MobSF (Mobile Security Framework) Cheat Sheet¶
Überblick¶
Mobile Security Framework (MobSF) ist ein automatisiertes, All-in-one-Mobile-Anwendung (Android/iOS/Windows) Pen-Testing, Malware-Analyse und Sicherheitsbewertung Framework in der Lage, statische und dynamische Analyse. MobSF bietet umfassende Sicherheitstests wie statische Analyse, dynamische Analyse, Malware-Analyse und API-Sicherheitstests.
ZEIT Warning: Verwenden Sie nur MobSF auf Anwendungen, die Sie besitzen oder haben ausdrückliche Erlaubnis zu testen. Unbefugte Analyse kann gegen die Nutzungsbedingungen oder lokale Gesetze verstoßen.
Installation¶
Docker Installation (empfohlen)¶
```bash
Pull MobSF Docker image¶
docker pull opensecurity/mobsf
Run MobSF container¶
docker run -it --rm -p 8000:8000 opensecurity/mobsf:latest
Run with persistent storage¶
docker run -it --rm -p 8000:8000 -v /host/path:/home/mobsf/.MobSF opensecurity/mobsf:latest
Run in background¶
docker run -d -p 8000:8000 --name mobsf opensecurity/mobsf:latest ```_
Manuelle Installation¶
Linux/macOS¶
```bash
Clone repository¶
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF
Install dependencies¶
pip3 install -r requirements.txt
Setup database¶
python3 manage.py makemigrations python3 manage.py migrate
Create superuser (optional)¶
python3 manage.py createsuperuser
Run MobSF¶
python3 manage.py runserver 0.0.0.0:8000 ```_
Windows¶
```bash
Clone repository¶
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF
Install dependencies¶
pip install -r requirements.txt
Setup database¶
python manage.py makemigrations python manage.py migrate
Run MobSF¶
python manage.py runserver 0.0.0.0:8000 ```_
Voraussetzungen Installation¶
Java Entwicklung Kit¶
```bash
Ubuntu/Debian¶
sudo apt update sudo apt install openjdk-11-jdk
macOS¶
brew install openjdk@11
Windows¶
Download and install from Oracle or OpenJDK website¶
```_
Android SDK (für dynamische Analyse)¶
```bash
Download Android SDK¶
wget https://dl.google.com/android/repository/commandlinetools-linux-8512546_latest.zip unzip commandlinetools-linux-8512546_latest.zip
Set environment variables¶
export ANDROID_HOME=\(HOME/Android/Sdk export PATH=\)PATH:\(ANDROID_HOME/cmdline-tools/latest/bin export PATH=\)PATH:$ANDROID_HOME/platform-tools
Install SDK components¶
sdkmanager "platform-tools" "platforms;android-30" "build-tools;30.0.3" ```_
Basisnutzung¶
Web Interface Zugriff¶
```bash
Access MobSF web interface¶
Default credentials (if authentication enabled)¶
Username: admin¶
Password: (set during installation)¶
```_
Datei Hochladen und Analyse¶
```bash
Upload APK file via web interface¶
Navigate to http://localhost:8000¶
Click "Upload" and select APK/IPA file¶
Analysis starts automatically¶
Supported file formats:¶
Android: APK, XAPK, AAB¶
iOS: IPA, ZIP¶
Windows: APPX¶
```_
Kommandozeilenschnittstelle¶
```bash
Start MobSF server¶
python3 manage.py runserver 0.0.0.0:8000
Run with specific settings¶
python3 manage.py runserver --settings=mobsf.settings.production
Run with debug mode¶
python3 manage.py runserver --debug
Database operations¶
python3 manage.py migrate python3 manage.py collectstatic ```_
API Verwendung¶
REST API Endpunkte¶
```bash
Upload file for analysis¶
curl -X POST -F "file=@app.apk" http://localhost:8000/api/v1/upload
Get scan results¶
curl -X POST -d "hash=
Download report¶
curl -X POST -d "hash=
Delete scan¶
curl -X POST -d "hash=
Python API Client¶
```python
!/usr/bin/env python3¶
import requests import json
class MobSFAPI: def init(self, server_url="http://localhost:8000"): self.server = server_url self.api_key = None
def upload_file(self, file_path):
"""Upload file for analysis"""
url = f"\\\\{self.server\\\\}/api/v1/upload"
files = \\\\{'file': open(file_path, 'rb')\\\\}
response = requests.post(url, files=files)
return response.json()
def scan_file(self, file_hash, scan_type="apk"):
"""Start scan analysis"""
url = f"\\\\{self.server\\\\}/api/v1/scan"
data = \\\\{'hash': file_hash, 'scan_type': scan_type\\\\}
response = requests.post(url, data=data)
return response.json()
def get_report(self, file_hash, scan_type="apk"):
"""Get analysis report"""
url = f"\\\\{self.server\\\\}/api/v1/report_json"
data = \\\\{'hash': file_hash, 'scan_type': scan_type\\\\}
response = requests.post(url, data=data)
return response.json()
def download_pdf(self, file_hash, scan_type="apk"):
"""Download PDF report"""
url = f"\\\\{self.server\\\\}/api/v1/download_pdf"
data = \\\\{'hash': file_hash, 'scan_type': scan_type\\\\}
response = requests.post(url, data=data)
return response.content
Usage example¶
mobsf = MobSFAPI() upload_result = mobsf.upload_file("app.apk") file_hash = upload_result['hash'] scan_result = mobsf.scan_file(file_hash) report = mobsf.get_report(file_hash) ```_
Statische Analysefunktionen¶
Android APK Analyse¶
```bash
Automatic analysis includes:¶
- Manifest analysis¶
- Permission analysis¶
- Certificate analysis¶
- Code analysis (Java/Kotlin)¶
- Resource analysis¶
- Binary analysis¶
- Security issues detection¶
Key areas analyzed:¶
- Hardcoded secrets¶
- Insecure data storage¶
- Cryptographic issues¶
- Network security¶
- Code obfuscation¶
- Anti-debugging measures¶
```_
iOS IPA Analyse¶
```bash
Automatic analysis includes:¶
- Info.plist analysis¶
- Entitlements analysis¶
- Binary analysis¶
- Code analysis (Objective-C/Swift)¶
- Resource analysis¶
- Security configuration¶
Key areas analyzed:¶
- App Transport Security¶
- Keychain usage¶
- URL schemes¶
- File system permissions¶
- Binary protections¶
- Code signing¶
```_
Kundenspezifische Regeln und Unterschriften¶
```python
Add custom security rules¶
Edit mobsf/StaticAnalyzer/views/android/rules/¶
Example custom rule¶
\\{ "rules": [ \\{ "id": "custom_hardcoded_key", "message": "Hardcoded API key detected", "type": "Regex", "pattern": "api_key\s*=\s*['\"][a-zA-Z0-9]\\{32\\}['\"]", "severity": "HIGH", "languages": ["java", "kotlin"], "cwe": "CWE-798" \\} ] \\} ```_
Dynamische Analyse¶
Android Dynamic Analysis Setup¶
```bash
Setup Android emulator or device¶
Enable USB debugging¶
adb devices
Install MobSF agent¶
Download from MobSF interface¶
adb install MobSFy.apk
Configure proxy settings¶
adb shell settings put global http_proxy localhost:1337
Start dynamic analysis from web interface¶
Navigate to Dynamic Analysis tab¶
Select target application¶
Click "Start Dynamic Analysis"¶
```_
iOS Dynamische Analyse Setup¶
```bash
Requires jailbroken iOS device¶
Install MobSF agent via Cydia or manual installation¶
SSH to device¶
ssh root@
Install required tools¶
apt update apt install python3 python3-pip
Install MobSF iOS agent¶
pip3 install frida-tools
Follow MobSF documentation for agent installation¶
```_
Dynamische Analysefunktionen¶
```bash
Runtime analysis capabilities:¶
- API monitoring¶
- File system monitoring¶
- Network traffic analysis¶
- Memory dumps¶
- Method tracing¶
- SSL pinning bypass¶
- Root/jailbreak detection bypass¶
- Screenshot capture¶
- Activity monitoring¶
```_
Erweiterte Konfiguration¶
Individuelle Einstellungen¶
```python
Edit mobsf/settings.py or create local_settings.py¶
Database configuration¶
DATABASES = \\{ 'default': \\{ 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'mobsf_db', 'USER': 'mobsf_user', 'PASSWORD': 'password', 'HOST': 'localhost', 'PORT': '5432', \\} \\}
Security settings¶
ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'your-domain.com'] SECRET_KEY = 'your-secret-key-here'
Analysis settings¶
MOBSF_MAX_FILE_SIZE = 100 * 1024 * 1024 # 100MB MOBSF_TIMEOUT = 300 # 5 minutes
Proxy settings for dynamic analysis¶
PROXY_IP = '127.0.0.1' PROXY_PORT = 1337 ```_
Docker komponiert Setup¶
```yaml
docker-compose.yml¶
version: '3.8'
services: mobsf: image: opensecurity/mobsf:latest ports: - "8000:8000" volumes: - mobsf_data:/home/mobsf/.MobSF environment: - MOBSF_ANALYZER_TIMEOUT=300 restart: unless-stopped
postgres: image: postgres:13 environment: - POSTGRES_DB=mobsf - POSTGRES_USER=mobsf - POSTGRES_PASSWORD=password volumes: - postgres_data:/var/lib/postgresql/data restart: unless-stopped
volumes: mobsf_data: postgres_data: ```_
SSL/TLS Konfiguration¶
```bash
Generate SSL certificate¶
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Configure HTTPS in settings¶
USE_TLS = True TLS_CERT = '/path/to/cert.pem' TLS_KEY = '/path/to/key.pem'
Run with HTTPS¶
python3 manage.py runsslserver 0.0.0.0:8000 --certificate /path/to/cert.pem --key /path/to/key.pem ```_
Automatisierungsskripte¶
Batch Analysis Script¶
```python
!/usr/bin/env python3¶
import os import requests import time import json from pathlib import Path
class MobSFBatchAnalyzer: def init(self, server_url="http://localhost:8000"): self.server = server_url self.session = requests.Session()
def analyze_directory(self, directory_path, output_dir="reports"):
"""Analyze all APK/IPA files in directory"""
Path(output_dir).mkdir(exist_ok=True)
for file_path in Path(directory_path).glob("*.apk"):
print(f"[+] Analyzing \\\\{file_path.name\\\\}")
try:
# Upload file
upload_result = self.upload_file(str(file_path))
file_hash = upload_result['hash']
# Wait for analysis completion
self.wait_for_analysis(file_hash)
# Download report
report = self.get_report(file_hash)
report_path = Path(output_dir) / f"\\\\{file_path.stem\\\\}_report.json"
with open(report_path, 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{report_path\\\\}")
except Exception as e:
print(f"[-] Error analyzing \\\\{file_path.name\\\\}: \\\\{e\\\\}")
def upload_file(self, file_path):
"""Upload file for analysis"""
url = f"\\\\{self.server\\\\}/api/v1/upload"
files = \\\\{'file': open(file_path, 'rb')\\\\}
response = self.session.post(url, files=files)
return response.json()
def wait_for_analysis(self, file_hash, timeout=300):
"""Wait for analysis to complete"""
start_time = time.time()
while time.time() - start_time < timeout:
status = self.get_scan_status(file_hash)
if status.get('status') == 'completed':
return True
time.sleep(10)
raise TimeoutError("Analysis timeout")
def get_scan_status(self, file_hash):
"""Get scan status"""
url = f"\\\\{self.server\\\\}/api/v1/scan_status"
data = \\\\{'hash': file_hash\\\\}
response = self.session.post(url, data=data)
return response.json()
def get_report(self, file_hash):
"""Get analysis report"""
url = f"\\\\{self.server\\\\}/api/v1/report_json"
data = \\\\{'hash': file_hash, 'scan_type': 'apk'\\\\}
response = self.session.post(url, data=data)
return response.json()
Usage¶
if name == "main": analyzer = MobSFBatchAnalyzer() analyzer.analyze_directory("/path/to/apk/files", "analysis_reports") ```_
CI/CD Integrationsskript¶
```python
!/usr/bin/env python3¶
import sys import requests import json import time
def mobsf_security_gate(apk_path, threshold_score=7.0): """ Security gate for CI/CD pipeline Returns True if app passes security threshold """ mobsf_url = "http://localhost:8000"
# Upload APK
upload_url = f"\\\\{mobsf_url\\\\}/api/v1/upload"
files = \\\\{'file': open(apk_path, 'rb')\\\\}
upload_response = requests.post(upload_url, files=files)
if upload_response.status_code != 200:
print("[-] Upload failed")
return False
file_hash = upload_response.json()['hash']
# Wait for analysis
time.sleep(60) # Wait for analysis to complete
# Get report
report_url = f"\\\\{mobsf_url\\\\}/api/v1/report_json"
report_data = \\\\{'hash': file_hash, 'scan_type': 'apk'\\\\}
report_response = requests.post(report_url, data=report_data)
if report_response.status_code != 200:
print("[-] Report generation failed")
return False
report = report_response.json()
# Calculate security score
high_issues = len([issue for issue in report.get('findings', []) if issue.get('severity') == 'high'])
medium_issues = len([issue for issue in report.get('findings', []) if issue.get('severity') == 'medium'])
# Simple scoring: 10 - (high_issues * 2) - (medium_issues * 1)
security_score = 10 - (high_issues * 2) - (medium_issues * 1)
print(f"[+] Security Score: \\\\{security_score\\\\}/10")
print(f"[+] High Issues: \\\\{high_issues\\\\}")
print(f"[+] Medium Issues: \\\\{medium_issues\\\\}")
if security_score >= threshold_score:
print("[+] Security gate PASSED")
return True
else:
print("[-] Security gate FAILED")
return False
if name == "main":
if len(sys.argv) != 2:
print("Usage: python3 security_gate.py
apk_path = sys.argv[1]
if mobsf_security_gate(apk_path):
sys.exit(0) # Success
else:
sys.exit(1) # Failure
```_
Integrationsbeispiele¶
Jenkins Pipeline Integration¶
```groovy pipeline \\{ agent any
stages \\\\{
stage('Build') \\\\{
steps \\\\{
// Build your Android app
sh './gradlew assembleDebug'
\\\\}
\\\\}
stage('Security Analysis') \\\\{
steps \\\\{
script \\\\{
// Start MobSF container
sh 'docker run -d -p 8000:8000 --name mobsf opensecurity/mobsf:latest'
// Wait for MobSF to start
sleep(30)
// Run security analysis
def result = sh(
script: 'python3 security_gate.py app/build/outputs/apk/debug/app-debug.apk',
returnStatus: true
)
if (result != 0) \\\\{
error("Security analysis failed")
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Cleanup
sh 'docker stop mobsf && docker rm mobsf'
\\\\}
\\\\}
\\\\}
\\\\}
\\} ```_
GitHub Aktionen Integration¶
```yaml name: Mobile Security Analysis
on: push: branches: [ main ] pull_request: branches: [ main ]
jobs: security-analysis: runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
- name: Build APK
run: ./gradlew assembleDebug
- name: Start MobSF
run: |
docker run -d -p 8000: 8000 --name mobsf opensecurity/mobsf:latest
sleep 30
- name: Run Security Analysis
run: |
python3 -c "
import requests
import time
# Upload APK
files = \\\\{'file': open('app/build/outputs/apk/debug/app-debug.apk', 'rb')\\\\}
response = requests.post('http: //localhost:8000/api/v1/upload', files=files)
file_hash = response.json()['hash']
# Wait and get report
time.sleep(60)
report_data = \\\\{'hash': file_hash, 'scan_type': 'apk'\\\\}
report = requests.post('http: //localhost:8000/api/v1/report_json', data=report_data)
# Save report
with open('security_report.json', 'w') as f:
f.write(report.text)
"
- name: Upload Security Report
uses: actions/upload-artifact@v2
with:
name: security-report
path: security_report.json
- name: Cleanup
run: docker stop mobsf && docker rm mobsf
```_
Fehlerbehebung¶
Gemeinsame Installationsprobleme¶
```bash
Python dependency issues¶
pip3 install --upgrade pip pip3 install -r requirements.txt --force-reinstall
Database migration issues¶
python3 manage.py migrate --run-syncdb python3 manage.py migrate --fake-initial
Permission issues (Linux/macOS)¶
sudo chown -R \(USER:\)USER . chmod +x manage.py ```_
Docker Issues¶
```bash
Container won't start¶
docker logs mobsf
Port already in use¶
docker ps -a docker stop $(docker ps -q) netstat -tulpn|grep 8000
Volume mount issues¶
docker run -it --rm -v $(pwd)/data:/home/mobsf/.MobSF opensecurity/mobsf:latest
Memory issues¶
docker run -it --rm -m 4g opensecurity/mobsf:latest ```_
Analysethemen¶
```bash
APK analysis fails¶
Check file size (default limit: 100MB)¶
ls -lh app.apk
Check file format¶
file app.apk
Enable debug mode¶
export MOBSF_DEBUG=1 python3 manage.py runserver
Clear cache¶
rm -rf ~/.MobSF/downloads/* rm -rf ~/.MobSF/uploads/* ```_
Dynamische Analyseprobleme¶
```bash
Android emulator not detected¶
adb devices adb kill-server adb start-server
Proxy issues¶
adb shell settings put global http_proxy localhost:1337 adb shell settings put secure http_proxy localhost:1337
Agent installation fails¶
adb uninstall com.mobsf.mobsfy adb install -r MobSFy.apk
Certificate issues¶
adb push mobsf_ca.crt /sdcard/
Install certificate manually in Android settings¶
```_
Leistungsoptimierung¶
```bash
Increase memory allocation¶
export JAVA_OPTS="-Xmx4g -Xms2g"
Optimize database¶
python3 manage.py dbshell VACUUM; REINDEX;
Clean old analyses¶
python3 manage.py shell from StaticAnalyzer.models import *
Delete old records¶
Use SSD storage for better I/O performance¶
Configure database on SSD¶
Use RAM disk for temporary files¶
```_
Ressourcen¶
- Official MobSF Dokumentation
- [MobSF GitHub Repository](LINK_7 -%20MobSF%20API%20Dokumentation
- [MobSF Docker Hub] (LINK_7)
- [OWASP Mobile Security Testing Guide](LINK_7 -%20Android%20Security%20Testing
- [iOS Security Guide](LINK_7
--
*Dieses Cheatsheet bietet eine umfassende Referenz für die Verwendung von MobSF für mobile Anwendungssicherheitstests. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie mobile Anwendungen testen. *