Welcome to the first of a series of posts diving into the functionality and usage of the tool Mobile Security Framework, also known as MobSF. This tool not only provides static and dynamic analysis of both Android and iOS mobile applications, but can also provide a great deal of guidance for mobile application penetration testing. Throughout this series, we will explore the different capabilities of this tool and discuss how it can be used to augment mobile app pentesting. Let’s first go through an overview of the tool’s core features and set the stage for some deep dives.
What is MobSF?
The creators of MobSF define it as “an automated, all-in-one mobile application (Android/iOS/Windows) pentesting, malware analysis, and security assessment framework capable of performing static and dynamic analysis.” I think this description is accurate, however a common pitfall we’ve seen associated with this tool happens when individuals take the output of the tool at face-value and assume that any issues in the applications will be displayed in the summary report. Contrary to that, the best usage that we have found for MobSF is to use it as a “launch point” for an assessment, which locates issues that may not have been as easy to locate without MobSF helping to point us in the right direction.
Getting Started With MobSF
If you’re a hands-on learner, like many of us here, then you may want to dive into this tool while following along. We find that the best way to learn and develop new skills is to try it out for ourselves. With that being said, let’s quickly go over the options on how to set up MobSF so you can grasp it as we go.
The MobSF team has provided the initial installation process, which we may refer to during the set-up phase. MobSF can be cloned locally from the GitHub repository located at https://github.com/MobSF/Mobile-Security-Framework-MobSF or through a prebuilt Docker image that can be found on DockerHub at https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/. This post will cover the GitHub repository for now. Before installation, it’s important to make sure that all the appropriate pre-requisites are in place depending on which operating system you’re using (which can be found at https://mobsf.github.io/docs/#/requirements).
Once these are in place, and you have cloned the repository from GitHub, you can proceed to run setup.sh or setup.bat for Mac/Linux or Windows, respectively. If this setup completes with no issues or errors, you can then proceed to run the appropriate file as detailed at https://mobsf.github.io/docs/#/running, and navigate to “http://localhost:8000” in your browser to begin using MobSF!
Using Mobile Security Framework
Once MobSF is up and running, you are now able to upload any mobile application file (most commonly files with extensions such as .apk or .ipa) and MobSF will analyze the file and create a report to summarize the functionality within the application, as well as potential issues that should be noted and checked out. If you are testing or analyzing multiple files at once, you can also re-visit the generated reports at any time through the “Recent Scans” tab which will show all the files that have been uploaded to MobSF. These reports can also be exported in PDF format for review outside of the application or shared with other teams.
These reports will contain information on everything from if a file is securely signed and how that was done, to the functionality that the application will utilize once installed on a device. If this the first time you have looked at a report from MobSF, it may seem overwhelming due to the size and sheer amount of information it generates but, in further blog posts, we will break down each of these sections to help you focus on the important aspects that will augment any testing being performed and isolate potential issues and risks within the application.
If you want to test this out yourself, some example files can be found here:
More example applications can be found at https://mobile-security.gitbook.io/mobile-security-testing-guide/appendix/0x08-testing-tools#vulnerable-applications.
As always, be cautious with any files you download and audit them yourself to ensure their safety before loading them on any machine.
MORE FROM WHITE OAK SECURITY
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.