Mobile-Security-Framework-MobSF

From Embedded Lab Vienna for IoT & Security
Mobile-Security-Framework

Summary

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.

Requirements

Description

Step 1: Open the Webpage

http://localhost:8000

(Screenshot: MobSF start page)

Step 2: Upload Mobile Application

Select the upload button. This can take a while, because MobSF decompiles the APK and analyzes all of its files and dependencies.

Step 3: Static Analysis

During the static analysis of an APK, MobSF collects information by running different tests with several tools; some of the tests are interactive and customizable. Once the mobile application has been uploaded, the report is generated and the resulting information can be viewed.

On the start page we get a general overview of the results:

(Screenshot: static analysis overview)

  • Scan Options: defines specific scan options via suppression rules
  • Decompiled Code: decompiles the app to readable Java source code or Smali code and provides a search-in-code function
  • Play Store information: retrieves some information about the usage of the app
  • Signer Certificate: verifies the certificate fields and the signature of the APK file
  • Application Permissions: extracts and evaluates the application permissions from the manifest and identifies dangerous permissions that grant access to phone resources
  • Android API: this listing shows the usage of the Android API, giving direct access to the code of the decompiled Java files
  • Browsable Activities: shows activities that expose an intent to the browser, together with the enabled schemes of the intent (https and/or http) and the host domain name
  • Security Analysis: this section provides the results with a risk rating, scoring the severity of the findings as high or warning, and gives a reasonable description of each issue
    • Network Security
    • Certificate Analysis
    • Manifest Analysis: enables the tester to set a suppression rule to exclude an issue from the scoring
    • Code Analysis: a detailed list of the findings in the Java files, mapped to the associated weaknesses of the Common Weakness Enumeration (CWE), the OWASP Top 10 and the OWASP Mobile Application Security Verification Standard (OWASP MASVS). It also provides a severity rating of info, warning, high and secure; the latter takes security measures such as SSL pinning, root detection or code obfuscation into account. Code Analysis enables the tester to set a suppression rule to exclude an issue from the scoring.
    • Binary Analysis: performed if binaries are included in the APK file; in the case of split APKs the analysis has to be done for each file
    • NIAP Analysis: a National Information Assurance Partnership (NIAP) analysis v1.3 is conducted; the tested requirements are defined in the Protection Profile for Application Software Version 1.3, which also provides a security evaluation summary
    • File Analysis:
  • Malware Analysis
    • APKiD Analysis: APKiD gives information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff
    • Quark Analysis: Quark Script APIs enable the exchange of valuable intelligence to analyze or pentest the targets
    • Server Locations: shows a map of the server locations the app connects to
    • Domain Malware Check: examines all domains included in the APK file against known malware-delivery domains; the geolocations of the domains are also listed
  • Reconnaissance:
    • URLs: shows all URLs found in the APK, together with the decompiled Java file each one occurs in
    • Firebase DB: the endpoint of an integrated Firebase database is shown. Firebase is a NoSQL cloud database that stores and syncs data in real time to mobile and web clients
    • Emails: shows the email addresses identified in the APK
    • Trackers: shows the embedded trackers identified, based on the 428 known trackers from the Exodus database
    • Strings: prints out all consecutive runs of readable characters longer than the minimum of 6 characters
    • Hardcoded Secrets: lists possible hardcoded secrets found in the APK
  • Components: lists all Activities, Services, Receivers, Providers, Libraries and Files found in the APK
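As an added illustration of what the Application Permissions and Browsable Activities checks look for, here is a small manifest check written for this page (example code, not MobSF's own implementation). The sample manifest and the subset of dangerous permissions are constructed for the example.

```python
# Added example, not MobSF's own code: a minimal AndroidManifest.xml check in the
# spirit of MobSF's "Application Permissions" and "Browsable Activities" findings.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Subset of permissions Android marks protectionLevel="dangerous" (runtime-granted).
DANGEROUS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
             "android.permission.RECORD_AUDIO"}

def attr(elem, name):
    # Read the namespaced android:<name> attribute (None if absent).
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def dangerous_permissions(manifest_xml):
    # Requested permissions that fall into the dangerous group, sorted.
    root = ET.fromstring(manifest_xml)
    return sorted(attr(p, "name") for p in root.iter("uses-permission")
                  if attr(p, "name") in DANGEROUS)

def browsable_activities(manifest_xml):
    # Activities reachable from a browser/deep link: any intent-filter carrying the
    # BROWSABLE category. Schemes and hosts of all <data> tags in one filter combine.
    root = ET.fromstring(manifest_xml)
    found = {}
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            cats = {attr(c, "name") for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" not in cats:
                continue
            entry = found.setdefault(attr(act, "name"), {"schemes": set(), "hosts": set()})
            for data in flt.findall("data"):
                if attr(data, "scheme"):
                    entry["schemes"].add(attr(data, "scheme"))
                if attr(data, "host"):
                    entry["hosts"].add(attr(data, "host"))
    return {a: {k: sorted(v) for k, v in e.items()} for a, e in found.items()}

# Constructed sample manifest for this example (not taken from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="http" android:host="example.com"/>
        <data android:scheme="https"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

On the sample, INTERNET is filtered out as a normal permission, while the deep-link activity is reported with both schemes (plain http included) and its host.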

If MobSF finds CWEs during the code analysis, the results are shown like this:

(Screenshot: static analysis, code analysis findings)

MobSF also gives the user the option to compare different APKs, if deployed natively.

(Screenshots: static analysis, APK comparison views)

Optional Step 4: Dynamic Analysis

If the dynamic analysis is started, an emulation of the app is launched; it is then possible to monitor the app's behaviour and, optionally, load some JavaScript scripts.

(Screenshots: dynamic analysis views)


Courses

  • Sichere Softwareentwicklung (IT-Security 22/23)

References