Mobile Security Framework – MobSF
Introduction
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pentesting framework capable of performing static, dynamic and malware analysis, as well as web API testing.
MobSF: All-in-one Mobile (Android/iOS) Pentesting Framework
MobSF is an open source and intelligent tool which you can use to perform both static and dynamic analyses on Android/iOS/Windows platforms. It supports both binaries (APK, IPA and APPX) and zipped source code. It also has Web API fuzzing capabilities, powered by the web API security scanner CapFuzz. So, whether you are a developer, pentester or security analyst, you can identify vulnerabilities in mobile apps at all stages of development.
Features:
- Information Gathering & Security Headers Analysis
- Dynamic and static analysis (dynamic SSL testing, dynamic analysis on a custom VM or rooted Android devices, static analysis and stats)
- Fuzzing web APIs for security vulnerabilities (Web API Fuzzer: API rate limiting and session related vulnerabilities.)
- Free and open-source automated security assessment for both Android/iOS apps
- Identify Mobile API vulnerabilities (XXE, SSRF, Path Traversal, IDOR)
- Built-in evasion modules (Android Blue Pill, RootCloak, JustTrustMe, etc.)
Requirements
Static Analysis:
- Python 3.6+
- Oracle JDK 1.7 or above
- Mac OS users must install Command-line tools
- iOS IPA Analysis works only on Mac and Linux
- Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.
Dynamic Analysis:
- MobSF x86 Android VM requires Oracle VirtualBox
- MobSF Android AVD (ARM Emulator) requires Android Studio and a configured AVD
- Hardware requirements: minimum 4 GB RAM, 5 GB HDD/SSD and virtualization support for running the MobSF VM, plus Intel HAXM if you are running the MobSF ARM emulator.
Note (Static Analysis):
- Linux & Mac: install Oracle Java 1.7+ (make it the default one).
- Linux: enable 32-bit execution support
Install
MobSF Docker image
In case you don’t want to set up static analysis yourself, use the automated prebuilt Docker image. Run the following:
$ docker pull opensecurity/mobile-security-framework-mobsf
$ docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Static Analyzer Configuration
MobSF comes bundled with BlackArch Linux. Installation is tested on the following platforms:
- Windows (7, 8, 8.1, 10)
- Kali Linux (2016.2)
- Ubuntu (14.04, 16.04)
- OSX (Mavericks, Yosemite, El Capitan)
- macOS (Sierra, High Sierra)
Clone it from the github repo:
$ git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
Then navigate to the MobSF directory and run (Linux/Mac):
$ cd Mobile-Security-Framework-MobSF
$ ./setup.sh
On Windows run:
$ setup.bat
Dynamic Analyzer Configuration
MobSF Dynamic Analysis currently supports Android:
- Android 4.4.2 x86 VirtualBox VM: fast, not all apps work
- Rooted Android 4.03 – 4.4 Device: very fast, all apps work
- Rooted Android 4.03 – 4.4 VM: not tested
Update
First you need to migrate your database, or you will encounter errors like this one:
[ERROR] Saving to DB (E:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 236 "static_db.save()"): table StaticAnalyzer_staticanalyzerandroid has no column named
Run the following to migrate your db:
$ python3 manage.py makemigrations
$ python3 manage.py migrate
This will remove all previously saved scan results. If the migration didn’t work, run the following and then try the commands above again:
$ clean.sh
Then install requirements:
$ pip install -r requirements.txt
Usage
To start it, just run:
$ ./run.sh   # Linux
$ ./run.bat  # Windows
In case you want to run it on a specific port, try:
$ python manage.py runserver PORT_NO
MobSF Mass Static Analysis
Start server:
$ python manage.py runserver 8000
Then run the following:
$ mass_static_analysis.py
usage: mass_static_analysis.py [-h] [-d DIRECTORY] [-s IPPORT]

optional arguments:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory DIRECTORY
                        Path to the directory that contains mobile app binary/zipped source code
  -s IPPORT, --ipport IPPORT
                        IP address and Port number of a running MobSF Server. (ex: 127.0.0.1:8000)
Example:
$ python mass_static_analysis.py -s 127.0.0.1:8000 -d /home/files/
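If you want to drive the same mass submission from your own tooling, here is an added example that is not part of this page or of MobSF's own mass_static_analysis.py. It assumes the REST API of current MobSF releases (POST /api/v1/upload followed by POST /api/v1/scan, both authenticated with an Authorization header carrying the API key MobSF prints at startup); the server address, key and directory you pass in are placeholders.

```python
# Added example, not MobSF's own mass_static_analysis.py. Assumes the REST API of
# current MobSF releases: POST /api/v1/upload (multipart field 'file'), then
# POST /api/v1/scan, both with an 'Authorization: <API key>' header. Placeholders only.
import json
import os
import urllib.parse
import urllib.request
import uuid

SUPPORTED = {".apk", ".ipa", ".appx", ".zip"}  # binaries and zipped source MobSF accepts

def filter_apps(names):
    """Keep file names whose extension MobSF can analyse (case-insensitive), sorted."""
    return sorted(n for n in names if os.path.splitext(n)[1].lower() in SUPPORTED)

def build_multipart(filename, data):
    """Hand-build a multipart/form-data body for the 'file' field (stdlib only)."""
    boundary = uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"

def http_post(url, body, headers):
    """Default transport: POST the body and return the raw response bytes."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=600) as resp:
        return resp.read()

def submit(server, api_key, filename, data, post=http_post):
    """Upload one file, then start its static scan; return MobSF's scan hash."""
    base = f"http://{server}/api/v1"
    body, ctype = build_multipart(filename, data)
    meta = json.loads(post(f"{base}/upload", body,
                           {"Authorization": api_key, "Content-Type": ctype}))
    # The upload reply carries hash/scan_type/file_name; the scan call echoes them back.
    form = urllib.parse.urlencode({k: meta[k] for k in ("hash", "scan_type", "file_name")})
    post(f"{base}/scan", form.encode(),
         {"Authorization": api_key, "Content-Type": "application/x-www-form-urlencoded"})
    return meta["hash"]

def scan_directory(server, api_key, directory, post=http_post):
    """Submit every supported file in `directory`; map each path to its scan hash."""
    results = {}
    for name in filter_apps(os.listdir(directory)):
        path = os.path.join(directory, name)
        with open(path, "rb") as fh:
            results[path] = submit(server, api_key, name, fh.read(), post)
    return results
```

Call scan_directory("127.0.0.1:8000", "<API key>", "/home/files/") against a server started with manage.py runserver 8000; the returned hashes are the ones MobSF uses in its report URLs.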