Mobile Security Framework Guide
What is Mobile Security Testing?
Mobile application security testing helps ensure there are no loopholes in the software that could lead to data loss. The tests are meant to attack the app in order to identify threats and vulnerabilities that would allow external persons or systems to access private information stored on the mobile device.
Mobile Application Security Challenges:
- Integrations with other apps
- Unsecured communications
- Security breaches that allow malware to be installed
- Utilization (and integration) of different authentication procedures
- Testing hidden parts of the application
- Open Codes
Mobile Security Framework (MobSF)
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications.
MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.
Reference: https://github.com/MobSF/Mobile-Security-Framework-MobSF/
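As an added example of the CI/CD integration mentioned above (this is not MobSF's own code): a small Python client that uploads an app to a running MobSF instance through its REST API, triggers the static scan, fetches the JSON report, and fails the build when high-severity findings exceed a threshold. The endpoint paths, the `Authorization: <API key>` header and the report layout are assumptions to check against your MobSF version; the HTTP call is injected so the gating logic can be exercised offline.

```python
# Assumed MobSF REST API (verify for your version): POST /api/v1/upload (multipart field "file"),
# POST /api/v1/scan and POST /api/v1/report_json (form field "hash"), each authenticated with an
# "Authorization: <API key>" header. `post(url, headers, payload)` is whatever HTTP transport
# you use (e.g. a thin wrapper over requests.post); it must return the decoded JSON body.
from collections import Counter
from typing import Any, Callable, Dict, Optional

Post = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def upload_scan_report(base_url: str, api_key: str, file_name: str,
                       data: bytes, post: Post) -> Dict[str, Any]:
    """Upload the app binary, run the static scan and return the JSON report."""
    headers = {"Authorization": api_key}
    up = post(f"{base_url}/api/v1/upload", headers, {"file": (file_name, data)})
    # MobSF identifies a scan by the MD5 of the uploaded file; the upload response echoes it
    # together with scan_type and file_name, which older MobSF releases also expect on /scan.
    scan_id = up["hash"]
    post(f"{base_url}/api/v1/scan", headers,
         {"hash": scan_id, "scan_type": up.get("scan_type", "apk"),
          "file_name": up.get("file_name", file_name)})
    return post(f"{base_url}/api/v1/report_json", headers, {"hash": scan_id})


def count_severities(node: Any, counts: Optional[Counter] = None) -> Counter:
    """Walk the report and count every 'severity' value found at any depth.
    Assumption: each finding carries a 'severity' string (e.g. high/warning/info) somewhere
    in its metadata; the exact nesting differs between MobSF versions, so walking the whole
    tree keeps the gate independent of the layout."""
    counts = Counter() if counts is None else counts
    if isinstance(node, dict):
        sev = node.get("severity")
        if isinstance(sev, str):
            counts[sev.lower()] += 1
        for value in node.values():
            count_severities(value, counts)
    elif isinstance(node, list):
        for value in node:
            count_severities(value, counts)
    return counts


def gate(report: Dict[str, Any], max_high: int = 0) -> bool:
    """True when the build may proceed: at most max_high high-severity findings."""
    return count_severities(report)["high"] <= max_high
```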
Features
- Static Analysis (Android/iOS/Windows)
- Dynamic Analysis (Android/iOS/Windows)
- Web API Fuzzer
Types of Analysis in MobSF
1) Static Analysis / Mobile app reverse engineering
In static analysis, the application is tested from the inside out: the source code or binary is analyzed without executing the application, so it does not depend on a runtime environment. It can be used to test code during development, catching vulnerabilities early on. Static analysis security testing tools should be run on the application regularly, for example during daily/monthly builds, every time code is checked in, or at every code release.
2) Dynamic Analysis
Dynamic analysis is performed by executing the application on either a real device or a simulator. The collected information is then examined for:
- Sensitive data access
- Hardcoded details
- Traffic analysis
- Insecure requests
MobSF Installation Guide
Static Analysis
- Python 3.6 or above
- Oracle JDK 7 or above
- Debian based Linux: sudo apt install python3-pip python3-dev build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
- For Windows, install Microsoft Visual C++ Build Tools and OpenSSL
- Mac OS Users must install command-line tools
- iOS IPA Analysis works only on Mac, Linux and Docker containers.
- Windows app static analysis requires a Windows host, or a Windows VM on Mac and Linux.
NOTE
- On Linux and Mac, install Oracle Java 7 or above and make it the default.
- On Linux, make sure you have 32-bit execution support enabled.
- On Windows, install Git.
Configuring Static Analyzer
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
Dynamic Analysis (MobSF Dynamic Analysis currently supports Android)
- Download MobSF Android x86 4.4.2 VM (v0.3) ova file [ https://bit.ly/2RAmQOZ ]
- Oracle VirtualBox 5.2 (if you are using the x86 VM)
- VirtualBox 6.0 and above are not supported as x86 support is discontinued.
Docker Installation and Run MobSF Docker image
Too lazy to set up static analysis? Use the latest MobSF Docker image. (Dynamic analysis mostly needs MobSF configured on the host OS rather than inside a container.)
- Create a Docker Account
- Install Docker in the system
- Run the following commands in the terminal:
- docker pull opensecurity/mobile-security-framework-mobsf
- docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Reference: https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/1.-Documentation