Ajin Abraham
Android and iOS Application
Security with MobSF
Mobile Application Security simplified
#whoami
• Senior Application Security Engineer @ Chime Financial
• Application Security & Security Engineering ~10 years
• Authored a couple of open source security projects
• MobSF, nodejsscan, OWASP Xenotix etc.
• Published research at Hack In Paris, Hack In the Box, PHDays, OWASP
AppSec, Blackhat Arsenal, Nullcon etc.
• Security Blog: ajinabraham.com
Consultancy: opensecurity.ca
Disclaimer: All images used in this presentation belong to their respective owners.
What is MobSF?
Free & Open Source Mobile Application Security tool
• Shipped as dockerized Python Django web application.
• Supports all the popular binary and source code formats.
• Supports Dynamic Analysis & Instrumented Security testing with popular
emulators and virtual machines.
History & Stats
MobSF Timeline
• Open Source, licensed under GPL v3.
• Started out in Dec 2014 as automation for repetitive tasks at work.
• Today we have contributors (90+) from all over the world.
• Actively developed and maintained.
• Free Slack Community Support Channel.
• 1450+ closed issues, 870+ pull requests, 44 releases.
Before MobSF
How do I analyze Mobile applications in-house?
• Static Analysis:
• Different tools for decompiling, disassembling, SAST, converting, reporting
• Convert binary files to readable formats (ex: Binary XML/PLIST -> Text XML/PLIST)
• Disassemble & Decompile (ex: APK (DEX) -> JAR -> SMALI/JAVA)
• Binary Analysis of MachO/ELF/DEX/.so/.dylib
• Specialized tools for parsing and data extraction
• SAST, SCA, Secret Scanning etc. on code and configuration files
• Dynamic Analysis:
• Configuring a rooted or jailbroken device/virtual machine
• Configure HTTPS proxy and install certificates
• Bypass TLS/cert pinning, root detection, anti-debug checks
• Install and set up instrumentation tools
• Log analysis, memory analysis, file system analysis.
After MobSF
Tada 🎉!
Target Audience
How can MobSF help you?
• Developers: Identify security issues as and when applications are being
developed.
• Security Engineers/Pentesters: Perform interactive security assessment of
Mobile apps.
• DevSecOps Engineers: Integrate MobSF in your CI/CD pipeline for shift left
coverage.
• Malware Analysts: Identify malicious behaviour, patterns in code and at runtime.
• Layman: Anyone who is concerned about the privacy and security of the mobile
applications they are using.
How does it work?
Static Analysis
[INFO] 14/Jun/2024 20:21:05 - MIME Type: application/vnd.android.package-archive FILE: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Performing Static Analysis of Android APK
[INFO] 14/Jun/2024 20:21:05 - Scan Hash: 6ea61e5468c39ef4b9650661849a843e
[INFO] 14/Jun/2024 20:21:05 - Starting Analysis on: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Generating Hashes
[INFO] 14/Jun/2024 20:21:05 - Unzipping
[INFO] 14/Jun/2024 20:21:05 - APK Extracted
[INFO] 14/Jun/2024 20:21:05 - Getting Hardcoded Certificates/Keystores
[INFO] 14/Jun/2024 20:21:05 - Getting AndroidManifest.xml from APK
[INFO] 14/Jun/2024 20:21:05 - Converting AXML to XML
[INFO] 14/Jun/2024 20:21:07 - Parsing AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Parsing APK with androguard
[INFO] 14/Jun/2024 20:21:07 - Starting analysis on AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Extracting Manifest Data
[INFO] 14/Jun/2024 20:21:07 - Performing Static Analysis on: Beetlebug (app.beetlebug)
[INFO] 14/Jun/2024 20:21:07 - Fetching Details from Play Store: app.beetlebug
[INFO] 14/Jun/2024 20:21:07 - Manifest Analysis Started
[INFO] 14/Jun/2024 20:21:08 - App Link Assetlinks Check - [app.beetlebug.ctf.DeeplinkAccountActivity] https://beetlebug.com
[INFO] 14/Jun/2024 20:21:08 - Checking for Malware Permissions
[INFO] 14/Jun/2024 20:21:08 - Fetching icon path
[INFO] 14/Jun/2024 20:21:08 - Library Binary Analysis Started
[INFO] 14/Jun/2024 20:21:08 - Reading Code Signing Certificate
[INFO] 14/Jun/2024 20:21:08 - Getting Signature Versions
[INFO] 14/Jun/2024 20:21:08 - Running APKiD 2.1.5
[INFO] 14/Jun/2024 20:21:10 - Trackers Database is up-to-date
[INFO] 14/Jun/2024 20:21:10 - Detecting Trackers
[INFO] 14/Jun/2024 20:21:12 - APK -> JAVA
[INFO] 14/Jun/2024 20:21:12 - Decompiling to Java with jadx
[INFO] 14/Jun/2024 20:21:20 - DEX -> SMALI
[INFO] 14/Jun/2024 20:21:20 - Converting classes9.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes8.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes11.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes10.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes3.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes2.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes6.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes7.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes5.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes4.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Code Analysis Started on - java_source
[INFO] 14/Jun/2024 20:22:03 - Android SAST Completed
[INFO] 14/Jun/2024 20:22:03 - Android API Analysis Started
[INFO] 14/Jun/2024 20:22:47 - Android Permission Mapping Started
[INFO] 14/Jun/2024 20:22:53 - Android Permission Mapping Completed
[INFO] 14/Jun/2024 20:22:53 - Finished Code Analysis, Email and URL Extraction
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from APK
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from Source Code
[INFO] 14/Jun/2024 20:22:54 - Detecting Firebase URL(s)
[INFO] 14/Jun/2024 20:22:55 - Performing Malware Check on extracted Domains
[INFO] 14/Jun/2024 20:22:55 - Maltrail Database is up-to-date
[INFO] 14/Jun/2024 20:22:56 - Saving to Database
Pipeline stages (annotations shown alongside the log above):
• Extract app binary, generate hashes
• Convert Plist/Manifest files; analyze Plist/Manifest files for vulnerabilities and misconfigurations; analyze application permissions, network configurations and IPC configurations
• Perform binary analysis on shared/dynamic libs; run specialized binary analysis tools against the application; identify privacy concerns such as trackers
• Convert binaries to human-readable code formats; decompile the code to SAST-friendly languages
• SAST, API analysis and permission mapping
• Information gathering, secrets and other sensitive data extraction; geolocation, malicious domain check
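The manifest stage above flags misconfigurations such as debuggable builds and components exposed over IPC. The script below is an added example of that kind of check written from scratch (it is not MobSF's code and does not reproduce its rule set or severities); the manifest it parses is a constructed text XML, standing in for the AXML that MobSF first converts, and the component names are borrowed from the Beetlebug log only to keep the sample recognisable:

```python
"""Manifest misconfiguration checks of the kind run in the "Manifest Analysis"
stage.  Added example, not MobSF's code; SAMPLE_MANIFEST is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest (already converted from binary AXML to text XML)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="app.beetlebug">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:debuggable="true" android:allowBackup="true"
      android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ctf.DeeplinkAccountActivity" android:exported="true">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="beetlebug.com"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="app.beetlebug.permission.SYNC"/>
    <provider android:name=".UserProvider"
        android:authorities="app.beetlebug.users" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Effective export state: an explicit android:exported wins; without it, a
    component that declares an intent-filter is exported by default (the
    pre-Android 12 rule that makes implicit exports easy to miss)."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    return any(attr(cat, "name") == LAUNCHER for cat in component.iter("category"))


def analyze_manifest(xml_text):
    """Return a list of {severity, component, issue} findings."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []

    def add(severity, component, issue):
        findings.append({"severity": severity, "component": component, "issue": issue})

    # Application-wide flags (allowBackup is only flagged when set explicitly)
    if attr(app, "debuggable") == "true":
        add("high", "application", "android:debuggable=true (a debugger can attach to the app)")
    if attr(app, "allowBackup") == "true":
        add("warning", "application", "android:allowBackup=true (app data can be pulled with adb backup)")
    if attr(app, "usesCleartextTraffic") == "true":
        add("warning", "application", "android:usesCleartextTraffic=true (plain HTTP allowed)")

    # IPC surface: components reachable by other apps without holding a permission
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            if attr(comp, "permission"):
                continue  # exported, but callers must hold the declared permission
            how = "explicitly" if attr(comp, "exported") is not None else "implicitly via intent-filter"
            severity = "high" if tag == "provider" else "warning"
            add(severity, attr(comp, "name"), "%s exported %s without a permission" % (tag, how))
    return findings


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print("[%s] %s: %s" % (f["severity"].upper(), f["component"], f["issue"]))
```

Note the `BootReceiver` case: it has no `android:exported` attribute at all, yet it is reachable by any app because the intent-filter makes it exported by default. A grep for `exported="true"` misses it, which is why the check reasons about the effective state rather than the literal attribute.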
DEMO: Static Analysis
Android SAST
AppSec Scorecard
iOS SAST
How does it work?
Dynamic Analysis
[Architecture diagram] Android APK / iOS IPA -> Rooted Android VM or Jailbroken iOS VM (local, or via the Corellium API) -> MobSF Agents, Scripts/Helpers, HTTPS Proxy -> Report, Logs, Raw data
DEMO: Dynamic Analysis
Dynamic Analyzer
Report Generation
DEMO: Deeplink Exploitation
Static Analysis
Dynamic Verification
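The static analysis log earlier records an "App Link Assetlinks Check" for `app.beetlebug.ctf.DeeplinkAccountActivity` and the host `https://beetlebug.com`. The snippet below is an added example of that Digital Asset Links verification done by hand, not MobSF's implementation of the check: it takes the statement that would be served from `https://<host>/.well-known/assetlinks.json` and confirms that it names both the package and the app's signing certificate. The statement and the certificate bytes are constructed here so the example runs offline; in a real assessment the fingerprint comes from the APK's signing certificate.

```python
"""Digital Asset Links check for an Android App Link host, the step MobSF logs as
"App Link Assetlinks Check".  Added example, not MobSF's code.  SAMPLE_ASSETLINKS
and FAKE_CERT_DER are constructed stand-ins."""
import hashlib
import json

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER-encoded signing certificate, rendered in the uppercase
    colon-separated form used in assetlinks.json."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for the app's signing certificate (not a real DER blob)
FAKE_CERT_DER = b"constructed-not-a-real-certificate"
APP_PACKAGE = "app.beetlebug"
APP_FINGERPRINT = cert_fingerprint(FAKE_CERT_DER)

# Constructed statement as it would be served by https://beetlebug.com/.well-known/assetlinks.json
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {
        "namespace": "android_app",
        "package_name": APP_PACKAGE,
        # stored lowercase on purpose: comparison must be case-insensitive
        "sha256_cert_fingerprints": [APP_FINGERPRINT.lower()],
    },
}])


def verify_assetlinks(statement_json, package_name, fingerprint):
    """Return (verified, reason).  Android only auto-verifies the link when a
    statement names this package *and* its signing certificate; a package match
    alone is not enough, otherwise a re-signed clone could claim the host."""
    try:
        statements = json.loads(statement_json)
    except ValueError:
        return False, "assetlinks.json is not valid JSON"
    if not isinstance(statements, list):
        return False, "assetlinks.json must be a JSON array of statements"
    wanted = fingerprint.upper()
    package_seen = False
    for st in statements:
        target = st.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if HANDLE_ALL_URLS not in st.get("relation", []):
            continue
        if target.get("package_name") != package_name:
            continue
        package_seen = True
        fps = [fp.upper() for fp in target.get("sha256_cert_fingerprints", [])]
        if wanted in fps:
            return True, "verified: package and signing certificate match"
    if package_seen:
        return False, "package listed but signing certificate fingerprint does not match"
    return False, "no handle_all_urls statement for %s" % package_name


if __name__ == "__main__":
    print(verify_assetlinks(SAMPLE_ASSETLINKS, APP_PACKAGE, APP_FINGERPRINT))
    print(verify_assetlinks(SAMPLE_ASSETLINKS, "com.example.clone", APP_FINGERPRINT))
```

Why this matters for the deeplink demo: when verification fails (no statement, wrong package, or a certificate mismatch after a re-sign), Android does not grant the app exclusive handling of `https://beetlebug.com` links, and any other installed app declaring the same `VIEW`/`BROWSABLE` filter for that host can compete for them. On Android 12 and later the device-side result can be read with `adb shell pm get-app-links <package>`.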
DEMO: Solve CTF Challenges
Android CTF Challenge
iOS CTF Challenge
DEMO: Defeat a Malware
Static Analysis Hints
Dynamic Analysis
DevSecOps
MobSF in CI/CD: REST APIs
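The slide only names the REST API; the script below is an added example of what a CI job built on it looks like, not MobSF's own client or any official integration. The endpoints and the `Authorization` header (the API key MobSF prints at startup) follow the MobSF REST API documentation; the report sections the gate reads (`code_analysis.findings` and `manifest_analysis.manifest_findings`) and the severity strings are assumptions about the `report_json` layout, and `SAMPLE_REPORT` with its rule ids is constructed, so check both against the MobSF version you run:

```python
"""Drive a MobSF instance from CI and fail the build on findings above a severity.
Added example, not MobSF's own client.  Endpoints per the MobSF REST API docs;
the report layout read by gate() is an assumption and SAMPLE_REPORT is constructed."""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "")  # printed by MobSF on startup


def _post(path, form=None, body=None, content_type=None):
    """POST to the REST API; every call carries the API key in Authorization."""
    if body is None:
        body = urllib.parse.urlencode(form).encode()
        content_type = "application/x-www-form-urlencoded"
    req = urllib.request.Request(MOBSF_URL + path, data=body, method="POST",
                                 headers={"Authorization": MOBSF_API_KEY,
                                          "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.loads(resp.read().decode())


def upload(path):
    """multipart/form-data upload; the reply carries file_name, hash and scan_type."""
    boundary = uuid.uuid4().hex
    with open(path, "rb") as fh:
        content = fh.read()
    body = b"".join([
        b"--%s\r\n" % boundary.encode(),
        b'Content-Disposition: form-data; name="file"; filename="%s"\r\n'
        % os.path.basename(path).encode(),
        b"Content-Type: application/octet-stream\r\n\r\n", content,
        b"\r\n--%s--\r\n" % boundary.encode(),
    ])
    return _post("/api/v1/upload", body=body,
                 content_type="multipart/form-data; boundary=" + boundary)


def scan(uploaded):
    # Recent releases only need "hash"; scan_type/file_name are what older ones asked for.
    return _post("/api/v1/scan", {"hash": uploaded["hash"],
                                  "scan_type": uploaded["scan_type"],
                                  "file_name": uploaded["file_name"]})


def report_json(file_hash):
    return _post("/api/v1/report_json", {"hash": file_hash})


# Assumed ranking of MobSF severity strings; anything unknown ranks as info.
SEVERITY_RANK = {"info": 0, "secure": 0, "good": 0, "warning": 1, "high": 2}


def gate(report, fail_on="high"):
    """Return (passed, failing) where failing lists (rule, severity, where)."""
    threshold = SEVERITY_RANK[fail_on]
    failing = []
    for rule, item in report.get("code_analysis", {}).get("findings", {}).items():
        sev = item.get("metadata", {}).get("severity", "info")
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            failing.append((rule, sev, sorted(item.get("files", {}))))
    for m in report.get("manifest_analysis", {}).get("manifest_findings", []):
        sev = m.get("severity", "info")
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            failing.append((m.get("rule", "manifest"), sev, m.get("component", [])))
    return not failing, failing


# Constructed report fragment in the assumed layout (rule ids are made up).
SAMPLE_REPORT = {
    "code_analysis": {"findings": {
        "sample_hardcoded_secret": {"files": {"a/Config.java": "12"},
                                    "metadata": {"severity": "warning", "cwe": "CWE-312"}},
        "sample_webview_js_bridge": {"files": {"a/Web.java": "40,58"},
                                     "metadata": {"severity": "high", "cwe": "CWE-749"}},
        "sample_logging": {"files": {"a/Main.java": "7"},
                           "metadata": {"severity": "info"}},
    }},
    "manifest_analysis": {"manifest_findings": [
        {"rule": "sample_debuggable", "severity": "high", "component": []},
        {"rule": "sample_exported_activity", "severity": "warning",
         "component": ["app.beetlebug.ctf.DeeplinkAccountActivity"]},
    ]},
}

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: mobsf_gate.py <app.apk|app.ipa> [high|warning]")
    up = upload(sys.argv[1])
    scan(up)  # returns once static analysis has finished
    passed, failing = gate(report_json(up["hash"]),
                           sys.argv[2] if len(sys.argv) > 2 else "high")
    for rule, sev, where in failing:
        print("[%s] %s %s" % (sev.upper(), rule, where))
    sys.exit(0 if passed else 1)
```

Keep the API key in a CI secret rather than in the pipeline file, and point `MOBSF_URL` at an instance the runner can reach; the gate itself is pure and can be unit-tested against saved reports, which is also how to tune `fail_on` before turning the job blocking.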
DevSecOps
MobSF SAST in CI/CD
• pip install mobsfscan
mobsfscan <source_code_path>
• CLI and Library
mobsfscan GitHub action
Enterprise Ready
Enterprise support services
• Multi user authentication and access control
• SAML 2.0 SSO support
• SLA bound priority feature requests, bug fixes & consultancy (paid)
• Everything goes back to the community
Question?
Thanks for listening
• Kudos 🎉 to core contributors Magaofei, Matan, &
Vincent
• Github: https://github.com/MobSF/Mobile-Security-Framework-MobSF
• Documentation: https://mobsf.github.io/docs/
• Support Slack Channel: https://mobsf.slack.com
• Contact: ajin<AT>opensecurity.in | @ajinabraham

AppSec PNW: Android and iOS Application Security with MobSF