Frequently Asked Question


6. MobSF (Mobile Security Framework) on Kali Linux

Last Updated 10 months ago

MobSF (Mobile Security Framework) is an open-source tool that performs both static and dynamic analysis of mobile applications. Static analysis examines the application's code and components without running it; dynamic analysis observes the app's behaviour while it runs inside an instrumented emulator. Using both gives a more complete assessment: static analysis catches what is visible in the package (hardcoded secrets, permissions, weak cryptography), and dynamic analysis catches what only shows up at runtime (the traffic the app actually sends, data it writes to storage, the APIs it calls).

# Static Analysis


Purpose:-

Examines the application's code, components, and configuration files to identify potential vulnerabilities without actually running the application.

How it works:-

MobSF analyzes .apk, .aab, .ipa files or source code to detect issues like hardcoded secrets, insecure data storage, improper cryptography, and risky permissions.

Benefits:-

Enables early identification of vulnerabilities before the app is deployed, saving time and resources in the long run.

Example:-

Detects if sensitive data like API keys or passwords are hardcoded in the app's source code.

Integration:-

Can be integrated into CI/CD pipelines to ensure security checks are performed regularly.

# Dynamic Analysis


Purpose:-

Analyzes the application's behavior while it's running, monitoring its network traffic, interactions, and runtime environment.

How it works:-

MobSF installs the application into an Android emulator that it has first prepared with its own agents and a Frida server, runs it, and records what it does, so you can capture network traffic, drive the app through its screens, and detect runtime issues such as sensitive data written to storage or sent to a server.

Benefits:-

Identifies vulnerabilities that might not be apparent during static analysis, such as insecure API calls or exposed data during runtime.

Example:-

Detects if the app is sending sensitive data over an unencrypted connection.

Limitations:-

Currently, MobSF's dynamic analysis targets emulators (Android Studio AVDs and Genymotion VMs); it does not support dynamic analysis on physical devices.

# Configure Static Analyzer


  1. Install git and a JDK (MobSF needs a Java runtime for the decompilers it bundles):-
  2. $ sudo apt update
    $ sudo apt install git default-jdk
  3. Install the build dependencies, then pyenv, and use it to install a Python version MobSF supports (3.10.13 here):-
  4. $ sudo apt update && sudo apt upgrade -y
    $ sudo apt install -y build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libxml2-dev libxmlsec1-dev libffi-dev liblzma-dev
    $ curl https://pyenv.run | bash
    $ echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
    $ echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
    $ echo 'eval "$(pyenv init -)"' >> ~/.bashrc
    $ source ~/.bashrc
    $ pyenv install 3.10.13
    $ pyenv global 3.10.13
    $ python3 -V

    Piping an installer straight into bash executes code you have not reviewed; download the pyenv.run script and read it first, or install a pinned pyenv release from its Git repository. pyenv is not an apt package on Kali, so do not expect `sudo apt install pyenv` to work; the installer above is what puts pyenv in place.
  5. Download and install MobSF:-
  6. $ git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
  7. Change working directory to Mobile-Security-Framework-MobSF:-
  8. $ cd Mobile-Security-Framework-MobSF
  9. Enter below command to proceed installation of MobSF:-
  10. $ ./setup.sh
  11. Change to your home directory and set up wkhtmltopdf, which MobSF uses to render PDF reports:-
  12. $ cd
    $ wget https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-3/wkhtmltox_0.12.6.1-3.bookworm_amd64.deb
    $ sudo dpkg -i wkhtmltox_0.12.6.1-3.bookworm_amd64.deb # wkhtmltopdf installation
    $ wkhtmltopdf -V
  13. Change working directory back to Mobile-Security-Framework-MobSF:-
  14. $ cd Mobile-Security-Framework-MobSF
  15. Enter below command to run MobSF services (binding to 127.0.0.1 keeps the web UI and its REST API off the network; only bind to 0.0.0.0 if you have changed the credentials and know who can reach the host):-
  16. $ ./run.sh 127.0.0.1:8000
  17. Open host web browser and navigate to http://127.0.0.1:8000
  18. Enter the username (the default is mobsf)
  19. Enter the password (the default is mobsf; override both by exporting MOBSF_USER and MOBSF_PASSWD before starting run.sh, and never leave the defaults on a host that others can reach)
  20. Click Sign In
  21. Drag and drop the .apk or click Upload & Analyze and choose the .apk file
  22. Wait until the assessment has completed
  23. Once the assessment has completed, click PDF Report to generate a softcopy or click Print Report to print a hardcopy


The MobSF app security score is a metric produced by the Static Analyzer as a quick indication of an application's security posture. It ranges from 0 to 100 (higher is better) and is accompanied by a risk grade from A to F.

Calculation of the MobSF Security Score:-

Starting Point:-

  • The initial score is set to 100.

Deductions:-

  • High Severity Issues: 15 points are deducted for each high-severity finding (e.g., cleartext traffic enabled for an app targeting API level 27 or lower).
  • Warning Severity Issues: 10 points are deducted for each warning-level finding.

Additions:-

  • Secure Items: 5 points are added for each secure item or best practice the analyzer detects.

Score Capping:-

  • If the calculated score exceeds 100, it is capped at 100.
  • If the calculated score falls below 0, the app is rated as critical.

The score is driven by the findings of the static analysis (vulnerabilities, misconfigurations and implemented best practices, mapped to CWE and OWASP references where applicable). Treat it as a triage aid for prioritising remediation rather than as proof of security: it counts findings, so a small app with few findings can outscore a hardened but feature-rich one, and it says nothing about issues that only dynamic analysis can surface.
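The CI/CD integration mentioned under Static Analysis and the scorecard described above can be driven without the browser through MobSF's REST API. The script below is an added example written for this page, not MobSF's own code: it uploads an APK, runs the static scan, fetches the scorecard and fails the build when the score is below a threshold or any high-severity finding is present, using only the Python standard library. Assumptions: the API key comes from the MOBSF_API_KEY environment variable (MobSF prints the key when run.sh starts and shows it on its /api_docs page), the endpoints are /api/v1/upload, /api/v1/scan and /api/v1/scorecard as documented there, and the scorecard keys read (security_score and the high list), the default thresholds and the helper names are this example's own choices.

```python
#!/usr/bin/env python3
"""Upload an APK to a running MobSF instance, wait for the static scan, fetch the
scorecard and exit non-zero if it fails a threshold (a CI gate).

Added example for this page; not MobSF's own code.  Endpoint paths follow MobSF's
/api_docs page; the scorecard keys used (security_score, high) and the default
thresholds are assumptions to adjust against your own instance.
"""
import argparse
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid


def encode_multipart(field: str, filename: str, data: bytes, boundary: str = ""):
    """Build a multipart/form-data body for one file field with the stdlib only.
    Returns (body, content_type)."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


class MobSFClient:
    """Thin wrapper around the three static-analysis endpoints the gate needs."""

    def __init__(self, base_url: str, api_key: str):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def _post(self, path: str, body: bytes, content_type: str) -> dict:
        # MobSF authenticates API calls with the raw key in the Authorization header.
        req = urllib.request.Request(
            self.base_url + path, data=body, method="POST",
            headers={"Authorization": self.api_key, "Content-Type": content_type})
        with urllib.request.urlopen(req, timeout=600) as resp:
            return json.loads(resp.read().decode())

    def _post_form(self, path: str, **fields: str) -> dict:
        body = urllib.parse.urlencode(fields).encode()
        return self._post(path, body, "application/x-www-form-urlencoded")

    def upload(self, apk_path: str) -> str:
        with open(apk_path, "rb") as fh:
            body, ctype = encode_multipart("file", os.path.basename(apk_path), fh.read())
        return self._post("/api/v1/upload", body, ctype)["hash"]

    def scan(self, file_hash: str) -> dict:
        # Synchronous: returns the full report JSON once the static scan has finished.
        return self._post_form("/api/v1/scan", hash=file_hash)

    def scorecard(self, file_hash: str) -> dict:
        return self._post_form("/api/v1/scorecard", hash=file_hash)


def gate(card: dict, min_score: int, max_high: int):
    """Decide pass/fail from a scorecard dict.  Missing keys count as failures rather
    than silently passing, so a changed API surface cannot green-light a build."""
    reasons = []
    score = card.get("security_score")
    if score is None:
        reasons.append("scorecard has no security_score")
    elif score < min_score:
        reasons.append(f"security_score {score} < {min_score}")
    high = card.get("high")
    if high is None:
        reasons.append("scorecard has no high-severity list")
    elif len(high) > max_high:
        reasons.append(f"{len(high)} high-severity findings > {max_high}")
    return (not reasons), reasons


def main(argv=None) -> int:
    p = argparse.ArgumentParser(description="MobSF static-scan CI gate (added example)")
    p.add_argument("apk")
    p.add_argument("--url", default=os.getenv("MOBSF_URL", "http://127.0.0.1:8000"))
    p.add_argument("--api-key", default=os.getenv("MOBSF_API_KEY"),
                   help="printed by run.sh at startup; also shown on /api_docs")
    p.add_argument("--min-score", type=int, default=60)   # assumed threshold
    p.add_argument("--max-high", type=int, default=0)     # assumed threshold
    a = p.parse_args(argv)
    if not a.api_key:
        p.error("set --api-key or MOBSF_API_KEY")
    client = MobSFClient(a.url, a.api_key)
    file_hash = client.upload(a.apk)
    client.scan(file_hash)
    card = client.scorecard(file_hash)
    ok, reasons = gate(card, a.min_score, a.max_high)
    print(json.dumps({"hash": file_hash, "security_score": card.get("security_score"),
                      "ok": ok, "reasons": reasons}, indent=2))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a pipeline step as `MOBSF_API_KEY=... python3 mobsf_gate.py app-release.apk --min-score 70`; the non-zero exit status fails the job. The gate deliberately treats a missing security_score or high list as a failure, because an API change or a truncated response should block a release rather than pass it.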


# Configure Dynamic Analyzer


  1. Enter below command to display the list of AVDs (the emulator binary lives in $ANDROID_HOME/emulator, so make sure that directory is on your PATH):-
  2. $ emulator -list-avds
  3. Based on the listed AVDs, choose one and enter below command to launch the device emulator. MobSF needs -writable-system so it can modify /system to install its agents, and the AVD must use a Google APIs (not Google Play) image, because Play images refuse adb root:-
  4. $ emulator -avd Pixel_3a_XL -writable-system -no-snapshot
  5. Once the emulator has launched, open its extended controls from the right-hand toolbar (the ... button)
  6. Go to Help > About
  7. Record the Emulator ADB serial number (for the first emulator instance this is normally emulator-5554), as this will be needed in the next step.
  8. On the terminal, enter below command to edit the config.py file (MobSF creates it in your home directory the first time it runs; do not use sudo, or the file ends up owned by root):-
  9. $ nano ~/.MobSF/config.py
  10. Edit below line:-
  11. ANALYZER_IDENTIFIER = os.getenv('MOBSF_ANALYZER_IDENTIFIER', '')
    
    to
    
    ANALYZER_IDENTIFIER = os.getenv('MOBSF_ANALYZER_IDENTIFIER', 'emulator-5554')
    
    Alternatively, leave config.py untouched and export MOBSF_ANALYZER_IDENTIFIER=emulator-5554 in the shell that starts run.sh; as the line shows, the environment variable takes precedence over the default written in the file.
  12. Press Ctrl + o then Ctrl + x to save and exit the file.
  13. Change working directory to Mobile-Security-Framework-MobSF:-
  14. $ cd Mobile-Security-Framework-MobSF
  15. If the emulator is not already running from step 4 (or you closed it), start it with MobSF's helper script, which launches the AVD with the flags MobSF expects:-
  16. $ scripts/start_avd.sh Pixel_3a_XL # replace with your AVD name
  17. Once the device emulator is up and running, restart ADB (Android Debug Bridge) and confirm that the emulator is listed, in the "device" state, under the serial you recorded:-
  18. $ adb kill-server
    $ adb start-server
    $ adb devices

    A locally started Android Studio emulator registers itself with adb, so no adb connect is needed; adb connect is for network-attached devices such as Genymotion VMs. Note also that 5554 is the emulator's console port and its adb port is 5555, so adb connect 127.0.0.1:5554 would not attach emulator-5554 in any case.
  19. Enter below command to run MobSF services:-
  20. $ ./run.sh 127.0.0.1:8000
  21. Open host web browser and navigate to http://127.0.0.1:8000
  22. Click DYNAMIC ANALYZER
  23. On the "MobSF Dynamic Analyzer" page, click Android Dynamic Analyzer
  24. Upon successful connection with the emulator, the page should display the correct Android version and SDK level under Detected Android Version
  25. Click MobSFy Android Runtime
  26. On the MobSFy Android Runtime page, click MobSFy! and once completed, the Status will be displayed as per below:-
    MobSFying Android Runtime
    
    Successfully created MobSF Dynamic Analysis environment.
    MobSF agents and Frida server installed.
  27. The .apk previously uploaded for Static Analysis should be shown in the Apps Available table, while the Apps in Device table is empty.
  28. Click Start Dynamic Analysis on the preferred .apk in the Apps Available table.
  29. If the above method fails, install the app manually from the terminal (the emulator must appear in adb devices first):-
  30. $ adb install example.apk
  31. Once the installation has completed, in the same directory enter below command again (only needed if you stopped MobSF in the meantime):-
  32. $ ./run.sh 127.0.0.1:8000
  33. Reload the host web browser and the .apk file should be available in the Apps in Device table
  34. Then, click Start Dynamic Analysis on the .apk in the Apps in Device table
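Most failures in the dynamic-analyzer setup above come from three causes: MobSF pointed at the wrong serial, an emulator image on which adb root is refused, or an emulator that was never started. The pre-flight script below is an added example written for this page, not part of MobSF: it parses `adb devices`, derives the identifier MobSF expects (honouring MOBSF_ANALYZER_IDENTIFIER if already set), shows why the serial and the adb port differ, checks that the target is a QEMU image on which `adb root` succeeds, and prints the export line to use before run.sh. Assumptions: the helper names are the example's own, and the system properties queried (ro.build.version.sdk, ro.build.version.release, ro.kernel.qemu and ro.boot.qemu) are standard Android properties that are present on current emulator images.

```python
#!/usr/bin/env python3
"""Pre-flight check for the MobSF Android Dynamic Analyzer.

Added example for this page, not MobSF's own code.  The parsing helpers are pure
functions so they can be exercised offline; only main() talks to a real adb.
"""
import os
import re
import subprocess
import sys

DEVICE_LINE = re.compile(r"^(\S+)\s+(device|offline|unauthorized|no permissions)\b")
EMULATOR_SERIAL = re.compile(r"^emulator-(\d+)$")


def parse_adb_devices(output: str) -> dict:
    """Map serial -> state from `adb devices` output, skipping the header and daemon
    start-up chatter ('* daemon not running ...')."""
    devices = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        m = DEVICE_LINE.match(line)
        if m:
            devices[m.group(1)] = m.group(2)
    return devices


def emulator_ports(serial: str) -> tuple:
    """For emulator-NNNN, NNNN is the console port and adb listens on NNNN + 1.
    This is why `adb connect 127.0.0.1:5554` never attaches emulator-5554."""
    m = EMULATOR_SERIAL.match(serial)
    if not m:
        raise ValueError(f"not an Android Studio emulator serial: {serial!r}")
    console = int(m.group(1))
    return console, console + 1


def pick_identifier(devices: dict, wanted: str = "") -> str:
    """Choose the serial MobSF should talk to.  An explicitly requested serial must
    be listed and online; otherwise take the first online emulator-* device."""
    if wanted:
        state = devices.get(wanted)
        if state != "device":
            raise RuntimeError(f"{wanted} is {state or 'not listed'}; expected 'device'")
        return wanted
    for serial, state in devices.items():
        if state == "device" and EMULATOR_SERIAL.match(serial):
            return serial
    raise RuntimeError("no online emulator-* device; start the AVD first")


def adbd_root_ok(root_output: str) -> bool:
    """Interpret the text printed by `adb root`.  Google Play images answer 'adbd
    cannot run as root in production builds'; MobSF needs an image where it works."""
    text = root_output.lower()
    if "cannot run as root" in text:
        return False
    return "restarting adbd as root" in text or "already running as root" in text


def adb(serial: str, *args: str) -> str:
    """Run adb against one serial and return its combined output (real call)."""
    proc = subprocess.run(["adb", "-s", serial, *args], capture_output=True, text=True)
    return (proc.stdout + proc.stderr).strip()


def main() -> int:
    listing = subprocess.run(["adb", "devices"], capture_output=True, text=True,
                             check=True).stdout
    serial = pick_identifier(parse_adb_devices(listing),
                             os.getenv("MOBSF_ANALYZER_IDENTIFIER", ""))
    console, adb_port = emulator_ports(serial)
    sdk = adb(serial, "shell", "getprop", "ro.build.version.sdk")
    release = adb(serial, "shell", "getprop", "ro.build.version.release")
    # Older images set ro.kernel.qemu, newer ones ro.boot.qemu; accept either.
    is_emulator = "1" in (adb(serial, "shell", "getprop", "ro.kernel.qemu"),
                          adb(serial, "shell", "getprop", "ro.boot.qemu"))
    root_ok = adbd_root_ok(adb(serial, "root"))
    print(f"serial={serial} console_port={console} adb_port={adb_port}")
    print(f"android={release} sdk={sdk} emulator={is_emulator} adb_root={root_ok}")
    if not (is_emulator and root_ok):
        print("use a Google APIs (non-Play) AVD started with -writable-system",
              file=sys.stderr)
        return 1
    print(f"export MOBSF_ANALYZER_IDENTIFIER={serial}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it after `adb devices` shows the emulator and before `./run.sh`; a non-zero exit means MobSFy would fail anyway, and the message tells you whether the problem is the serial, the image, or a missing emulator.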

