Mobile Security Framework – MobSF

Last Release: 08/09/2019     Last Commit: 08/31/2019

Introduction

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting framework capable of performing static, dynamic and malware analysis, as well as web API testing.

MobSF is an open-source, intelligent tool which you can use to perform both static and dynamic analysis of apps for the Android, iOS and Windows platforms. It supports both binaries (APK, IPA and APPX) and zipped source code. It also has Web API fuzzing capabilities powered by a dedicated web API security scanner, CapFuzz. So whether you are a developer, pentester or security analyst, you can identify vulnerabilities in mobile apps at all stages of development.

Features:

  • Information gathering and security header analysis
  • Dynamic and static analysis (dynamic SSL testing, dynamic analysis on a custom VM or rooted Android devices, static analysis and statistics)
  • Fuzzing web APIs for security vulnerabilities (Web API Fuzzer: API rate limiting and session-related vulnerabilities)
  • Free and open-source automated security assessment for both Android and iOS apps
  • Identify mobile API vulnerabilities (XXE, SSRF, path traversal, IDOR)
  • Built-in evasion modules (Android Blue Pill, RootCloak, JustTrustMe, etc.)

Requirements

Static Analysis:

  • Python 3.6+
  • Oracle JDK 1.7 or above
  • Mac OS Users must install Command-line tools
  • iOS IPA Analysis works only on Mac and Linux
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

Dynamic Analysis:

  • MobSF x86 Android VM requires Oracle VirtualBox
  • MobSF Android AVD (ARM emulator) requires Android Studio and a configured AVD
  • Hardware Requirements: Min 4GB RAM, 5GB HDD/SSD and Virtualization Support for running MobSF VM and Intel HAXM if you are running MobSF ARM Emulator.

Note (Static Analysis):

  • Linux & Mac: install Oracle Java 1.7+ (and make it the default one).
  • Linux: enable 32-bit execution support

Install

MobSF Docker image

If you don’t want to set up the static analyzer yourself, use the automated prebuilt Docker image. Run the following:

$ docker pull opensecurity/mobile-security-framework-mobsf
$ docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Static Analyzer Configuration

MobSF comes bundled with BlackArch Linux. Installation is tested on the following platforms:

  • Windows (7, 8, 8.1, 10), Kali Linux (2016.2), Ubuntu (14.04, 16.04), OS X (Mavericks, Yosemite, El Capitan), macOS (Sierra, High Sierra)

Clone it from the github repo:

$ git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

Then navigate to the MobSF directory and run (Linux/Mac):

$ cd Mobile-Security-Framework-MobSF
$ ./setup.sh

On Windows run:

$ setup.bat

Dynamic Analyzer Configuration

MobSF Dynamic Analysis currently supports Android:

  1. Android 4.4.2 x86 VirtualBox VM: fast, not all apps work
  2. Rooted Android 4.03 – 4.4 device: very fast, all apps work
  3. Rooted Android 4.03 – 4.4 VM: not tested

Update

First you need to migrate your db or you’ll encounter some errors:

[ERROR] Saving to DB (E:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 236 "static_db.save()"): table StaticAnalyzer_staticanalyzerandroid has no column named

Run the following to migrate your db:

$ python3 manage.py makemigrations
$ python3 manage.py migrate

This will remove all previously saved scan results. If the migration didn’t work, run the following and then try the commands above again:

$ clean.sh

Then install requirements:

$ pip install -r requirements.txt

Usage

To start it, just run:

$ ./run.sh #Linux
$ ./run.bat #Windows

In case you want to run it on a specific port, try:

$ python manage.py runserver PORT_NO

MobSF Mass Static Analysis

Start server:

$ python manage.py runserver 8000

Then run the following:

$ mass_static_analysis.py
usage: mass_static_analysis.py [-h] [-d DIRECTORY] [-s IPPORT]

optional arguments:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory DIRECTORY
                        Path to the directory that contains mobile app
                        binary/zipped source code
  -s IPPORT, --ipport IPPORT
                        IP address and Port number of a running MobSF Server.
                        (ex: 127.0.0.1:8000)

Example:

$ python mass_static_analysis.py -s 127.0.0.1:8000 -d /home/files/
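As an added example (not part of this page and not the MobSF project's own mass_static_analysis.py), the following minimal Python client does the same job: it walks a directory, picks the MobSF scan type from each file's extension, uploads the file to a running server and starts its static scan. It assumes MobSF's REST API endpoints /api/v1/upload and /api/v1/scan and the API key MobSF prints at startup, none of which this page describes.

```python
"""Submit every mobile app binary in a directory to a running MobSF server.

Assumptions (not taken from this page): MobSF's REST API with
POST /api/v1/upload (multipart field "file") and POST /api/v1/scan,
both authenticated with an "Authorization: <API key>" header.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

# File extension -> MobSF scan_type value (matched case-insensitively).
SCAN_TYPES = {".apk": "apk", ".ipa": "ipa", ".appx": "appx", ".zip": "zip"}


def scan_type_for(filename):
    """Return the MobSF scan type for a file name, or None if unsupported."""
    return SCAN_TYPES.get(os.path.splitext(filename)[1].lower())


def collect_apps(names):
    """Keep only the names MobSF can analyse, paired with their scan type."""
    return [(n, scan_type_for(n)) for n in names if scan_type_for(n)]


def build_multipart(field, filename, data):
    """Encode one file as a multipart/form-data body; returns (content_type, body)."""
    boundary = uuid.uuid4().hex
    head = ('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n" % (boundary, field, filename))
    body = head.encode() + data + ("\r\n--%s--\r\n" % boundary).encode()
    return "multipart/form-data; boundary=" + boundary, body


def upload_and_scan(server, api_key, path):
    """Upload one file, then start its static scan; returns the MobSF file hash."""
    with open(path, "rb") as f:
        ctype, body = build_multipart("file", os.path.basename(path), f.read())
    req = urllib.request.Request("http://%s/api/v1/upload" % server, data=body,
                                 headers={"Authorization": api_key, "Content-Type": ctype})
    meta = json.load(urllib.request.urlopen(req))  # carries hash, scan_type, file_name
    form = urllib.parse.urlencode({k: meta[k] for k in ("scan_type", "file_name", "hash")}).encode()
    req = urllib.request.Request("http://%s/api/v1/scan" % server, data=form,
                                 headers={"Authorization": api_key})
    urllib.request.urlopen(req).read()
    return meta["hash"]


if __name__ == "__main__":
    # usage: python client.py 127.0.0.1:8000 <API key> /home/files/
    server, key, directory = sys.argv[1:4]
    for name, _ in collect_apps(os.listdir(directory)):
        print(name, upload_and_scan(server, key, os.path.join(directory, name)))
```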