MobSF (Mobile Security Framework) Cheat Sheet
Überblick
Mobile Security Framework (MobSF) ist ein automatisiertes, All-in-one-Mobile-Anwendung (Android/iOS/Windows) Pen-Testing, Malware-Analyse und Sicherheitsbewertung Framework in der Lage, statische und dynamische Analyse. MobSF bietet umfassende Sicherheitstests wie statische Analyse, dynamische Analyse, Malware-Analyse und API-Sicherheitstests.
ZEIT Warning: Verwenden Sie nur MobSF auf Anwendungen, die Sie besitzen oder haben ausdrückliche Erlaubnis zu testen. Unbefugte Analyse kann gegen die Nutzungsbedingungen oder lokale Gesetze verstoßen.
Installation
Docker Installation (empfohlen)
```bash
Pull MobSF Docker image
docker pull opensecurity/mobsf
Run MobSF container
docker run -it --rm -p 8000:8000 opensecurity/mobsf:latest
Run with persistent storage
docker run -it --rm -p 8000:8000 -v /host/path:/home/mobsf/.MobSF opensecurity/mobsf:latest
Run in background
docker run -d -p 8000:8000 --name mobsf opensecurity/mobsf:latest ```_
Manuelle Installation
Linux/macOS
```bash
Clone repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF
Install dependencies
pip3 install -r requirements.txt
Setup database
python3 manage.py makemigrations python3 manage.py migrate
Create superuser (optional)
python3 manage.py createsuperuser
Run MobSF
python3 manage.py runserver 0.0.0.0:8000 ```_
Windows
```bash
Clone repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF
Install dependencies
pip install -r requirements.txt
Setup database
python manage.py makemigrations python manage.py migrate
Run MobSF
python manage.py runserver 0.0.0.0:8000 ```_
Voraussetzungen Installation
Java Entwicklung Kit
```bash
Ubuntu/Debian
sudo apt update sudo apt install openjdk-11-jdk
macOS
brew install openjdk@11
Windows
Download and install from Oracle or OpenJDK website
```_
Android SDK (für dynamische Analyse)
```bash
Download Android SDK
wget https://dl.google.com/android/repository/commandlinetools-linux-8512546_latest.zip unzip commandlinetools-linux-8512546_latest.zip
Set environment variables
export ANDROID_HOME=$HOME/Android/Sdk export PATH=$PATH:$ANDROID_HOME/cmdline-tools/latest/bin export PATH=$PATH:$ANDROID_HOME/platform-tools
Install SDK components
sdkmanager "platform-tools" "platforms;android-30" "build-tools;30.0.3" ```_
Basisnutzung
Web Interface Zugriff
```bash
Access MobSF web interface
http://localhost:8000
Default credentials (if authentication enabled)
Username: admin
Password: (set during installation)
```_
Datei Hochladen und Analyse
```bash
Upload APK file via web interface
Navigate to http://localhost:8000
Click "Upload" and select APK/IPA file
Analysis starts automatically
Supported file formats:
Android: APK, XAPK, AAB
iOS: IPA, ZIP
Windows: APPX
```_
Kommandozeilenschnittstelle
```bash
Start MobSF server
python3 manage.py runserver 0.0.0.0:8000
Run with specific settings
python3 manage.py runserver --settings=mobsf.settings.production
Run with debug mode
python3 manage.py runserver --debug
Database operations
python3 manage.py migrate python3 manage.py collectstatic ```_
API Verwendung
REST API Endpunkte
```bash
Upload file for analysis
curl -X POST -F "file=@app.apk" http://localhost:8000/api/v1/upload
Get scan results
curl -X POST -d "hash=
Download report
curl -X POST -d "hash=
Delete scan
curl -X POST -d "hash=
Python API Client
```python
!/usr/bin/env python3
import requests import json
class MobSFAPI: def init(self, server_url="http://localhost:8000"): self.server = server_url self.api_key = None
def upload_file(self, file_path):
"""Upload file for analysis"""
url = f"\\\\{self.server\\\\}/api/v1/upload"
files = \\\\{'file': open(file_path, 'rb')\\\\}
response = requests.post(url, files=files)
return response.json()
def scan_file(self, file_hash, scan_type="apk"):
"""Start scan analysis"""
url = f"\\\\{self.server\\\\}/api/v1/scan"
data = \\\\{'hash': file_hash, 'scan_type': scan_type\\\\}
response = requests.post(url, data=data)
return response.json()
def get_report(self, file_hash, scan_type="apk"):
"""Get analysis report"""
url = f"\\\\{self.server\\\\}/api/v1/report_json"
data = \\\\{'hash': file_hash, 'scan_type': scan_type\\\\}
response = requests.post(url, data=data)
return response.json()
def download_pdf(self, file_hash, scan_type="apk"):
"""Download PDF report"""
url = f"\\\\{self.server\\\\}/api/v1/download_pdf"
data = \\\\{'hash': file_hash, 'scan_type': scan_type\\\\}
response = requests.post(url, data=data)
return response.content
Usage example
mobsf = MobSFAPI() upload_result = mobsf.upload_file("app.apk") file_hash = upload_result['hash'] scan_result = mobsf.scan_file(file_hash) report = mobsf.get_report(file_hash) ```_
Statische Analysefunktionen
Android APK Analyse
```bash
Automatic analysis includes:
- Manifest analysis
- Permission analysis
- Certificate analysis
- Code analysis (Java/Kotlin)
- Resource analysis
- Binary analysis
- Security issues detection
Key areas analyzed:
- Hardcoded secrets
- Insecure data storage
- Cryptographic issues
- Network security
- Code obfuscation
- Anti-debugging measures
```_
iOS IPA Analyse
```bash
Automatic analysis includes:
- Info.plist analysis
- Entitlements analysis
- Binary analysis
- Code analysis (Objective-C/Swift)
- Resource analysis
- Security configuration
Key areas analyzed:
- App Transport Security
- Keychain usage
- URL schemes
- File system permissions
- Binary protections
- Code signing
```_
Kundenspezifische Regeln und Unterschriften
```python
Add custom security rules
Edit mobsf/StaticAnalyzer/views/android/rules/
Example custom rule
\\{ "rules": [ \\{ "id": "custom_hardcoded_key", "message": "Hardcoded API key detected", "type": "Regex", "pattern": "api_key\s=\s['\"][a-zA-Z0-9]\\{32\\}['\"]", "severity": "HIGH", "languages": ["java", "kotlin"], "cwe": "CWE-798" \\} ] \\} ```_
Dynamische Analyse
Android Dynamic Analysis Setup
```bash
Setup Android emulator or device
Enable USB debugging
adb devices
Install MobSF agent
Download from MobSF interface
adb install MobSFy.apk
Configure proxy settings
adb shell settings put global http_proxy localhost:1337
Start dynamic analysis from web interface
Navigate to Dynamic Analysis tab
Select target application
Click "Start Dynamic Analysis"
```_
iOS Dynamische Analyse Setup
```bash
Requires jailbroken iOS device
Install MobSF agent via Cydia or manual installation
SSH to device
ssh root@
Install required tools
apt update apt install python3 python3-pip
Install MobSF iOS agent
pip3 install frida-tools
Follow MobSF documentation for agent installation
```_
Dynamische Analysefunktionen
```bash
Runtime analysis capabilities:
- API monitoring
- File system monitoring
- Network traffic analysis
- Memory dumps
- Method tracing
- SSL pinning bypass
- Root/jailbreak detection bypass
- Screenshot capture
- Activity monitoring
```_
Erweiterte Konfiguration
Individuelle Einstellungen
```python
Edit mobsf/settings.py or create local_settings.py
Database configuration
DATABASES = \\{ 'default': \\{ 'ENGINE': 'django.db.backends.postgresql', 'NAME': 'mobsf_db', 'USER': 'mobsf_user', 'PASSWORD': 'password', 'HOST': 'localhost', 'PORT': '5432', \\} \\}
Security settings
ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'your-domain.com'] SECRET_KEY = 'your-secret-key-here'
Analysis settings
MOBSF_MAX_FILE_SIZE = 100 * 1024 * 1024 # 100MB MOBSF_TIMEOUT = 300 # 5 minutes
Proxy settings for dynamic analysis
PROXY_IP = '127.0.0.1' PROXY_PORT = 1337 ```_
Docker komponiert Setup
```yaml
docker-compose.yml
version: '3.8'
services: mobsf: image: opensecurity/mobsf:latest ports: - "8000:8000" volumes: - mobsf_data:/home/mobsf/.MobSF environment: - MOBSF_ANALYZER_TIMEOUT=300 restart: unless-stopped
postgres: image: postgres:13 environment: - POSTGRES_DB=mobsf - POSTGRES_USER=mobsf - POSTGRES_PASSWORD=password volumes: - postgres_data:/var/lib/postgresql/data restart: unless-stopped
volumes: mobsf_data: postgres_data: ```_
SSL/TLS Konfiguration
```bash
Generate SSL certificate
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Configure HTTPS in settings
USE_TLS = True TLS_CERT = '/path/to/cert.pem' TLS_KEY = '/path/to/key.pem'
Run with HTTPS
python3 manage.py runsslserver 0.0.0.0:8000 --certificate /path/to/cert.pem --key /path/to/key.pem ```_
Automatisierungsskripte
Batch Analysis Script
```python
!/usr/bin/env python3
import os import requests import time import json from pathlib import Path
class MobSFBatchAnalyzer: def init(self, server_url="http://localhost:8000"): self.server = server_url self.session = requests.Session()
def analyze_directory(self, directory_path, output_dir="reports"):
"""Analyze all APK/IPA files in directory"""
Path(output_dir).mkdir(exist_ok=True)
for file_path in Path(directory_path).glob("*.apk"):
print(f"[+] Analyzing \\\\{file_path.name\\\\}")
try:
# Upload file
upload_result = self.upload_file(str(file_path))
file_hash = upload_result['hash']
# Wait for analysis completion
self.wait_for_analysis(file_hash)
# Download report
report = self.get_report(file_hash)
report_path = Path(output_dir) / f"\\\\{file_path.stem\\\\}_report.json"
with open(report_path, 'w') as f:
json.dump(report, f, indent=2)
print(f"[+] Report saved: \\\\{report_path\\\\}")
except Exception as e:
print(f"[-] Error analyzing \\\\{file_path.name\\\\}: \\\\{e\\\\}")
def upload_file(self, file_path):
"""Upload file for analysis"""
url = f"\\\\{self.server\\\\}/api/v1/upload"
files = \\\\{'file': open(file_path, 'rb')\\\\}
response = self.session.post(url, files=files)
return response.json()
def wait_for_analysis(self, file_hash, timeout=300):
"""Wait for analysis to complete"""
start_time = time.time()
while time.time() - start_time < timeout:
status = self.get_scan_status(file_hash)
if status.get('status') == 'completed':
return True
time.sleep(10)
raise TimeoutError("Analysis timeout")
def get_scan_status(self, file_hash):
"""Get scan status"""
url = f"\\\\{self.server\\\\}/api/v1/scan_status"
data = \\\\{'hash': file_hash\\\\}
response = self.session.post(url, data=data)
return response.json()
def get_report(self, file_hash):
"""Get analysis report"""
url = f"\\\\{self.server\\\\}/api/v1/report_json"
data = \\\\{'hash': file_hash, 'scan_type': 'apk'\\\\}
response = self.session.post(url, data=data)
return response.json()
Usage
if name == "main": analyzer = MobSFBatchAnalyzer() analyzer.analyze_directory("/path/to/apk/files", "analysis_reports") ```_
CI/CD Integrationsskript
```python
!/usr/bin/env python3
import sys import requests import json import time
def mobsf_security_gate(apk_path, threshold_score=7.0): """ Security gate for CI/CD pipeline Returns True if app passes security threshold """ mobsf_url = "http://localhost:8000"
# Upload APK
upload_url = f"\\\\{mobsf_url\\\\}/api/v1/upload"
files = \\\\{'file': open(apk_path, 'rb')\\\\}
upload_response = requests.post(upload_url, files=files)
if upload_response.status_code != 200:
print("[-] Upload failed")
return False
file_hash = upload_response.json()['hash']
# Wait for analysis
time.sleep(60) # Wait for analysis to complete
# Get report
report_url = f"\\\\{mobsf_url\\\\}/api/v1/report_json"
report_data = \\\\{'hash': file_hash, 'scan_type': 'apk'\\\\}
report_response = requests.post(report_url, data=report_data)
if report_response.status_code != 200:
print("[-] Report generation failed")
return False
report = report_response.json()
# Calculate security score
high_issues = len([issue for issue in report.get('findings', []) if issue.get('severity') == 'high'])
medium_issues = len([issue for issue in report.get('findings', []) if issue.get('severity') == 'medium'])
# Simple scoring: 10 - (high_issues * 2) - (medium_issues * 1)
security_score = 10 - (high_issues * 2) - (medium_issues * 1)
print(f"[+] Security Score: \\\\{security_score\\\\}/10")
print(f"[+] High Issues: \\\\{high_issues\\\\}")
print(f"[+] Medium Issues: \\\\{medium_issues\\\\}")
if security_score >= threshold_score:
print("[+] Security gate PASSED")
return True
else:
print("[-] Security gate FAILED")
return False
if name == "main":
if len(sys.argv) != 2:
print("Usage: python3 security_gate.py
apk_path = sys.argv[1]
if mobsf_security_gate(apk_path):
sys.exit(0) # Success
else:
sys.exit(1) # Failure
```_
Integrationsbeispiele
Jenkins Pipeline Integration
```groovy pipeline \\{ agent any
stages \\\\{
stage('Build') \\\\{
steps \\\\{
// Build your Android app
sh './gradlew assembleDebug'
\\\\}
\\\\}
stage('Security Analysis') \\\\{
steps \\\\{
script \\\\{
// Start MobSF container
sh 'docker run -d -p 8000:8000 --name mobsf opensecurity/mobsf:latest'
// Wait for MobSF to start
sleep(30)
// Run security analysis
def result = sh(
script: 'python3 security_gate.py app/build/outputs/apk/debug/app-debug.apk',
returnStatus: true
)
if (result != 0) \\\\{
error("Security analysis failed")
\\\\}
\\\\}
\\\\}
post \\\\{
always \\\\{
// Cleanup
sh 'docker stop mobsf && docker rm mobsf'
\\\\}
\\\\}
\\\\}
\\\\}
\\} ```_
GitHub Aktionen Integration
```yaml name: Mobile Security Analysis
on: push: branches: [ main ] pull_request: branches: [ main ]
jobs: security-analysis: runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 11
uses: actions/setup-java@v2
with:
java-version: '11'
distribution: 'adopt'
- name: Build APK
run: ./gradlew assembleDebug
- name: Start MobSF
run: |
docker run -d -p 8000: 8000 --name mobsf opensecurity/mobsf:latest
sleep 30
- name: Run Security Analysis
run: |
python3 -c "
import requests
import time
# Upload APK
files = \\\\{'file': open('app/build/outputs/apk/debug/app-debug.apk', 'rb')\\\\}
response = requests.post('http: //localhost:8000/api/v1/upload', files=files)
file_hash = response.json()['hash']
# Wait and get report
time.sleep(60)
report_data = \\\\{'hash': file_hash, 'scan_type': 'apk'\\\\}
report = requests.post('http: //localhost:8000/api/v1/report_json', data=report_data)
# Save report
with open('security_report.json', 'w') as f:
f.write(report.text)
"
- name: Upload Security Report
uses: actions/upload-artifact@v2
with:
name: security-report
path: security_report.json
- name: Cleanup
run: docker stop mobsf && docker rm mobsf
```_
Fehlerbehebung
Gemeinsame Installationsprobleme
```bash
Python dependency issues
pip3 install --upgrade pip pip3 install -r requirements.txt --force-reinstall
Database migration issues
python3 manage.py migrate --run-syncdb python3 manage.py migrate --fake-initial
Permission issues (Linux/macOS)
sudo chown -R $USER:$USER . chmod +x manage.py ```_
Docker Issues
```bash
Container won't start
docker logs mobsf
Port already in use
docker ps -a docker stop $(docker ps -q) netstat -tulpn|grep 8000
Volume mount issues
docker run -it --rm -v $(pwd)/data:/home/mobsf/.MobSF opensecurity/mobsf:latest
Memory issues
docker run -it --rm -m 4g opensecurity/mobsf:latest ```_
Analysethemen
```bash
APK analysis fails
Check file size (default limit: 100MB)
ls -lh app.apk
Check file format
file app.apk
Enable debug mode
export MOBSF_DEBUG=1 python3 manage.py runserver
Clear cache
rm -rf ~/.MobSF/downloads/ rm -rf ~/.MobSF/uploads/ ```_
Dynamische Analyseprobleme
```bash
Android emulator not detected
adb devices adb kill-server adb start-server
Proxy issues
adb shell settings put global http_proxy localhost:1337 adb shell settings put secure http_proxy localhost:1337
Agent installation fails
adb uninstall com.mobsf.mobsfy adb install -r MobSFy.apk
Certificate issues
adb push mobsf_ca.crt /sdcard/
Install certificate manually in Android settings
```_
Leistungsoptimierung
```bash
Increase memory allocation
export JAVA_OPTS="-Xmx4g -Xms2g"
Optimize database
python3 manage.py dbshell VACUUM; REINDEX;
Clean old analyses
python3 manage.py shell from StaticAnalyzer.models import *
Delete old records
Use SSD storage for better I/O performance
Configure database on SSD
Use RAM disk for temporary files
```_
Ressourcen
- Official MobSF Dokumentation
- [MobSF GitHub Repository](LINK_7 -%20MobSF%20API%20Dokumentation
- [MobSF Docker Hub] (LINK_7)
- [OWASP Mobile Security Testing Guide](LINK_7 -%20Android%20Security%20Testing
- [iOS Security Guide](LINK_7
--
*Dieses Cheatsheet bietet eine umfassende Referenz für die Verwendung von MobSF für mobile Anwendungssicherheitstests. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie mobile Anwendungen testen. *