Mobile Security Framework (MobSF) Static Analysis
Mobile Security Framework (MobSF) is an automated, open source, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. The OWASP MSTG recommends it for static security analysis of mobile applications. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make CI/CD or DevSecOps pipeline integration seamless. Its graphical UI is a web service consisting of a dashboard that presents the results of the analysis, its own documentation site, an integrated emulator & an API that lets users trigger an analysis automatically. It is hosted in your own environment, so the apps you upload and the analysis results never leave it for the cloud.
Static Analysis
In static analysis the application is tested from the inside out: the source code or binary is analyzed without executing the application, so the analysis does not depend on a runtime environment. It can be used to test code during development, catching vulnerabilities early on. Static analysis security testing tools should be run on the application regularly, for example on daily/monthly builds, on every code check-in, or before each release.
Requirements :
- Python 3.6+ — Python 3.6 Download
- Oracle JDK 1.7 or above — Java JDK Download
- Mac OS Users must install Command-line tools — How to Install Commandline Tools in Mac
- iOS IPA Analysis works only on Mac and Linux.
- Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. For Windows App Static Analysis, Read Windows App Static Analysis
NOTE:
- On Linux and Mac, install Oracle Java 1.7 or above and make it the default JDK.
- On Linux, make sure you have 32 bit execution support enabled.
Installation :
1. Configuring static analyzer
Note : Tested on Windows (7, 8, 8.1, 10), Kali (2016.2), Ubuntu (14.04, 16.04), OS X (Mavericks, Yosemite, El Capitan), macOS (Sierra, High Sierra)
Run following commands :
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh # For Linux and Mac
setup.bat # For Windows
2. PDF report generation
- You need to install wkhtmltopdf binary separately for generating PDF reports.
- Check wkhtmltopdf downloads and Installing wkhtmltopdf wiki for more information.
- In Windows, you need to add the folder that contains wkhtmltopdf binary to environment variable PATH.
3. Running MobSF
- For Linux and Mac: ./run.sh
- For Windows: run.bat
If everything goes right, the server starts and prints the address it is listening on. You can navigate to http://localhost:8000/ to access the MobSF Web interface.
If you need to run on a specific port number try python manage.py runserver PORT_NO. To expose MobSF to a particular IP, you can try python manage.py runserver IP:PORT_NO. Both commands need to be executed from within the virtualenv.
Keep in mind that binding to a non-loopback address makes every uploaded app and every report reachable by anyone who can connect to that port unless something in front of MobSF authenticates requests, so leave it on localhost or put it behind an authenticating reverse proxy if other people need access.
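The API mentioned above is what a CI job uses to run a scan without touching the web UI. The following is an added example, not MobSF's own code: it assumes (the page does not state this) that the REST API is served under /api/v1/ of the running instance, takes the API key shown at startup and on the /api_docs page in the Authorization header, and offers upload, scan, report_json and download_pdf endpoints. The FakeMobSF class is a constructed offline stand-in, not a real server, so the flow can be exercised without a running instance.

```python
"""Trigger a MobSF static scan from a CI job through its REST API.

Added example, not MobSF's own code. Assumed (not stated on the page):
the REST API lives under /api/v1/, takes the API key in the Authorization
header, and exposes upload, scan, report_json and download_pdf endpoints.
FakeMobSF below is a constructed stand-in so the flow runs offline.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid


def urllib_http(url, headers, body):
    """Real transport: POST body to url, return (status, response bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def encode_multipart(filename, data, field="file"):
    """Build a multipart/form-data body carrying one file; return (ctype, body)."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\nContent-Disposition: form-data; "
            f'name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


class MobSFClient:
    def __init__(self, base_url, api_key, http=urllib_http):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.http = http  # injectable transport: real HTTP or an offline fake

    def _post(self, path, content_type, body):
        headers = {"Authorization": self.api_key, "Content-Type": content_type}
        status, raw = self.http(self.base_url + path, headers, body)
        if status != 200:
            raise RuntimeError(f"{path} failed with HTTP {status}: {raw[:200]!r}")
        return raw

    def _post_form(self, path, fields):
        return self._post(path, "application/x-www-form-urlencoded",
                          urllib.parse.urlencode(fields).encode())

    def upload(self, filename, data):
        ctype, body = encode_multipart(filename, data)
        return json.loads(self._post("/api/v1/upload", ctype, body))

    def scan(self, upload_resp):
        # scan is keyed by the three identifiers that upload returned
        fields = {k: upload_resp[k] for k in ("scan_type", "file_name", "hash")}
        return json.loads(self._post_form("/api/v1/scan", fields))

    def report_json(self, file_hash):
        return json.loads(self._post_form("/api/v1/report_json", {"hash": file_hash}))

    def download_pdf(self, file_hash):
        return self._post_form("/api/v1/download_pdf", {"hash": file_hash})


def run_pipeline(client, filename, data):
    """upload -> scan -> fetch the JSON report; return (file hash, report dict)."""
    up = client.upload(filename, data)
    missing = [k for k in ("scan_type", "file_name", "hash") if k not in up]
    if missing:
        raise RuntimeError(f"upload response lacks {missing}: {up}")
    client.scan(up)
    return up["hash"], client.report_json(up["hash"])


class FakeMobSF:
    """Constructed offline stand-in that records calls; not a real server."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, headers, body):
        path = urllib.parse.urlparse(url).path
        self.calls.append((path, headers.get("Authorization")))
        if headers.get("Authorization") != "secret-key":
            return 401, b'{"error": "Unauthorized"}'
        if path == "/api/v1/upload":
            return 200, json.dumps({"hash": "d41d8cd9", "scan_type": "apk",
                                    "file_name": "app.apk"}).encode()
        if path == "/api/v1/scan":
            return 200, b'{"status": "done"}'
        if path == "/api/v1/report_json":
            return 200, b'{"app_name": "demo", "average_cvss": 5.2}'
        if path == "/api/v1/download_pdf":
            return 200, b"%PDF-1.4 (constructed placeholder)"
        return 404, b"not found"


if __name__ == "__main__":
    # Real use: python mobsf_ci.py http://localhost:8000 <API_KEY> app.apk
    base, key, apk = sys.argv[1:4]
    with open(apk, "rb") as f:
        h, report = run_pipeline(MobSFClient(base, key), os.path.basename(apk), f.read())
    print(h, report.get("app_name"), report.get("average_cvss"))
```

The transport is injected so the same client runs against a real instance in the pipeline and against the fake in a unit test; a CI gate would then fail the build on the report contents (for example an average CVSS above a threshold) rather than on the mere success of the scan.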
MobSF Web Interface :
1. Information
Displays data such as app icon, app name, size, package name etc. The MD5 & SHA1 of the file are also shown; they can be matched against a threat-intelligence feed or a list of known-malware hashes to detect known malicious applications.
2. Scan options
· Rescan the application
· Start the dynamic analysis
· Check the java code & the manifest file
3. Signer certificate
· Display certificate info
· Determine whether an application comes from its original source: compare the certificate fingerprint with the developer's known signing key, since a repackaged app has to be re-signed with a different key.
4. Permissions
· Analyzes the permissions
· Determines the criticality of each permission & shows its description.
5. Binary analysis
· Threat assessment & vulnerability testing at the binary code level, without needing the source.
· It can also be used to analyze third-party libraries, giving a richer analysis & better visibility into how the application interacts with them.
· For complex apps that bundle third-party or native libraries for which no source code is available, binary analysis is the only way to find issues in that code.
6. Android API
You can view android API used in app like java reflection, location.
7. Browsable activities
Activities whose intent filter carries the android.intent.category.BROWSABLE category, so they can be launched from a web browser through a URL scheme or deep link. Review these closely: they are reachable from untrusted web content, so any parameters they take from the URL must be validated.
8. Security analysis
Manifest analysis :
Flags risky settings in the components and attributes of the AndroidManifest.xml file, such as components exported without a protecting permission, android:debuggable set, android:allowBackup left enabled, and intent filters reachable from a browser.
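The manifest checks just described, the permission review under "Permissions" and the browsable-activity listing all come from the same file, so one script can illustrate all three. The following is an added example written for this page, not MobSF's own analyzer: it reads a decoded (text) manifest of the kind apktool produces and MobSF shows in its manifest view, and the sample manifest, package name, component names and the short list of dangerous permissions are constructed for illustration.

```python
"""Flag risky AndroidManifest.xml settings, the way a manifest analyzer does.

Added example, not MobSF code. It takes a decoded (text) manifest such as
apktool produces. The sample manifest, package name and component names
below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
# A few permissions Android classifies as dangerous (illustrative subset).
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="pay"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.provider"
              android:exported="false"/>
  </application>
</manifest>
"""


def _attr(el, name):
    return el.get(ANDROID + name)


def has_category(el, category):
    return any(_attr(c, "name") == category
               for f in el.findall("intent-filter") for c in f.findall("category"))


def is_exported(el):
    """Effective exported state: an explicit android:exported wins; without it,
    a component that declares an intent-filter is exported (the rule before
    Android 12 made the attribute mandatory for such components)."""
    explicit = _attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return findings as dicts: severity, issue, component (None = app level), detail."""
    root = ET.fromstring(xml_text)
    findings = []

    def add(severity, issue, component=None, detail=""):
        findings.append({"severity": severity, "issue": issue,
                         "component": component, "detail": detail})

    for p in root.findall("uses-permission"):
        if _attr(p, "name") in DANGEROUS:
            add("info", "dangerous-permission", detail=_attr(p, "name"))

    app = root.find("application")
    if app is None:
        return findings
    if (_attr(app, "debuggable") or "false").lower() == "true":
        add("high", "debuggable", detail="a debugger can attach to the app on any device")
    # allowBackup defaults to true, so only an explicit "false" is safe.
    if (_attr(app, "allowBackup") or "true").lower() == "true":
        add("medium", "allow-backup", detail="app data can be pulled with adb backup")

    for el in app:
        if el.tag not in COMPONENTS:
            continue
        name = _attr(el, "name")
        if has_category(el, "android.intent.category.BROWSABLE"):
            schemes = [_attr(d, "scheme") for f in el.findall("intent-filter")
                       for d in f.findall("data") if _attr(d, "scheme")]
            add("medium", "browsable", name,
                "reachable from a web page via scheme(s): " + ", ".join(schemes))
        # The launcher activity is meant to be exported; anything else that is
        # exported without an android:permission can be invoked by any app.
        if has_category(el, "android.intent.category.LAUNCHER"):
            continue
        if is_exported(el) and not _attr(el, "permission"):
            add("medium", "exported-unprotected", name,
                f"{el.tag} is exported and not guarded by a permission")
    return findings


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{f['severity']}] {f['issue']:22} {f['component'] or '<application>'}  {f['detail']}")
```

Against the sample manifest this reports the dangerous READ_SMS permission, the debuggable and allowBackup attributes, the BROWSABLE deep-link activity (which is also implicitly exported through its intent filter) and the explicitly exported service, while the launcher activity, the permission-guarded receiver and the non-exported provider produce nothing.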
Code analysis :
· Analysis result of java code by a static analyzer.
· Identifies potential vulnerabilities, rates their severity & lists the files in which each was found.
CVSS :
· Common Vulnerability Scoring System
· Vulnerability is assigned a CVSS base score between 0.0 & 10.0.
0.0 → No risk
0.1–3.9 → Low risk
4.0–6.9 → Medium risk
7.0–8.9 → High risk
9.0–10.0 → Critical risk score
CWE :
· Common Weakness Enumeration
· A catalogue of common weakness types in software architecture, design or code; each finding is tagged with the CWE it instantiates.
File analysis :
Lists files of interest found inside the package, such as certificate or key files shipped with the app.
9. Malware analysis
Determines the functionality, origin & potential impact of a given malware sample (virus, trojan, spyware).
10. Reconnaissance
URL :
Displays the list of URLs & IP addresses found in the app and the files in which they are stored or called. This shows where the Android app sends data & where it stores information.
Emails :
Displays the email addresses found in the app & the files they appear in.
Strings :
· Extracts the strings from the resource files in the res directory (for example res/values/strings.xml).
· These may contain sensitive data such as API keys, credentials or internal endpoints.
11. Components
Displays a complete list of components (activities, services, content providers & receivers), imported libraries & files without an extension.