Mobile Security Framework for Android
Links:
https://github.com/MobSF/Mobile-Security-Framework-MobSF
https://mobsf.github.io/docs/#/
Starting MobSF
To run the application:
- Change into the Mobile-Security-Framework-MobSF directory
- Launch the app by executing the run.sh script
- Open a web browser to http://localhost:8000
Analyzing the APK
To start the analysis of the APK, drag and drop the APK file onto the MobSF page open in the web browser. It may take several minutes for the analysis to complete.
Information
Once the analysis is complete, the app takes you to the "Information" section. This provides basic information about the app, plus a security score and third-party tracker information.
MobSF Scorecard
One item in the Information section is the MobSF Scorecard. It outlines the security score, risk rating, and privacy risk, and gives a quick view of the app's attack surface.
In the upper right corner, there is a PDF icon to save the Scorecard as a PDF.
Android Components
One thing to look for is which of the app's components are exported. MobSF makes this easy. Make a note of the exported components for ideas on how they can be exploited later on.
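MobSF derives its exported-component list from the app's AndroidManifest.xml. The script below is an added example (not MobSF code) that applies the same rule to a constructed manifest so the reasoning is visible: a component with android:exported set is exported only if the value is "true"; a component without the attribute is implicitly exported when it declares at least one intent-filter (the historical Android default, which targetSdk 31+ no longer allows). The manifest, package name and component names are all made up for the example.

```python
"""List the components of an Android manifest that other apps can reach.

Added example, not part of MobSF: it reproduces the exported-component
rule that MobSF's "Android Components" view reports, on a constructed
manifest so it runs offline.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (package and class names are invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Return True if a component element is reachable by other apps.

    Uses the modern default: without android:exported, only components
    that declare an <intent-filter> are exported. (Providers in apps with
    minSdk below 17 defaulted to exported; that legacy case is not modelled.)
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Parse a manifest string and return the exported components.

    Each entry is (tag, name, implicit, permission): 'implicit' is True when
    the component is exported only because of an intent filter, the case
    reviewers most often miss; 'permission' is the guarding permission, if any.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    results = []
    if app is None:
        return results
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        results.append((
            comp.tag,
            _attr(comp, "name"),
            _attr(comp, "exported") is None,
            _attr(comp, "permission"),
        ))
    return results


if __name__ == "__main__":
    for tag, name, implicit, perm in exported_components(SAMPLE_MANIFEST):
        why = "implicit via intent-filter" if implicit else "android:exported=true"
        print(f"{tag:<10} {name:<20} {why:<28} [{perm or 'no permission'}]")
```

Running it lists MainActivity, DeepLinkActivity and BootReceiver as implicitly exported, SyncService as explicitly exported but guarded by a permission, and omits SettingsActivity and DataProvider. For a real APK, the binary manifest must first be decoded (MobSF does this for you) before it can be parsed as XML.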
Security Analysis
MobSF has a Security Analysis section that summarizes findings about the app's configuration and from its binary analysis.
Certificate Analysis
The certificate analysis checks the signature scheme versions used to sign the app for known weaknesses. For example, under certain circumstances the app could be vulnerable to the Janus vulnerability. It also evaluates whether the app is signed with a code-signing certificate.