Ostorlab is a mobile application security testing platform built around an open-source scanning engine called OXO with 560 GitHub stars and 60 forks.

GitHub: Ostorlab/ostorlab | Latest Release: v1.10.0 (February 2026)

The platform performs static and dynamic analysis of Android and iOS applications with instrumentation capabilities based on OpenTelemetry.

The open-source core has been battle-tested on hundreds of thousands of scans across over 200 releases, while enterprise features provide additional capabilities for larger organizations.

What is Ostorlab?

Ostorlab provides mobile security testing through a unique architecture that combines an open-source orchestration engine with a cloud platform.

The OXO scanner is freely available and can be self-hosted, while the commercial Ostorlab platform adds features like team collaboration, continuous monitoring, and advanced reporting.

The platform takes an orchestration approach to security scanning.

Rather than relying on a single analysis engine, Ostorlab coordinates multiple tools including Nmap, OpenVAS, Tsunami, Nuclei, and custom mobile-specific scanners.

This multi-tool strategy provides broader coverage than any single scanner could achieve alone.

Ostorlab supports both Android APK/AAB and iOS IPA files.

The dynamic analysis capability uses instrumentation to observe runtime behavior, network communications, and data handling patterns.

Key Features

OXO Orchestration Engine

OXO is the open-source core of Ostorlab.

It orchestrates security scanning workflows, coordinating multiple analysis tools and aggregating their results.

The engine handles task scheduling, dependency management, and result normalization across different scanner outputs.

OXO uses a modular agent architecture where each scanner runs as an independent component.

This design allows teams to add custom scanners or disable tools that are not relevant to their use case.

Static Analysis

Static analysis examines mobile application binaries without execution.

The scanner decompiles APKs and IPAs to analyze:

Source code patterns and vulnerabilities
Manifest and configuration files
Embedded secrets and credentials
Third-party library identification
Permission analysis

Dynamic Analysis

Dynamic analysis runs applications in instrumented environments to observe runtime behavior.

Based on OpenTelemetry, the instrumentation captures:

Network traffic and API calls
File system access patterns
Cryptographic operations
Inter-process communication
Sensitive data handling

Attack Surface Discovery

Ostorlab maps the attack surface of mobile applications by identifying all external interfaces and communication channels.

This includes API endpoints, deep links, custom URL schemes, and broadcast receivers that could be targeted by attackers.

Multi-Tool Integration

The platform integrates with established security tools:

Nmap: Network discovery and port scanning
OpenVAS: Vulnerability scanning
Tsunami: Google’s network security scanner
Nuclei: Template-based vulnerability detection
Custom agents: Organization-specific scanners

Installation

OXO Open-Source Installation

Install the OXO orchestrator using pip:

# Install OXO
pip install ostorlab

# Verify installation
oxo version

# Run a basic scan
oxo scan run --install \
  --agent agent/ostorlab/mobile_sast \
  --agent agent/ostorlab/mobile_dast \
  file app.apk

Docker Deployment

Run Ostorlab using Docker for isolated scanning:

# Pull the scanner image
docker pull ostorlab/oxo:latest

# Run a scan
docker run --rm \
  -v $(pwd):/scan \
  ostorlab/oxo:latest \
  scan run \
  --agent agent/ostorlab/mobile_sast \
  file /scan/app.apk

Local Development Setup

For development and customization:

# Clone repository
git clone https://github.com/Ostorlab/oxo.git
cd oxo

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install in development mode
pip install -e .

# Run tests
pytest tests/

Integration

GitHub Actions

name: Ostorlab Mobile Security

on:
  push:
    branches: [main]
  pull_request:

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build APK
        run: ./gradlew assembleRelease

      - name: Install Ostorlab
        run: pip install ostorlab

      - name: Run Security Scan
        run: |
          oxo scan run --install \
            --agent agent/ostorlab/mobile_sast \
            --agent agent/ostorlab/android_manifest \
            --agent agent/ostorlab/secrets_detection \
            file app/build/outputs/apk/release/app-release.apk

      - name: Export Results
        run: |
          oxo scan list --format json > scan-results.json

      - name: Upload Results
        uses: actions/upload-artifact@v4
        with:
          name: ostorlab-results
          path: scan-results.json

GitLab CI

stages:
  - build
  - security

build:
  stage: build
  script:
    - ./gradlew assembleRelease
  artifacts:
    paths:
      - app/build/outputs/apk/release/

ostorlab-scan:
  stage: security
  image: python:3.11
  before_script:
    - pip install ostorlab
  script:
    - |
      oxo scan run --install \
        --agent agent/ostorlab/mobile_sast \
        --agent agent/ostorlab/mobile_dast \
        file app/build/outputs/apk/release/app-release.apk
    - oxo scan list --format json > ostorlab-report.json
  artifacts:
    paths:
      - ostorlab-report.json
    reports:
      security: ostorlab-report.json

Jenkins Pipeline

pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh './gradlew assembleRelease'
            }
        }
        stage('Security Scan') {
            steps {
                sh '''
                    pip install ostorlab

                    oxo scan run --install \
                      --agent agent/ostorlab/mobile_sast \
                      --agent agent/ostorlab/secrets_detection \
                      --agent agent/ostorlab/android_permissions \
                      file app/build/outputs/apk/release/app-release.apk

                    oxo vulnz list --format json > ostorlab-vulnerabilities.json
                '''
            }
        }
    }
    post {
        always {
            archiveArtifacts artifacts: 'ostorlab-vulnerabilities.json', allowEmptyArchive: true
        }
    }
}

CLI Commands

Common OXO CLI operations:

# List available agents
oxo agent list

# Install specific agents
oxo agent install agent/ostorlab/mobile_sast

# Start a scan with multiple agents
oxo scan run --install \
  --agent agent/ostorlab/mobile_sast \
  --agent agent/ostorlab/mobile_dast \
  --agent agent/ostorlab/secrets_detection \
  file app.apk

# Check scan status
oxo scan list

# View vulnerabilities
oxo vulnz list --scan-id SCAN_ID

# Export results
oxo vulnz list --scan-id SCAN_ID --format json > results.json

# Delete old scans
oxo scan delete SCAN_ID

When to Use Ostorlab

Ostorlab is a good fit for teams that value open-source foundations with the option to scale to enterprise features.

Consider Ostorlab when:

You want an open-source core that you can self-host and customize
Multi-tool orchestration aligns with your security testing strategy
You need flexibility to add custom scanning agents
Docker-based deployment fits your infrastructure

The platform works well for security teams that already use tools like Nuclei or Nmap and want to incorporate them into mobile application testing.

The orchestration approach allows teams to maintain existing tool investments while adding mobile-specific capabilities.

For organizations starting with the free OXO engine, the migration path to the commercial platform is straightforward when team collaboration and managed hosting become necessary.