Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
We’ve been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-test and this process requires a lot of effort and time. Mobile Security Framework can be used for effective and fast security analysis of Android and iOS Applications. It supports binaries (APK & IPA) and zipped source code.
The static analyzer is able to perform automated code review, detect insecure permissions and configurations, and detect insecure code like ssl overriding, ssl bypass, weak crypto, obfuscated codes, improper permissions, hardcoded secrets, improper usage of dangerous APIs, leakage of sensitive/PII information, and insecure file storage. The dynamic analyzer runs the application in a VM or on a configured device and detects the issues at run time. Further analysis is done on the captured network packets, decrypted HTTPS traffic, application dumps, logs, error or crash reports, debug information, stack trace, and on the application assets like setting files, preferences, and databases. This framework is highly scalable that you can add your custom rules with ease. A quick and clean report can be generated at the end of the tests. This framework is expected to extend to support other mobile platforms like Tizen, WindowsPhone etc. in future.
Mobile Security Framework Requirements
- Python 2.7 – https://www.python.org/downloads/
- Oracle JDK 1.7 or above – http://www.oracle.com/technetwork/java/javase/downloads/
- Oracle VirtualBox – https://www.virtualbox.org/wiki/Downloads
- iOS IPA binary analysis requires MAC OS X and you need to install Command-line tools for MAC OS X http://osxdaily.com/2014/02/12/install-command-line-tools-mac-os-x/
- Hardware Requirements: Min 4GB RAM and 5GB HDD.
NOTE:
- On Linux and Mac, install Oracle Java 1.7 or above and make it the default one.
Installation
Tested on Windows 7, 8, 8.1, 10, Ubuntu, OSX Mavericks
- Windows: Extract the MobSF compressed file to C:\MobSF
- Mac: Extract MobSF compressed file to /Users/[username]/MobSF
- Linux: Extract MobSF compressed file to /home/[username]/MobSF
Configuring Static Analyzer
Install MobSF Python dependencies using pip
Windows
C:\Python27\Scripts\pip.exe install -r requirements.txt
NOTE: If pip.exe is not available in Scripts directory, Download and Re-install latest Python2.7.
Unix
pip.exe install -r requirements.txt
Running MobSF
python manage.py runserver
If you need to run on a specific port number try
python manage.py runserver PORT_NO
If everything goes right, you will get an output like the one below.
Configuring Dynamic Analyzer
Dynamic Anlayzer is available only for Android binaries (APK) and works only if your computer has at least 4GB of RAM and Full Virtualization support.
To Configure Dynamic Analyzer we need 4 things.
- VM UUID
- Snapshot UUID
- Host/Proxy IP
- VM/Device IP
Download MobSF and check their WIKI below
