading from untrusted path or command execution with user input.

Ostorlab instrumentation is capable of accessing encrypted traffic and does not require bypassing SSL pinning. Collected backend are then reused to perform backend analysis.

The dynamic instrumentation uses both system instrumentation techniques, like Fanotify for file system access and a custom non-pervasive runtime instrumentation engine, using JDWP and debug APIs for Android and iOS.

This approach compared to pervasive methods, like inline hooking that requires custom memory manipulation is very robust, offers more capabilities to collect runtime information, particularly for iOS applications built using Objective C and SWIFT and don’t require constant maintenance with every new system release that may bring modification to the underlying system runtime.

Backend

Ostorlab targets collected backends during dynamic analysis to identify server-side vulnerabilities. The analysis is both passive, like detecting the presence of insecure HTTP headers as well as active, like detecting SQL injection or XXE.

Ostorlab active testing uses a probabilistic approach to identify vulnerabilities. This approach has the advantage of avoiding the need to send a full payload which could be blocked, limited to a particular OS, may impact the backend stability or trigger intrusion detection systems or application firewalls.

Ostorlab backend analysis engine supports a large set of serialization schemes and has supported for nested serialization injection.

Probabilistic testing coupled with safe rate limiting protects backend systems from unexpected failures and unwanted denial of service and offers guaranteed false positive free reports.