Introduction to MobSF
You've just developed a mobile application (Android or iOS) and it's about time to go live. You are, however, required (by management, perhaps) to perform security tests to ensure that the new app is free of common application vulnerabilities and is safe to ship to production.
Or, in a bid to improve your pentesting skills, you want to delve into the world of mobile application testing. As you will find out, there are different approaches to testing mobile apps, and several tools available to make this easier.
We will consider one of these tools in this article: the Mobile Security Framework (MobSF).
MobSF is an open-source security application capable of performing static and dynamic analysis on mobile applications (Android and iOS), and it can be used for both pentesting and malware analysis (you can find the MobSF git repository here). It is one of the most widely used mobile application testing frameworks because of its ease of installation, easy-to-use graphical user interface, and testing effectiveness. As expected, MobSF can be installed on Windows, Unix and Mac hosts or virtual machines. For this demonstration, we will install MobSF on a Windows host and use it for static analysis of an Android application.
INSTALLATION REQUIREMENTS (Windows):
Before installing MobSF, install the following dependencies on the Windows host:
- Install Git from here
- Python 3.7: This is obtainable from the Python website
- Java JDK 8+ from here
- Visual Studio C++ Build Tools from here
- Install OpenSSL from here
- Install wkhtmltopdf: This is required to generate PDF reports and can be downloaded from here
- Add wkhtmltopdf to PATH: Steps given here
INSTALLING MOBSF
MobSF can be installed using the following short steps:
1) Clone the MobSF git repository on your Windows host by entering the following command in Command Prompt:
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
2) Navigate to the cloned MobSF directory
cd Mobile-Security-Framework-MobSF
3) Run the MobSF setup script
Setup.bat
NB: If you encounter errors, some of the dependencies may not have been installed correctly or completely.
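As an added example (not part of this article or of the MobSF project), a small Python pre-flight script that checks the dependencies listed above are on PATH and meet the stated minimum versions before the setup script is run; the tool names and minimums come from the list above, while the version-flag table and the parsing of `java -version` output are assumptions of this script.

```python
"""Pre-flight check for the MobSF Windows dependencies listed in the article."""
import re
import shutil
import subprocess
import sys
from typing import Dict, List, Tuple

# Tool -> (executable expected on PATH, arguments that print its version).
# Assumed mapping; the tool list itself is the article's dependency list.
REQUIRED_TOOLS: Dict[str, Tuple[str, List[str]]] = {
    "git": ("git", ["--version"]),
    "java": ("java", ["-version"]),               # JDK 8+ (prints to stderr)
    "openssl": ("openssl", ["version"]),
    "wkhtmltopdf": ("wkhtmltopdf", ["--version"]),  # needed for PDF reports
}
MIN_PYTHON = (3, 7)
MIN_JAVA_MAJOR = 8

def python_ok(version_info: Tuple[int, ...] = tuple(sys.version_info[:2])) -> bool:
    """True when the interpreter is at least the Python 3.7 the article asks for."""
    return tuple(version_info[:2]) >= MIN_PYTHON

def java_major(version_line: str) -> int:
    """Parse the major version from a `java -version` banner (0 if unparseable).
    Legacy '1.8.0_292' style means Java 8; '17.0.2' style means Java 17."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_line)
    if not m:
        return 0
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first

def tool_version(exe: str, args: List[str]) -> str:
    """Run `exe args` and return the first output line, or '' if exe is not on PATH."""
    path = shutil.which(exe)
    if path is None:
        return ""
    proc = subprocess.run([path, *args], capture_output=True, text=True)
    out = (proc.stdout or proc.stderr).strip()  # java -version writes to stderr
    return out.splitlines()[0] if out else ""

def missing_tools(found: Dict[str, str]) -> List[str]:
    """Given {tool: version line or ''}, return the tools that are not installed."""
    return sorted(name for name in REQUIRED_TOOLS if not found.get(name))

def preflight() -> Dict[str, str]:
    """Probe every required tool on this host and return its version banner."""
    return {name: tool_version(exe, args) for name, (exe, args) in REQUIRED_TOOLS.items()}

if __name__ == "__main__":
    found = preflight()
    problems = [f"missing: {t}" for t in missing_tools(found)]
    if not python_ok():
        problems.append(f"python {sys.version_info[:2]} < {MIN_PYTHON}")
    if found.get("java") and java_major(found["java"]) < MIN_JAVA_MAJOR:
        problems.append(f"java too old: {found['java']}")
    print("\n".join(problems) or "all MobSF dependencies found; run setup.bat")
```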
The installation is complete when you see this page:
RUNNING MOBSF
1) To use MobSF, start the application with the run script (from the MobSF directory in Command Prompt)
Run.bat
2) The MobSF user interface can be accessed in any browser via the loopback address on port 8000.
In your browser, enter "localhost:8000" or "127.0.0.1:8000".
The MobSF web homepage appears like this:
You can upload a file for analysis by dragging and dropping an Android APK or iOS app package, or by using the "Upload & Analyze" button.
The backend (Command Prompt) looks like this:
When MobSF completes the static analysis, it generates the summary report of findings shown below:
You can view details of the different findings by opening any of the sub-sections in the "Static Analyzer" widget.