
Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.


Top Related Projects

owasp-mastg: The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

QARK: Tool to look for several security related Android application vulnerabilities

RMS-Runtime-Mobile-Security: Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime

Quick Overview

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. It supports both binary and source code scanning, making it a versatile tool for mobile app security testing.

Pros

  • Comprehensive analysis: Covers static and dynamic analysis for Android, iOS, and Windows mobile applications
  • Easy to use: Provides a user-friendly web interface for performing security assessments
  • Extensive reporting: Generates detailed PDF and JSON reports with security findings
  • Active development: Regularly updated with new features and security checks

Cons

  • Resource-intensive: Can be demanding on system resources, especially for large applications
  • Limited scalability: Not designed for high-volume or enterprise-level scanning
  • Learning curve: Advanced features may require some technical expertise to fully utilize
  • False positives: Like many automated tools, it may occasionally report false positives

Getting Started

To get started with MobSF:

  1. Install Docker on your system
  2. Pull and start MobSF:
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
  3. Open your web browser, navigate to http://localhost:8000 and log in (MobSF 4.x ships with the default credentials mobsf/mobsf; set MOBSF_USERNAME and MOBSF_PASSWORD in the container environment to change them)
  4. Upload your mobile application (APK, IPA, or APPX file) for analysis
  5. Review the generated report for security findings and recommendations

Note that -p 8000:8000 publishes the port on every interface of the host. The analysis server is not designed to face untrusted networks, so bind it to loopback (-p 127.0.0.1:8000:8000) unless you deliberately expose it, and treat the uploaded apps and the REST API key that MobSF prints at startup as sensitive.
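The same steps can be driven without the browser, which is how MobSF fits into a CI job (the README below notes its REST API). The following script is an added example written for this page, not MobSF's own client code: it uploads an app, starts a scan and fails the build on the scorecard. It assumes a running instance at MOBSF_URL, the API key from the server's startup output in MOBSF_API_KEY, the v4 endpoints /api/v1/upload, /api/v1/scan and /api/v1/scorecard authenticated with an Authorization header, and a scorecard response carrying security_score plus high and warning lists; check /api_docs on your instance if a field differs. The embedded SAMPLE_SCORECARD is constructed for a dry run of the gating logic.

```python
"""CI gate for MobSF: upload an app, scan it, fail the build on the scorecard (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

# Assumed environment: a running MobSF and the REST API key it prints at startup.
MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000").rstrip("/")
API_KEY = os.environ.get("MOBSF_API_KEY", "")


def encode_multipart(field, filename, data):
    """Hand-rolled multipart/form-data body so the script needs only the standard library."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def api(path, body, content_type):
    """POST to the MobSF REST API; every endpoint authenticates with the Authorization header."""
    req = urllib.request.Request(MOBSF_URL + path, data=body, method="POST")
    req.add_header("Authorization", API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:  # static scans can take minutes
        return json.loads(resp.read())


def form(fields):
    return urllib.parse.urlencode(fields).encode(), "application/x-www-form-urlencoded"


def upload(path):
    with open(path, "rb") as fh:
        body, ctype = encode_multipart("file", os.path.basename(path), fh.read())
    return api("/api/v1/upload", body, ctype)  # response carries hash, scan_type, file_name


def scan(upload_resp):
    # v4 keys the scan on the hash; older releases also expected scan_type and file_name,
    # so pass along whatever the upload response returned.
    keys = ("hash", "scan_type", "file_name")
    return api("/api/v1/scan", *form({k: upload_resp[k] for k in keys if k in upload_resp}))


def scorecard(file_hash):
    return api("/api/v1/scorecard", *form({"hash": file_hash}))


def gate(card, min_score=50, max_high=0):
    """Pass/fail decision on a scorecard dict (assumed keys: security_score, high, warning).
    Returns (passed, one-line summary) so the caller can log it and set the exit code."""
    score = int(card.get("security_score", 0))
    high = card.get("high", [])
    warning = card.get("warning", [])
    passed = score >= min_score and len(high) <= max_high
    verdict = "PASS" if passed else "FAIL"
    return passed, f"score={score} high={len(high)} warning={len(warning)} -> {verdict}"


# Constructed sample of a scorecard response for a dry run; not the output of a real scan.
SAMPLE_SCORECARD = {
    "security_score": 42,
    "high": [{"title": "Application is debuggable", "section": "manifest"}],
    "warning": [{"title": "Application data can be backed up", "section": "manifest"},
                {"title": "Root detection not implemented", "section": "code"}],
    "info": [],
}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mobsf_gate.py <app.apk|app.ipa|app.appx>")
    up = upload(sys.argv[1])
    scan(up)
    ok, summary = gate(scorecard(up["hash"]))
    print(summary)
    sys.exit(0 if ok else 1)
```

Run it as `MOBSF_API_KEY=... python mobsf_gate.py app.apk` from the pipeline; a non-zero exit blocks the merge. The thresholds in gate() are deliberately simple; a real pipeline usually also diffs the high list against an accepted-risk baseline so that known findings do not block every build.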

For more detailed instructions and advanced usage, refer to the official documentation on the GitHub repository.

Competitor Comparisons

owasp-mastg: The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

Pros of owasp-mastg

  • Comprehensive guide covering mobile app security testing and reverse engineering
  • Regularly updated with community contributions and industry best practices
  • Provides detailed explanations and step-by-step instructions for various security testing techniques

Cons of owasp-mastg

  • Primarily a documentation project, not an automated tool like Mobile-Security-Framework-MobSF
  • Requires manual effort to implement the described techniques and methodologies
  • May have a steeper learning curve for beginners compared to automated solutions

Code Comparison

While owasp-mastg is primarily a documentation project, it does include code snippets and examples. Mobile-Security-Framework-MobSF, on the other hand, is a full-fledged tool with its own codebase. Here's a brief comparison of how they might approach a similar task:

owasp-mastg (example of checking for root detection):

// Each helper is one MASTG-style indicator: Build.TAGS containing "test-keys",
// an su binary at a known path such as /system/xbin/su, or "su" succeeding via Runtime.exec
public static boolean isDeviceRooted() {
    return checkRootMethod1() || checkRootMethod2() || checkRootMethod3();
}

Mobile-Security-Framework-MobSF (illustrative sketch in its style; MobSF does not probe a device for root this way. Its static analyzer flags root-detection logic found in the app's code, and its dynamic analyzer ships a Frida script to bypass such checks on the rooted test device):

def check_root(self):
    root_indicators = ['su', 'busybox', 'supersu', 'Superuser.apk', 'KingoUser.apk']
    for indicator in root_indicators:
        if self.file_exists(indicator):
            return True
    return False

Both projects aim to improve mobile app security, but they take different approaches. owasp-mastg provides comprehensive guidance, while Mobile-Security-Framework-MobSF offers an automated testing framework.

QARK: Tool to look for several security related Android application vulnerabilities

Pros of QARK

  • Focused specifically on Android app security analysis
  • Provides detailed explanations of identified vulnerabilities
  • Offers suggestions for fixing security issues

Cons of QARK

  • Less actively maintained compared to MobSF
  • Limited to Android platform only
  • Fewer features and less comprehensive analysis than MobSF

Code Comparison

QARK example (Python):

import os

def find_manifest(self):
    # os.walk is top-down, so the first match is the shallowest manifest,
    # i.e. the application's own rather than one bundled inside a library
    for (dir_path, dir_names, file_names) in os.walk(self.apk_directory):
        if 'AndroidManifest.xml' in file_names:
            return os.path.join(dir_path, 'AndroidManifest.xml')
    return None

MobSF example (Python):

import logging

logger = logging.getLogger(__name__)

# get_apk_manifest and get_studio_manifest are MobSF helpers defined elsewhere:
# the first extracts and decodes the binary manifest from an APK, the second
# reads the plain-text manifest of an Android Studio source tree.
def get_manifest(app_dir, app_path, tools_dir, typ):
    """Get AndroidManifest.xml."""
    try:
        manifest = None
        if typ == 'apk':
            manifest = get_apk_manifest(app_path, app_dir, tools_dir)
        elif typ == 'studio':
            manifest = get_studio_manifest(app_dir)
        return manifest
    except Exception:
        logger.exception('Getting Manifest file')

Both projects aim to analyze mobile app security, but QARK focuses solely on Android while MobSF supports multiple platforms. MobSF offers a more comprehensive set of features and is more actively maintained. QARK provides more detailed explanations of vulnerabilities and suggestions for fixes, which can be beneficial for developers. The code examples show similar approaches to finding the AndroidManifest.xml file, with MobSF's implementation being more modular and handling different app types.
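Both snippets only locate the manifest; the security value lies in what is checked once it is found. The following is an added example written for this page, not code from MobSF or QARK: a small analyzer in the vein of MobSF's manifest analysis, run over a constructed decoded manifest. It flags android:debuggable, backup left enabled, and components reachable by other apps without an android:permission, applying the platform rule that a component declaring an intent-filter is exported by default when android:exported is absent. The severity labels and the launcher-activity exemption are this example's own choices.

```python
"""Manifest checks of the kind MobSF's manifest analysis performs, run on a constructed sample (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample of a decoded manifest (what apktool or jadx emits); not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="true"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>
"""


def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el):
    """Platform rule: an explicit android:exported wins; without it, a component that declares an
    intent-filter is exported by default (the case API 31 forced developers to make explicit)."""
    explicit = attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def is_launcher(el):
    """The MAIN/LAUNCHER activity has to be exported, so it is not reported."""
    return any(
        attr(action, "name") == "android.intent.action.MAIN"
        for f in el.findall("intent-filter")
        for action in f.findall("action")
    )


def analyze_manifest(xml_text):
    """Return a list of findings; the severities are this example's own choices."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if (attr(app, "debuggable") or "false").lower() == "true":
        findings.append({"severity": "high", "component": "application",
                         "issue": "android:debuggable=true"})
    # allowBackup defaults to true, so a missing attribute is the same as enabling it
    if (attr(app, "allowBackup") or "true").lower() == "true":
        findings.append({"severity": "warning", "component": "application",
                         "issue": "android:allowBackup not disabled"})
    for tag in COMPONENTS:
        for el in app.iter(tag):
            if not is_exported(el) or attr(el, "permission") or is_launcher(el):
                continue
            how = "explicit" if attr(el, "exported") is not None else "implicit via intent-filter"
            findings.append({
                # an unprotected provider hands out data directly, so it is rated higher
                "severity": "high" if tag == "provider" else "warning",
                "component": attr(el, "name"),
                "issue": f"{tag} exported without android:permission ({how})",
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{finding['severity']}] {finding['component']}: {finding['issue']}")
```

On the sample this reports four findings: the debuggable flag, backup enabled, the deep-link activity that is exported only implicitly through its intent-filter, and the unprotected content provider; the launcher activity, the permission-gated service and the non-exported receiver are correctly left alone. Feed it the manifest that find_manifest or get_manifest above returns to run it on a real unpacked APK.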

RMS-Runtime-Mobile-Security: Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime

Pros of RMS-Runtime-Mobile-Security

  • Focuses on runtime analysis, allowing real-time inspection of app behavior
  • Provides a web interface for easy interaction and monitoring
  • Supports both Android and iOS platforms

Cons of RMS-Runtime-Mobile-Security

  • Less comprehensive static analysis capabilities compared to MobSF
  • Smaller community and fewer updates
  • Limited documentation and support resources

Code Comparison

MobSF (Python, simplified sketch of the static-analysis flow rather than code from the repository):

def scan_file(self, file_path):
    # Perform static analysis
    results = self.static_analyzer.analyze(file_path)
    # Generate report
    return self.report_generator.create(results)

RMS-Runtime-Mobile-Security (JavaScript):

// Frida script of the kind RMS loads: replace a Java method's implementation with a logging wrapper
function hookMethod(className, methodName) {
    Java.perform(() => {
        const targetClass = Java.use(className);
        // For an overloaded method select one first, e.g. targetClass[methodName].overload('java.lang.String'),
        // or loop over targetClass[methodName].overloads; assigning .implementation without choosing throws.
        targetClass[methodName].implementation = function () {
            // Log the call; inside the hook, this.<method> invokes the original implementation
            console.log(`${className}.${methodName} called with ${arguments.length} argument(s)`);
            return this[methodName](...arguments);
        };
    });
}

The code snippets highlight the different approaches:

  • MobSF focuses on static analysis and report generation
  • RMS-Runtime-Mobile-Security emphasizes runtime method hooking and monitoring

Both tools serve different purposes in mobile app security testing, with MobSF offering a more comprehensive static analysis solution and RMS-Runtime-Mobile-Security providing real-time runtime analysis capabilities.


README

Mobile Security Framework (MobSF)

Version: v4.0

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.

Made with Love in India

Awards: ToolsWatch Best Security Tools 2016 and 2017; Black Hat Arsenal Asia 2015 and 2018; Black Hat Arsenal Europe 2023.

MobSF is also bundled with Android Tamer, BlackArch and Pentoo.

Support MobSF

Donate to MobSF

If you liked MobSF and find it useful, please consider donating.

It's easy to build open source, maintaining one is a different story. Long live open source!

Documentation

Quick setup

docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

See the MobSF Documentation (also available in Chinese, Japanese and Español).

Collaborators

Ajin Abraham (India) | Magaofei (China) | Matan Dobrushin (Israel) | Vincent Nadal (France)

e-Learning Courses & Certifications

  • MobSF Course: Automated Mobile Application Security Assessment with MobSF (MAS)
  • Android Security Tools Course: Android Security Tools Expert (ATX)

MobSF Support

  • Free Support: limited free support, questions, help and discussions in the MobSF Slack channel
  • Enterprise Support: priority feature requests, live support and onsite training; see MobSF Support Packages

Contribution, Feature Requests & Bugs

  • Read CONTRIBUTING.md before opening bugs, feature requests and pull requests.
  • For project updates and announcements, follow @ajinabraham or @OpenSecurity_IN.
  • GitHub Issues are only for tracking bugs and feature requests. Do not post support or help queries there; use the Slack channel for those.

Static Analysis - Android

[Screenshot: Android static analysis]

Static Analysis - iOS

[Screenshot: iOS IPA static analysis]

Dynamic Analysis - Android APK

[Screenshot: Android dynamic analysis]

Web API Viewer

[Screenshot: Web API viewer, fuzzing with Burp]

Dynamic Analysis - iOS IPA

[Screenshot: iOS dynamic analysis]

Past Collaborators

Honorable Contributors

  • Amrutha VC - For the new MobSF logo
  • Dominik Schlecht - For the awesome work on adding Windows Phone App Static Analysis to MobSF
  • Esteban - Better Android Manifest Analysis and Static Analysis Improvement.
  • Matan Dobrushin - For adding Android ARM Emulator support to MobSF - Special thanks also to cuckoo-droid
  • Shuxin - Android Binary Analysis
  • Abhinav Saxena - (@xandfury) - For Travis CI and Logging integration
  • netguru Netguru (@karolpiateknet, @mtbrzeski) - For iOS Swift support, Rule contributions and SAST refactoring.
  • Maxime Fawe - (@Arenash13) - For Matching Strategy implementation of SAST pattern matching algorithms.

Shoutouts

  • Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs, feature requests, and UI & UX suggestions
  • Anant Srivastava (@anantshri) - For Activity Tester Idea
  • Anto Joseph (@antojoseph) - For the help with SuperSU
  • Bharadwaj Machiraju (@tunnelshade) - For writing pyWebProxy from scratch
  • Rahul (@c0dist) - Kali Support
  • MindMac - For writing Android Blue Pill
  • Oscar Alfonso Diaz - (@OscarAkaElvis) - For Dockerfile contributions
  • Thomas Abraham - For JS Hacks on UI
  • Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset
  • Shanil Prasad (@Rajuraju14) - For improving iOS ATS Analysis
  • Jovan Petrovic (@JovanPetrovic) - For sponsoring a server to host mobsf.live