Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
Screenshots:
- Static Analysis – Android
Requirements:
- Mac:
- Install Git
- Install Python 3.6 – 3.7 (3.8 is not supported)
- macOS Catalina users must uninstall existing python3 and install the one from Python.org. After installation, go to /Applications/Python 3.7/ and run Install Certificates.command and Update Shell Profile.command
- Install JDK 8+
- Install command line tools xcode-select –install
- Download & Install wkhtmltopdf as per the wiki instructions
- macOS Mojave users, install headers if available:
- Ubuntu/Debian based Linux:
- Install Git sudo apt get install git
- Install Python 3.6 – 3.7 sudo apt-get install python3
- Install JDK 8+ sudo apt-get install openjdk-8-jdk
- Install the following dependencies
- Install the following requirements on the VM
- Python 3
- rsa (via python -m pip install rsa)
- Download the setup.py script and run it
- There is some manual interaction, but if there are no errors, everything is good and the RPC-Server should be running.
Remember: Use separate Windows-VM for MobSF and don’t expose it to a network range where an attack might be coming from. The best solution is to set it to host-only mode.
- To integrate a Windows-VM into MobSF, please follow these steps.
- Get the IP of you VM and set in the MobSF/settings.py-File (search for WINDOWS_VM_IP)
- (If not yet done:) Copy the private rsa key from the vm to MobSF
If you see errors like this:
MobSF setup script assume that your VM or host Windows box have a C Drive and you have all the permissions to perform read/write operations in C:MobSF. This error occurs if you don’t have proper read/write permissions.
- Set JAVA_HOME environment variable.
- iOS IPA Analysis works only on Mac, Linux and Docker containers.
Dynamic Analysis:
- Dynamic Analysis will not work if you use MobSF docker container or setup MobSF inside a Virtual Machine.
- Install Genymotion
Installation:
Tested on Windows 10, Ubuntu (18.04, 19.04) , macOS Catalina
Running MobSF
- For Linux and Mac: ./run.sh
- For Windows: run.bat
You can navigate to http://localhost:8000/ to access MobSF web interface.
Configuring Dynamic Analyzer
Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above.
Android versions 5 and above are automatically MobSFyed on first run. For Android versions less than 5, you must MobSFy the Android Runtime prior to Dynamic Analysis for the first time. Click MobSFy Android Runtime button in Dynamic Analysis page to MobSFy the android runtime environment.
HTTPS Proxy
- For Android versions 4.4 – 9.0, global proxy settings are automatically applied at runtime.
- For Android version 4.1 – 4.3, set Android VM proxy as displayed in Dynamic Analysis page.
If Dynamic Analyzer doesn’t detect your android device, you need to manually configure ANALYZER_IDENTIFIER in MobSF/settings.py. Example: ANALYZER_IDENTIFIER = ‘192.168.56.101:5555’. You can find the Android Device IP from the Genymotion title bar and the default port is 5555.
MobSF Docker Container
Lazy to setup MobSF? Use the latest MobSF docker image (Dynamic Analysis is not supported)
MobSF e-Learning Courses & Certification
We have 2 self paced e-learning courses that covers MobSF and other Android Security tools.
- OpSecX – Automated Mobile Application Security Assessment with MobSF – MAS (Currently being updated)
- OpSecX – Android Security Tools Expert – ATX
Updating MobSF
If you are updating MobSF, In most cases you might have to perform database migrations or you will see errors such as
Run the below command to migrate your db
If the above changes didn’t work, you might have to run setup.sh or setup.bat again which will delete your previous scan results.
APKiD
APKiD is enabled by default. To disable it, set APKID_ENABLED to False in MobSF/settings.py.
VirusTotal Scan
VirusTotal Scan is disabled by default. You need to add your VirusTotal API Key before enabling it.
AppMonsta Android Play Store Information
We use AppMonsta API to fetch details from Google Play Store as a fail safe to our primary implementation. It is disabled by default. To enable it, you need AppMonsta API Key.
- Get AppMonsta API Key from: AppMonsta API Key
- In MobSF/settings.py, add your API Key to APPMONSTA_KEY and restart MobSF.
Mass Static Analysis
MobSF supports mass static analysis. Here is how to run a mass static analysis:
- Run mass_static_analysis.py
Example: python mass_static_analysis.py -s 127.0.0.1:8000 -d /home/files/
Using Postgres DB instead of SQLite:
Install psycopg2: pip3 install psycopg2-binary
Go to MobSFsettings.py
Comment the following:
Now uncomment the following:
Create a database in Postgres named mobsf and configure the above settings with correct username, password and other details.
Apply Migrations:
Now you can start MobSF server and you have successfully configured Postgres as your database.
If you want all user uploads, downloads and user configurations to be created in home directory, enable home directory support:
To provide personalized version of MobSF to multiple users on an OS or to bundle MobSF with a pentesting distro you might need the home directory support enabled.
To enable Home Directory support, go to settings.py and set USE_HOME to True.
