MobSF – Mobile Security Framework Is An Automated All-In-One Mobile Application

Mobile Security Framework or MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. It can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz.

Static Analyzer Docker Image

Automated prebuilt docker image of MobSF Static Analyzer is available from DockerHub

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Also ReadHeadless Burp – Automate security tests using Burp Suite

Requirements

Static Analysis

Python 3.6+
Oracle JDK 1.7 or above
Mac OS Users must install Command-line tools
iOS IPA Analysis works only on Mac and Linux.
Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

NOTE:

On Linux and Mac, install Oracle Java 1.7 or above and make it the default one.
On Linux, make sure you have 32 bit execution support enabled.

Dynamic Analysis

If you are going to use MobSF x86 Android VM, it requires Oracle VirtualBox – VirtualBox Download.
If you are going to use MobSF Android AVD (ARM Emulator), It requires Android Studio and a configured AVD.
Hardware Requirements: Min 4GB RAM, 5GB HDD/SSD and Virtualization Support for running MobSF VM and Intel HAXM if you are running MobSF ARM Emulator.

Installation

Tested on Windows (7, 8, 8.1, 10), Kali (2016.2), Ubuntu (14.04, 16.04) , OSX (Mavericks, Yosemite, El Capitan), OS (Sierra, High Sierra)

Configuring Static Analyzer

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
pip3 install virtualenv
virtualenv -p python3 venv
source venv/bin/activate
pip3 install -r requirements.txt

PDF Report Generation

You need to install wkhtmltopdf binary separately for generating PDF reports.
Check wkhtmltopdf downloads and Installing wkhtmltopdf wiki for more information.
In Windows, you need to add the folder that contains wkhtmltopdf binary to environment variable PATH.

Running

python3 manage.py runserver

If you need to run on a specific port number try python3 manage.py runserver PORT_NO. To expose MobSF to a particular IP, you can try python3 manage.py runserver IP:PORT_NO.

If everything goes right, you will get an output like the one below.

You can navigate to http://localhost:8000/ to access the MobSF Web interface.

Configuring Dynamic Analyzer with MobSF Android 4.4.2 x86 VirtualBox VM

Dynamic Anlayzer is available only for Android binaries (APK) and works only if your computer has at least 4GB of RAM and Full Virtualization support.

NOTE: If you are configuring MobSF VM in VirtualBox for Dynamic Analysis, you must have configured MobSF in the host OS and not inside any VM.

To Configure Dynamic Analyzer we need 4 things.

VM UUID
Snapshot UUID
Host/Proxy IP
VM/Device IP

Steps to Follow

Open VirtualBox, Go to File -> Import Appliance and select the MobSF_VM_X.X.ova file.

Proceed with the import process. Do not alter anything.
Once the OVA is Imported Successfully, you will see a new entry in VirtualBox named MobSF_VM_X.X
Right Click MobSF VM and Choose Settings, Go to Network tab. Here we need to configure two Network Adapters.
- Adapter 1 should be enabled and attached to Host-only Adapter. Remember the name of the adapter. We need the name to Identify the Host/Proxy IP.

- Adapter 2 should be enabled and attached to NAT

Save the settings and Start MobSF VM. While the VM is Booting up. Note down the VM IP.

Once the VM Boots up, It will present a Lock Screen. The password for the Lock Screen is 1234.

NOTE: If the VM does not boot up properly then you cannot perform Dynamic Analysis with MobSF VM.

Getting the Host/Proxy IP
- Windows : Issue the command ipconfig in command prompt and note down the IP corresponding to the name of the Host-only Adapter.

- Unix : Issue the command ifconfig in terminal and note down the IP corresponding to the name of the Host-only Adapter.

NOTE: The VirtualBox Host-Only Adapter IP and MobSF VM IP should be in the same network range. If your MobSF VM IP and Adapter IP are in different network range, modify the Adapter IP to be in the same network range as that of MobSF VM IP.

Go to Wi-Fi Settings in MobSF VM and set the Proxy IP as the Host/Proxy IP which you have obtained from the previous step and port no as 1337.

Save the settings and Navigate to the Home Screen of MobSF VM. Wait for 30 seconds and save a snapshot of the MobSF VM in VirtualBox

Once the Snapshot is saved, right click MobSF VM and select Show in Explorer or Show in Finder.

Open the File MobSF_VM_X.X.vbox in any Text Editor and note down the VM UUID and Snapshot UUID.

Here the value of uuid is the VM UUID and currentSnapshot is the Snapshot UUID.

Now we have all the things needed to configure the Dynamic Analyzer (Host/Proxy IP, VM IP, VM UUID and Snapshot UUID)
Go to MobSF/settings.py and set the appropriate values as
- UUID = VM UUID
- SUUID = Snapshot UUID
- VM_IP = VM IP
- PROXY_IP = Host/Proxy IP
In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_VM" (default)
This will configure MobSF to use Android VirtualBox VM for Dynamic Analysis.

Configuring Dynamic Analyzer with with MobSF Android 4.1.2 arm Emulator

Make sure Android Studio is installed and an AVD is created. (Nexus 5 with Lollipop image is recommended)
Extract MobSF_ARM_Emulator.zip
Run scripts/mobsfy_AVD.py script and specify the directory that contains the files extracted from MobSF_ARM_Emulator.zip.
In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_AVD"
This will configure MobSF to use Android arm Emulator for Dynamic Analysis.

Manual Configuration (not recommended)

If mobsfy_AVD.py script is not running successfully, you need to set the values for AVD_EMULATOR and AVD_PATH in MobSF/settings.py manually.
Follow the README inside the emulator zip and change all the path fields according to your system
edit MobSF/settings.py and modify

AVD_EMULATOR = r'/Users/[USERNAME]/Library/Android/sdk/tools/emulator'
# This can be /Users/[USERNAME]/Library/Android/Sdk/emulator/emulator for newer versions of android SDK
 AVD_PATH = r'/Users/[USERNAME]/.android/avd'  # Path to the avd folder where you extracted the emulator

In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_AVD"

Configuring Dynamic Analyzer with Rooted Android 4.03 – 4.4 Device

MobSFy the Rooted Android Device, Follow the instructions here: Configure MobSF Dynamic Analysis Environment in Android Device
In MobSF/settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_REAL_DEVICE"
Set DEVICE_IP and DEVICE_ADB_PORT with the IP and PORT that you got from WiFi ADB

Configuring Dynamic Analyzer with Rooted Android 4.03 – 4.4 VM

MobSFy the Custom VM, Follow the instructions here: Configure MobSF Dynamic Analysis Environment in Custom VM
VM on Virtual Box: If the VM is hosted on VirtualBox, follow the same steps that you have followed for configuring MobSF x86 VirtualBox VM and set appropriate VM UUID, Snapshot UUID, Host/Proxy IP, VM IP and set ANDROID_DYNAMIC_ANALYZER = "MobSF_VM"
Any Other VM: Configure it as a Real device. Set ANDROID_DYNAMIC_ANALYZER = "MobSF_REAL_DEVICE" and specify DEVICE_IPand DEVICE_ADB_PORT. Snapshot feature is only available with VM(s) hosted in VirtualBox.

Updating MobSF

If you are updating MobSF, In most cases you might have to perform database migrations or you will see errors such as

[ERROR] Saving to DB (E:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 236 "static_db.save()"): table StaticAnalyzer_staticanalyzerandroid has no column named

Run the below command to migrate your db

python3 manage.py makemigrations
python3 manage.py migrate

If the above changes didn’t work, you might have to run clean.sh(present in scripts) in Mac/Linux. After that run the above commands.

NOTE: This will remove the previously saved scan results.

Disabled Components

Some components are disabled by default as they are experimental

APKiD

APKiD is disabled by default. Before enabling you will have to install the rednaga fork of yara-python.

git clone --recursive https://github.com/rednaga/yara-python-1 yara-python
cd yara-python
python3 setup.py build --enable-dex install

Enable APKiD in settings.py by setting APKID_ENABLED to True.

Running Tests

Basic Static Analyzer unit tests – run MobSF and navigate to http://127.0.0.1:8000/runtest/
MobSF REST API unit tests – run MobSF and navigate to http://127.0.0.1:8000/runapitest/