MobSF: Complete Guide to Android App Security Analysis

Mobile applications handle sensitive user data, financial transactions, and personal communications, making them prime targets for attackers. Mobile Security Framework (MobSF) is an automated, all-in-one mobile application security testing framework that can perform static and dynamic analysis on Android, iOS, and Windows mobile apps. In this comprehensive guide, we’ll focus on using MobSF for Android application security analysis.

What is MobSF?

MobSF (Mobile Security Framework) is an open-source, intelligent, automated pen-testing framework capable of performing both static and dynamic analysis on mobile applications. Developed by Ajin Abraham, MobSF has become the industry standard for mobile application security assessment.

The framework can analyze Android APK, AAB, and source code, iOS IPA and source code, as well as Windows APPX packages. It provides detailed security reports covering everything from hardcoded credentials to insecure data storage, cryptographic weaknesses, and vulnerable components.

Key Features

• Static Analysis - Decompile and analyze app code without running it
• Dynamic Analysis - Real-time analysis of running applications
• Malware Analysis - Detect malicious behavior and patterns
• Web API Testing - Analyze API endpoints and responses
• Comprehensive Reporting - Detailed PDF and JSON reports
• REST API - Integrate into CI/CD pipelines

Installation and Setup

MobSF can be installed in several ways. The Docker installation is the quickest and most reliable method.

Method 1: Docker Installation (Recommended)

The easiest way to get MobSF up and running:

# Pull the latest MobSF image
docker pull opensecurity/mobile-security-framework-mobsf:latest

# Run MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Access MobSF at http://localhost:8000 in your browser.

Method 2: Manual Installation

For Linux/macOS users who prefer a native installation:

# Install dependencies
sudo apt-get update
sudo apt-get install -y git python3 python3-pip openjdk-11-jdk

# Clone MobSF repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

# Install Python requirements
pip3 install -r requirements.txt

# Run setup script
./setup.sh

# Start MobSF
./run.sh

Initial Configuration

On first run, MobSF will generate an API key. Save this key if you plan to use the REST API for automation.

Static Analysis of Android Apps

Static analysis examines the application code without executing it, uncovering vulnerabilities in the codebase, configuration, and resources.

Uploading an APK

Getting started with static analysis is straightforward:

1. Navigate to http://localhost:8000
2. Click “Upload” or drag and drop your APK file
3. MobSF will automatically begin analysis
4. Wait for the analysis to complete (typically 2-5 minutes)

Understanding the Static Analysis Report

MobSF’s static analysis provides comprehensive insights into various security aspects:

1. Application Information

• Package name, version, and target SDK
• Permissions requested and their risk levels
• App components (Activities, Services, Receivers, Providers)
• Signing certificate information

2. Security Analysis

MobSF checks for common security issues including:

• Insecure data storage
• Weak cryptography
• Hardcoded secrets (API keys, passwords)
• Certificate pinning implementation
• Debug mode enabled
• Backup settings
• Network security configuration
• Code obfuscation status

3. Code Analysis

The framework performs deep code inspection:

• Decompiled Source Code - Browse and search through decompiled Java/Kotlin code
• Dangerous APIs - Identifies use of potentially dangerous methods
• URL and Domains - Extracts all URLs and domains from the app
• Email Addresses - Finds embedded email addresses
• Strings - Extracts all readable strings from the binary

4. Manifest Analysis

MobSF thoroughly analyzes the AndroidManifest.xml:

• Exported components that could be exploited
• Intent filters and their security implications
• Insecure permission settings
• Backup and debugging flags

Practical Example: Finding Hardcoded Secrets

One of the most common vulnerabilities is hardcoded API keys. Here’s how MobSF helps identify them:

1. Upload your APK to MobSF
2. Navigate to the “Code Analysis” section
3. Check the “Hardcoded Secrets” subsection
4. MobSF will highlight potential API keys, tokens, and passwords

Example findings:

- AWS API Key: AKIAIOSFODNN7EXAMPLE
- Firebase URL: https://myapp-12345.firebaseio.com
- Hardcoded Password: "admin123" in LoginActivity.java

Dynamic Analysis

Dynamic analysis involves running the application in a controlled environment and monitoring its behavior in real-time. This is crucial for identifying runtime vulnerabilities.

Setting Up Dynamic Analysis

MobSF supports dynamic analysis using either an Android emulator or a rooted physical device:

Option 1: Using Genymotion (Recommended)

# Download and install Genymotion
# Create an Android VM (Android 7.0 or higher recommended)
# Configure MobSF to use Genymotion

# In MobSF settings:
1. Go to "Dynamic Analyzer" settings
2. Configure Genymotion VM name
3. Ensure ADB can connect to the emulator

Option 2: Using Android Studio Emulator

# Create an AVD without Google Play
avd create avd -n MobSF_AVD -k "system-images;android-29;default;x86_64"

# Launch the emulator
emulator -avd MobSF_AVD -writable-system

Performing Dynamic Analysis

1. Ensure your emulator or device is running and connected
2. In MobSF, click “Dynamic Analyzer” for your uploaded APK
3. MobSF will install the app and instrumentation tools
4. Interact with the app through the web interface
5. MobSF captures network traffic, API calls, and runtime behavior

Dynamic Analysis Capabilities

During dynamic analysis, MobSF monitors and captures:

• Network Traffic - HTTP/HTTPS requests and responses via built-in proxy
• Exported Activity Testing - Automatically test exported activities for vulnerabilities
• File System Changes - Track files created, modified, or deleted
• Logcat Logs - Capture system and application logs
• Database Operations - Monitor SQLite database activities
• Clipboard Data - Detect sensitive data in clipboard

Practical Example: API Traffic Analysis

Here’s how to analyze API calls made by an Android app:

1. Start dynamic analysis for your target app
2. Navigate to the “Frida Logs” or “Network Traffic” section
3. Perform actions in the app (login, data submission, etc.)
4. Review captured API endpoints, parameters, and responses

Example captured traffic:

POST https://api.example.com/v1/login
Headers:
  Content-Type: application/json
  User-Agent: MyApp/1.0
Body:
  {"username": "user@email.com", "password": "plaintext123"}
  
Issues found:
- Password transmitted in plaintext
- Missing certificate pinning
- No authentication token expiration

Advanced Features

REST API for Automation

Integrate MobSF into your CI/CD pipeline using its REST API:

# Upload and scan an APK via API
curl -X POST http://localhost:8000/api/v1/upload \
  -H "Authorization: YOUR_API_KEY" \
  -F "file=@/path/to/app.apk"

# Get scan results
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Authorization: YOUR_API_KEY" \
  -d "hash=<file_hash>"

# Generate PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
  -H "Authorization: YOUR_API_KEY" \
  -d "hash=<file_hash>" \
  -o report.pdf

Comparing Multiple Scans

MobSF allows you to compare different versions of the same app:

1. Upload and scan multiple versions of your app
2. Use the comparison feature to identify new vulnerabilities
3. Track security improvements over time

Custom Rules and Patterns

Create custom security rules for organization-specific requirements:

# Add custom patterns in MobSF/settings.py
CUSTOM_SECRETS = {
    'Company API Key': r'company_key_[a-zA-Z0-9]{32}',
    'Internal Token': r'internal_token=[a-zA-Z0-9]+',
}

# Add custom permission checks
CUSTOM_PERMISSIONS = {
    'com.company.dangerous.PERMISSION': 'Dangerous - Company specific permission',
}

Common Vulnerabilities Discovered

Based on real-world MobSF scans, here are the most common Android security issues:

1. Insecure Data Storage

// Vulnerable code found in SharedPreferences
SharedPreferences prefs = getSharedPreferences("user_data", MODE_WORLD_READABLE);
prefs.edit().putString("password", userPassword).apply();

// Issue: Password stored in plaintext, accessible by other apps

2. Insufficient Transport Security

// No certificate pinning or SSL validation
TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }
};

3. Exported Components

<!-- Vulnerable manifest entry -->
<activity android:name=".SecretActivity"
          android:exported="true">
    <intent-filter>
        <action android:name="com.example.SECRET_ACTION"/>
    </intent-filter>
</activity>

<!-- Can be exploited by any app to access SecretActivity -->

Best Practices for Using MobSF

1. Regular Scanning - Integrate MobSF into your development lifecycle, not just before release
2. Baseline First - Scan apps early in development to establish security baselines
3. Prioritize Findings - Focus on high and critical severity issues first
4. Verify Manually - Automated tools can produce false positives; verify findings
5. Dynamic + Static - Always perform both types of analysis for comprehensive coverage
6. Keep Updated - Regularly update MobSF to get latest vulnerability signatures
7. Test Third-Party SDKs - Analyze libraries and SDKs bundled with your app
8. Document Remediation - Track how vulnerabilities were fixed

Integrating MobSF into DevSecOps

Make security testing part of your automated pipeline:

// Example Jenkins pipeline script
pipeline {
    agent any
    stages {
        stage('Build APK') {
            steps {
                sh './gradlew assembleRelease'
            }
        }
        stage('MobSF Security Scan') {
            steps {
                script {
                    // Upload to MobSF
                    def response = sh(
                        script: """
                            curl -F "file=@app/build/outputs/apk/release/app-release.apk" \
                            -H "Authorization: ${MOBSF_API_KEY}" \
                            http://mobsf:8000/api/v1/upload
                        """,
                        returnStdout: true
                    )
                    
                    // Fail build if critical issues found
                    if (response.contains('"severity": "high"')) {
                        error "Critical security issues detected!"
                    }
                }
            }
        }
    }
}

Remediation Guidance

MobSF identifies issues, but fixing them is crucial. Here are quick remediation tips for common findings:

For Hardcoded Secrets

// Instead of hardcoding
String apiKey = "sk_live_abc123xyz";

// Use BuildConfig or environment variables
String apiKey = BuildConfig.API_KEY;

// Or secure storage
String apiKey = getSecureString("api_key");

For Insecure Network Configuration

<!-- res/xml/network_security_config.xml -->
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.yourdomain.com</domain>
        <pin-set>
            <pin digest="SHA-256">your-cert-pin-hash</pin>
        </pin-set>
    </domain-config>
</network-security-config>

For Exported Components

<!-- Set exported="false" for internal components -->
<activity android:name=".InternalActivity"
          android:exported="false"/>

<!-- Use permissions for components that must be exported -->
<activity android:name=".ProtectedActivity"
          android:exported="true"
          android:permission="com.yourapp.permission.RESTRICTED"/>

Real-World Impact

MobSF has been instrumental in discovering vulnerabilities across thousands of applications:

• Identified data leakage in popular banking apps
• Uncovered hardcoded credentials in healthcare applications
• Found insecure storage in e-commerce platforms
• Detected malicious behavior in repackaged apps

Case Study: A financial services company used MobSF to scan their mobile banking app before release. The scan revealed hardcoded AWS credentials in the app’s source code that could have led to a major data breach. The issue was fixed before deployment, potentially saving millions in damages and reputation loss.

Conclusion

Mobile Security Framework (MobSF) is an indispensable tool for Android app security analysis. Its comprehensive static and dynamic analysis capabilities, combined with an easy-to-use interface and automation features, make it perfect for developers, security professionals, and penetration testers alike.

By incorporating MobSF into your development workflow, you can identify and fix security vulnerabilities before they reach production, protecting both your users and your organization from potential security breaches.

Remember that security is not a one-time check but an ongoing process. Regular scans, staying updated with the latest security practices, and combining automated tools like MobSF with manual security reviews will give you the best protection.

Security Tip: Never test mobile apps on production infrastructure or with real user data. Always use isolated environments, test accounts, and sanitized datasets to prevent accidental data exposure or service disruption.

Ready to secure your Android applications? Start using MobSF today and make mobile security an integral part of your development process. Want to master mobile application security testing and advance your skills? Contact CyberBros Security for professional training and upskilling programs in mobile security and penetration testing.