
Mobile Security Framework (MobSF) - An All-In-One Mobile Application Security Assessment Framework


Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you perform runtime security assessment and interactive instrumented testing.

Screenshots:

  • Static Analysis - Android
MobSF Android Static Analysis Screenshot

MobSF Android Code Analysis Screenshot

MobSF Android Application Screenshot

  • Static Analysis - iOS
MobSF iOS Static Analyzer Screenshot

MobSF iOS Code Analysis Screenshot

  • Dynamic Analysis - Android APK
MobSF Android Dynamic Analyzer Screenshot

MobSF Android API Monitor Screenshot

MobSF Android Frida API Monitor Base64 Screenshot

  • Web API Viewer
MobSF Web API Viewer HTTP Tools Screenshot

Requirements:

  • Mac:
    • Install Git
    • Install Python 3.6 - 3.7 (3.8 is not supported)
    • macOS Catalina users must uninstall existing python3 and install the one from Python.org. After installation, go to /Applications/Python 3.7/ and run Install Certificates.command and Update Shell Profile.command
    • Install JDK 8+
    • Install command line tools xcode-select --install
    • Download & Install wkhtmltopdf as per the wiki instructions
    • macOS Mojave users, install headers if available: 
sudo installer -pkg /Library/Developer/CommandLineTools/Packages/macOS_SDK_headers_for_macOS_10.14.pkg -target /

  • Ubuntu/Debian based Linux:
    • Install Git: sudo apt-get install git
    • Install Python 3.6 - 3.7: sudo apt-get install python3
    • Install JDK 8+: sudo apt-get install openjdk-8-jdk
    • Install the following dependencies 
sudo apt install python3-venv python3-pip python3-dev build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf

If you are running MobSF on a Windows host, you do not have to configure anything apart from interacting with the automated installation script the first time you run MobSF. However, if you are using a different host OS, you need to configure a Windows VM. Sadly, binskim is only available on Windows, so even for Windows static analysis a Windows VM is required.

Steps on the Windows VM:
  • Install the following requirements on the VM
    • Python 3
    • rsa (via python -m pip install rsa)
  • Download the setup.py script and run it
  • There is some manual interaction, but if there are no errors, everything is good and the RPC server should be running.
Remember: use a separate Windows VM for MobSF and don't expose it to a network range where an attack might be coming from. The best solution is to set it to host-only mode.

  • To integrate a Windows VM into MobSF, follow these steps:
    • Get the IP of your VM and set it in the MobSF/settings.py file (search for WINDOWS_VM_IP)
    • (If not yet done:) Copy the private RSA key from the VM to MobSF

If you see errors like this:
Unhandled Exception: System.NotSupportedException: The requested security protocol is not supported.
at System.Net.ServicePointManager.set_SecurityProtocol(SecurityProtocolType value)
at NuGet.CommandLine.Program.MainCore(String workingDirectory, String[] args)
at NuGet.CommandLine.Program.Main(String[] args)
AttributeError: ConfigParser instance has no attribute 'getitem'
The MobSF setup script assumes that your VM or host Windows box has a C drive and that you have permission to read and write in C:\MobSF. This error occurs if you don't have proper read/write permissions.

IMPORTANT:
  • Set JAVA_HOME environment variable.
  • iOS IPA Analysis works only on Mac, Linux and Docker containers.

Dynamic Analysis:

  • Dynamic Analysis will not work if you use the MobSF docker container or set up MobSF inside a virtual machine.
  • Install Genymotion

Installation:

Tested on Windows 10, Ubuntu (18.04, 19.04), macOS Catalina
# Please make sure that all the requirements mentioned above are installed first.

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
# Linux or Mac users
./setup.sh
# Windows users
setup.bat
IMPORTANT: Windows users, before running setup.bat close any open folders of MobSF or text editors that have MobSF open. Either of these can interrupt the setup by causing permission errors.

Running MobSF

  • For Linux and Mac: ./run.sh
  • For Windows: run.bat
You can navigate to http://localhost:8000/ to access the MobSF web interface.

    Configuring Dynamic Analyzer

    Dynamic analysis using a real mobile phone is not supported.

    Run a Genymotion Android VM before starting MobSF. Everything will be configured automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for dynamic analysis. We recommend using Android 7.0 and above.

    Android versions 5 and above are automatically MobSFyed on first run. For Android versions less than 5, you must MobSFy the Android Runtime prior to Dynamic Analysis for the first time. Click MobSFy Android Runtime button in Dynamic Analysis page to MobSFy the android runtime environment.

    HTTPS Proxy
    • For Android versions 4.4 - 9.0, global proxy settings are automatically applied at runtime.
    • For Android version 4.1 - 4.3, set Android VM proxy as displayed in Dynamic Analysis page.
    If the Dynamic Analyzer doesn't detect your Android device, you need to manually configure ANALYZER_IDENTIFIER in MobSF/settings.py. Example: ANALYZER_IDENTIFIER = '192.168.56.101:5555'. You can find the Android device IP in the Genymotion title bar; the default port is 5555.


    MobSF Docker Container

    Too lazy to set up MobSF? Use the latest MobSF docker image (Dynamic Analysis is not supported):
    docker pull opensecurity/mobile-security-framework-mobsf
    # Static Analysis Only
    docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

    MobSF e-Learning Courses & Certification

    We have 2 self-paced e-learning courses that cover MobSF and other Android security tools.
    • OpSecX - Automated Mobile Application Security Assessment with MobSF – MAS (Currently being updated)
    • OpSecX - Android Security Tools Expert – ATX

      Updating MobSF

      If you are updating MobSF, in most cases you will have to perform database migrations, otherwise you will see errors such as:
      [ERROR] Saving to DB (E:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 236 "static_db.save()"): table StaticAnalyzer_staticanalyzerandroid has no column named 

      Run the commands below to migrate your database:
      python manage.py makemigrations
      python manage.py makemigrations StaticAnalyzer
      python manage.py migrate
      If the above steps didn't work, you might have to run setup.sh or setup.bat again, which will delete your previous scan results.

      APKiD

      APKiD is enabled by default. To disable it, set APKID_ENABLED to False in MobSF/settings.py.

      VirusTotal Scan

      VirusTotal Scan is disabled by default. You need to add your VirusTotal API Key before enabling it.

      AppMonsta Android Play Store Information

      We use AppMonsta API to fetch details from Google Play Store as a fail safe to our primary implementation. It is disabled by default. To enable it, you need AppMonsta API Key.
      • Get AppMonsta API Key from: AppMonsta API Key
      • In MobSF/settings.py, add your API Key to APPMONSTA_KEY and restart MobSF.

      Mass Static Analysis

      MobSF supports mass static analysis. Here is how to run it:
      • Run the MobSF server:
      python manage.py runserver 8000
      • Run mass_static_analysis.py:
      usage: mass_static_analysis.py [-h] [-d DIRECTORY] [-s IPPORT]

      optional arguments:
      -h, --help show this help message and exit
      -d DIRECTORY, --directory DIRECTORY
      Path to the directory that contains mobile app
      binary/zipped source code
      -s IPPORT, --ipport IPPORT
      IP address and Port number of a running MobSF Server.
      (ex: 127.0.0.1:8000)
      Example: python mass_static_analysis.py -s 127.0.0.1:8000 -d /home/files/ 

      Using Postgres DB instead of SQLite:

      Install psycopg2: pip3 install psycopg2-binary

      Go to MobSF\settings.py

      Comment out the following:
      DATABASES = {
          'default': {
              'ENGINE': 'django.db.backends.sqlite3',
              'NAME': DB_DIR,
          }
      }

      Now uncomment the following:
      DATABASES = {
          'default': {
              'ENGINE': 'django.db.backends.postgresql_psycopg2',
              'NAME': 'mobsf',
              'USER': 'postgres',
              'PASSWORD': '',
              'HOST': 'localhost',
              'PORT': '',
          }
      }

      Create a database in Postgres named mobsf and fill in the above settings with the correct username, password and other details.

      Apply Migrations:
      python3 manage.py makemigrations
      python3 manage.py migrate
      Now you can start the MobSF server; Postgres is configured as your database.

      Home Directory Support:

      If you want all user uploads, downloads and user configurations to be created in the home directory, enable home directory support.

      To provide personalized version of MobSF to multiple users on an OS or to bundle MobSF with a pentesting distro you might need the home directory support enabled.

      To enable Home Directory support, go to settings.py and set USE_HOME to True.
      USE_HOME = True

      This will ensure that:
      • All user uploads, the database, and downloads are created in the .MobSF directory under the user's home directory.
      • User configurations are read from .MobSF/config.py in the home directory. If the format is incorrect or the file is not found, user configurations are read from MobSF/settings.py itself.

      Docker Image for MobSF Static Analysis

      Building Image from Dockerfile
      git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
      cd Mobile-Security-Framework-MobSF
      docker build -t mobsf .
      docker run -it -p 8000:8000 mobsf
      This will run MobSF at 0.0.0.0:8000

      Building Image behind a proxy from Dockerfile
      docker build --build-arg https_proxy="http://proxy_ip:proxy_port" --build-arg http_proxy="proxy_ip:proxy_port" --build-arg NO_PROXY="127.0.0.1" -t mobsf .
      (replace `proxy_ip` with your proxy's IP address and `proxy_port` with the port the proxy listens on)

      Rebuilding Image from Dockerfile from Scratch
      docker rmi ubuntu:18.04
      docker build --no-cache --rm -t mobsf .

      Prebuilt MobSF Docker Image
      https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/
      docker pull opensecurity/mobile-security-framework-mobsf
      docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

      For persistence
      docker run -it --name mobsf -p 8000:8000 -v :/root/.MobSF opensecurity/mobile-security-framework-mobsf:latest

      For postgres support
      You will need docker-compose : see https://docs.docker.com/compose/install/
      • build the images docker-compose build
      • launch the services docker-compose up -d (in background) or docker-compose up (in foreground)
      Then verify the 2 services are up:
      docker ps
      CONTAINER ID        IMAGE                                   COMMAND                  CREATED             STATUS              PORTS                          NAMES
      7de107c5b853 mobile-security-framework-mobsf_mobsf "python3 manage.py r…" 5 weeks ago Up 5 weeks 0.0.0.0:8000->8000/tcp mobile-security-framework-mobsf_mobsf_1
      149a3ffa61ca postgres:latest "docker-entrypoint.s…" 5 weeks ago Up 5 weeks 5432/tcp mobile-security-framework-mobsf_postgres_1

      If you don't want to use docker-compose, you will need to start a postgres container first, then build and start MobSF from the Dockerfile with the POSTGRES build argument set to True:
      docker build --build-arg POSTGRES=True -t mobsf .

      You can change the Postgres connection information in postgres_support.sh. Do it before building the image: the script rewrites MobSF/settings.py at build time and bakes in the host name 'postgres' and the default password 'password' shown below.
      #!/bin/bash
      set -e
      POSTGRES=$1
      echo "Postgres support : ${POSTGRES}"
      if [ "$POSTGRES" == True ]; then
          echo "Installing Postgres"
          pip3 install psycopg2-binary
          # Enable postgres support: drop the sqlite3 block from settings.py,
          # uncomment the Postgres block and patch in the container's credentials
          sed -i '/# Sqlite3 suport/,/# End Sqlite3 support/d' ./MobSF/settings.py && \
          sed -i "/# Postgres DB - Install psycopg2/,/'''/d" ./MobSF/settings.py && \
          sed -i "/# End Postgres support/,/'''/d" ./MobSF/settings.py && \
          sed -i "s/'PASSWORD': '',/'PASSWORD': 'password',/" ./MobSF/settings.py && \
          sed -i "s/'HOST': 'localhost',/'HOST': 'postgres',/" ./MobSF/settings.py
      fi

      If you get an error at first launch:
      docker exec -it mobile-security-framework-mobsf_mobsf_1 python3 manage.py makemigrations
      docker exec -it mobile-security-framework-mobsf_mobsf_1 python3 manage.py migrate

      To see what's happening in the container if launched with -d instead of -it:
      docker logs -f --tail 100 mobsf

      To get shell access in the container:
      docker exec -it mobsf /bin/bash

      REST API

      MobSF provides REST APIs. You can access API docs from within the app.

      CI/CD

      For CI/CD you can take advantage of the MobSF REST API.
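      As an added illustration of using the REST API from a pipeline (example code, not part of MobSF or this post), the script below uploads a binary, triggers a static scan, pulls the JSON report and fails the build when the report contains 'high' findings. It assumes the upload, scan and report_json endpoints under /api/v1/ and the Authorization header documented in the in-app API docs, that the upload reply carries hash, scan_type and file_name, and that findings are marked by a "severity", "stat" or "level" key (the report schema differs between MobSF releases, so count_by_severity walks the JSON generically rather than relying on section names).

```python
import json
import sys
import urllib.request
import uuid

MOBSF_URL = "http://localhost:8000"            # the server started by run.sh / run.bat
API_KEY = "REPLACE_WITH_YOUR_MOBSF_API_KEY"    # placeholder; copy it from the in-app API docs
SEVERITY_KEYS = ("severity", "stat", "level")  # assumption: keys that mark a finding's severity

def _post(path, fields, upload=None):
    """POST a multipart form (text fields plus an optional file) and parse the JSON reply."""
    boundary = uuid.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    if upload:
        filename, data = upload
        body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
                 "Content-Type: application/octet-stream\r\n\r\n").encode() + data + b"\r\n"
    body += f"--{boundary}--\r\n".encode()
    req = urllib.request.Request(MOBSF_URL + path, data=body, method="POST", headers={
        "Authorization": API_KEY, "Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=900) as resp:   # static scans can take minutes
        return json.load(resp)

def scan_binary(path):
    """Upload an APK/IPA/APPX, run the static scan and return the JSON report (assumed endpoints)."""
    with open(path, "rb") as fh:
        up = _post("/api/v1/upload", {}, (path.rsplit("/", 1)[-1], fh.read()))
    _post("/api/v1/scan", {"scan_type": up["scan_type"], "file_name": up["file_name"], "hash": up["hash"]})
    return _post("/api/v1/report_json", {"hash": up["hash"]})

def count_by_severity(node, counts=None):
    """Tally every object in the report that carries a severity marker (schema-agnostic walk)."""
    counts = {} if counts is None else counts
    if isinstance(node, dict):
        marker = next((node[k] for k in SEVERITY_KEYS if isinstance(node.get(k), str)), None)
        if marker:
            counts[marker.lower()] = counts.get(marker.lower(), 0) + 1
        for value in node.values():
            count_by_severity(value, counts)
    elif isinstance(node, list):
        for item in node:
            count_by_severity(item, counts)
    return counts

def passes_gate(report, max_high=0):
    """True when the number of 'high' findings is within the pipeline's risk budget."""
    return count_by_severity(report).get("high", 0) <= max_high

if __name__ == "__main__":                      # usage: python mobsf_gate.py path/to/app.apk
    report = scan_binary(sys.argv[1])
    print(json.dumps(count_by_severity(report), indent=2))
    sys.exit(0 if passes_gate(report) else 1)
```

A non-zero exit code is what makes the CI stage fail, so wire the script's exit status into the pipeline step that runs it.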

      MobSF CI/CD pipeline integration
      docker-app render omerl/mobsf-ci:0.3.0 --set target_folder= --set target_apk= --set output_folder= | docker-compose -f - up --exit-code-from scan
      To parse the report, use OWASP Glue.

      Usage:
      • Clone the repo
      • Create a folder named target in the root folder, and place the target there (e.g. target/my_app.apk).
      • Run the tests using:
      TARGET_PATH='target/' docker-compose up --build --exit-code-from scan
      • Wait for the command to complete; it will take some time. Once it has finished, check the report under output/report.json.
      • Use OWASP Glue to process the report by running:
      docker run -it -v $(pwd)/output:/app owasp/glue:raw-latest ruby bin/glue -t Dynamic -T /app/report.json --mapping-file mobsf --finding-file-path /app/android.json -z 2

      Running Tests:

      You can run all the unit tests with tox -e lint,test (lint doesn't work on Windows).

      Presentations:

      • OWASP APPSEC EU 2016
      • NULLCON 2016
      • c0c0n 2015
      • G4H Webcast 2015

      From Effect Hacking; full article here.
