An open-source mobile security testing framework-MobSF

Source: Internet
Author: User


The Mobile Security Framework (MobSF) is an open-source, integrated, automated security testing framework for mobile apps (Android/iOS). It can perform static and dynamic analysis on both platforms (currently, dynamic analysis is supported only for Android).

It can audit and analyze application APK and IPA files, as well as zipped source code, effectively and quickly. In addition, MobSF's API Fuzzer module can test the security of the Web APIs an app talks to: it collects information, analyzes security headers, and identifies mobile-API vulnerabilities such as XXE, SSRF, path traversal, IDOR, and logic problems related to sessions and API call rate limits.

Running Environment

• Python 2.7: click Python 2.7.

• Oracle JDK 1.7 or later: click Oracle JDK;

• Oracle VirtualBox: click VirtualBox;

• Command-line tools (Mac) required for iOS IPA analysis (which must be run on a Mac): click Command-line tool;

• Hardware: 4 GB of memory or more and 5 GB of hard disk space.

Download

Latest Version of MobSF: MobSF;

MobSF VM 0.2 ova file: MobSF. VM.

Install

Currently, this framework has only been tested on Windows 7, 8, 8.1 and 10, Ubuntu, OS X Mavericks, and a few other platforms.

• Windows: extract the MobSF archive to C:\MobSF;

• Mac: extract the MobSF archive to /Users/[username]/MobSF;

• Linux: extract the MobSF archive to /home/[username]/MobSF.

Configure static analyzer

Install MobSF's Python dependencies through pip. The command differs by operating system:

Windows

 

C:\Python27\Scripts\pip.exe install -r requirements.txt

 

If pip.exe is not present in the Scripts directory, download and reinstall the latest version of Python 2.7.

Unix

 

pip install -r requirements.txt

 

Run MobSF

 

python manage.py runserver

To listen on a specific port instead of the default, pass the port number:

python manage.py runserver port_number

If the above steps succeed, the server starts and prints output like the following,

 

Configure a dynamic analyzer

Configure MobSF VM

Currently, the dynamic analyzer only supports analysis of Android APK files. The hardware requirement is a computer with 4 GB of memory and hardware virtualization support.

First, to configure the dynamic analyzer, we need to obtain the following information,
(1) VM UUID

(2) snapshot UUID

(3) host/Proxy IP Address

(4) VM/device IP Address

Procedure

1. Open VirtualBox (this document uses VirtualBox as an example), select File > Import Appliance, and choose the MobSF_VM_X.X.ova file downloaded earlier;

 

2. During the import process, do not change any configuration. Follow the default settings to go to the next step;

3. Once the OVA file is imported successfully, we will see a new entry named MobSF_VM_X.X in VirtualBox;

4. Right-click the MobSF VM and select Settings. On the Network tab, we need to configure two network adapters;

(1) Enable Adapter 1 and set "Attached to" to Host-only Adapter. Write down the adapter name, because we will use it later to identify the host/proxy IP address, as shown in the configuration;

(2) Enable Adapter 2 and set "Attached to" to NAT, as shown.


 

5. Save the preceding settings and start the MobSF VM. Once the VM is running, write down the VM IP address;

 

6. Once the VM has started, it stays on the lock screen; the default unlock password is 1234;


 

7. Obtain the host/Proxy IP Address

(1) Windows: run ipconfig at the command prompt and write down the IP address of the adapter whose name matches Adapter 1;

 

(2) Unix: run ifconfig in a terminal and write down the IP address of the interface whose name matches Adapter 1;

 

8. Then open the Wi-Fi settings in the MobSF VM and set the proxy to the host/proxy IP address obtained in the previous step, with port 1337;

 

9. Save the settings and return to the home screen of the MobSF VM. Wait about 30 seconds, then take a snapshot of the MobSF VM;

 

10. Once the snapshot is saved, right-click the MobSF VM and select "Show in Explorer" (Windows) or "Show in Finder" (Mac);

 

11. Open the MobSF_VM_X.X.vbox file in any text editor (Sublime Text is used here) and write down the VM UUID and the snapshot UUID;

 


We now have all the information required to configure the dynamic analyzer, as listed above:

(1) VM UUID

(2) snapshot UUID

(3) host/Proxy IP Address

(4) VM/device IP Address

12. Next, open the MobSF/settings.py file and set the following parameters,

(1) UUID = VM UUID

(2) SUUID = Snapshot UUID

(3) VM_IP = VM IP

(4) PROXY_IP = Host/Proxy IP

The following is a configuration sample,
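Step 11 asks you to read the two UUIDs out of the .vbox file by eye. The script below, an added example that is not part of MobSF or of the original article, does the same thing programmatically and renders the four settings.py assignments from step 12. It assumes the .vbox layout VirtualBox writes (an XML document whose Machine element carries the VM uuid, whose Snapshot elements carry snapshot uuids, and whose currentSnapshot attribute names the active one) and that MobSF reads the values as Python string assignments without the surrounding braces; the sample file contents and every UUID and IP address in it are constructed.

```python
"""Extract the VM UUID and snapshot UUID from a VirtualBox .vbox file and
render the four MobSF dynamic-analyzer settings (UUID, SUUID, VM_IP, PROXY_IP).

Added example; not MobSF's own code. Assumes the .vbox XML layout described
in the lead-in. All sample values below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a MobSF_VM_X.X.vbox file (UUIDs are made up).
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-linux">
  <Machine uuid="{11111111-2222-3333-4444-555555555555}" name="MobSF_VM_0.2"
           OSType="Linux26" snapshotFolder="Snapshots"
           currentSnapshot="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}">
    <Snapshot uuid="{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}" name="Snapshot 1"
              timeStamp="2016-01-01T00:00:00Z">
      <Hardware/>
    </Snapshot>
  </Machine>
</VirtualBox>
"""

UUID_RE = re.compile(r"^\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _local_name(tag):
    """Strip the XML namespace so lookups do not depend on the xmlns value."""
    return tag.rsplit("}", 1)[-1]


def _clean_uuid(value):
    """VirtualBox writes UUIDs in braces; MobSF's settings.py expects them bare."""
    m = UUID_RE.match((value or "").strip())
    if not m:
        raise ValueError("not a UUID: %r" % value)
    return m.group(1)


def extract_uuids(vbox_xml):
    """Return (vm_uuid, snapshot_uuid) from the text of a .vbox file.

    If the machine has several snapshots, the one named by the Machine
    element's currentSnapshot attribute is used; otherwise the first one.
    """
    root = ET.fromstring(vbox_xml)
    machine = next(el for el in root.iter() if _local_name(el.tag) == "Machine")
    vm_uuid = _clean_uuid(machine.get("uuid"))
    snapshots = [el for el in machine.iter() if _local_name(el.tag) == "Snapshot"]
    if not snapshots:
        raise ValueError("no snapshot found: save a snapshot of the MobSF VM first")
    chosen = snapshots[0]
    current = machine.get("currentSnapshot")
    if current:
        for snap in snapshots:
            if _clean_uuid(snap.get("uuid")) == _clean_uuid(current):
                chosen = snap
                break
    return vm_uuid, _clean_uuid(chosen.get("uuid"))


def render_settings(vm_uuid, snapshot_uuid, vm_ip, proxy_ip):
    """Render the four settings.py assignments in the order the article lists them."""
    for name, value in (("VM_IP", vm_ip), ("PROXY_IP", proxy_ip)):
        # Refuse to write anything that is not a dotted IPv4 address into settings.py.
        if not IPV4_RE.match(value):
            raise ValueError("%s must be an IPv4 address, got %r" % (name, value))
    return (
        "UUID = '%s'\n" % vm_uuid
        + "SUUID = '%s'\n" % snapshot_uuid
        + "VM_IP = '%s'\n" % vm_ip
        + "PROXY_IP = '%s'\n" % proxy_ip
    )


if __name__ == "__main__":
    # Constructed addresses: VM on the host-only network, host adapter at .1
    vm, snap = extract_uuids(SAMPLE_VBOX)
    print(render_settings(vm, snap, "192.168.56.101", "192.168.56.1"))
```

To use it on a real VM, replace SAMPLE_VBOX with the contents of your MobSF_VM_X.X.vbox file and pass the VM IP from step 5 and the host/proxy IP from step 7; the printed lines are what goes into MobSF/settings.py.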

 

Finally, restart the server. The following features are then available:

Static Analysis of Android APK

 

 

Static Analysis of iOS IPA

 

Dynamic Analysis of Android APK

 

 

 

Web API Fuzzer

 
