Mobile Security Framework

MobSF is an open-source framework used for automating mobile application security testing for Android and iOS. It helps security researchers automate both static and dynamic analysis of applications. This tool is designed to scan applications for misconfigurations based on a predefined dataset. MobSF integrates various open-source tools like APKTool, Frida, APKiD, SSLScanner, iNalyzer, JaDx and other application security penetration testing tools .

How MobSF Helps Security Researcher
MobSF helps pentesters quickly get an overview of an application and check for common vulnerabilities, allowing them to cross off known misconfigurations from their checklist. This speeds up the testing process, enabling security researchers to move on to other methodologies for a more in-depth assessment of the application.

Static Analysis
While performing static analysis, the objective is to thoroughly analyze the appʼs source code, its components, the packages used, and the libraries integrated. This helps in understanding the overall structure of the APK to uncover information such as : -
•    Exported components
•    Weak cryptographic implementations      
•    Improper use of permissions
•    API keys, tokens, and credentials      
•    Secret keys, if present
•    Sensitive files in the appʼs local directory      
•    User input sanitization issues
•    Malicious code blocks, especially those heavily obfuscated      
•    URLs
•    Endpoint URLs, etc.
 

Dynamic Analysis
In the dynamic testing phase, we leverage the information gathered during
static analysis to exploit potential vulnerabilities and observe the application's runtime behavior. This includes monitoring logs, API calls, caches, and network traffic. Additionally, we attempt to manipulate the applicationʼs behavior by injecting scripts and hooking into sensitive classes or methods to test for
instability and possible data leaks caused by code injection. The overall objective during this phase is to uncover:
•    App behavior under different conditions, such as running on a rooted device.
•    Intercepting network traffic to detect insecure transmissions, manipulate request parameters, and test endpoint security.
•     Monitoring API calls for improper implementation and data leakage.       
•    Analyzing application logs for sensitive information exposure.
•    Assessing cryptographic robustness to identify weak encryption mechanisms.
•    Hooking into applications to manipulate execution flow.
•    Detecting anti-root, anti-debugging, and anti-Frida mechanisms, etc.
 

What type of information you can expect from MobSF ?
MobSF checks and provides insights into all sections of the application that could be vulnerable, offering information such as : -   

•    Basic APK Information – File hashes, package name, version code, version.
•    Play Store Description & Certificate Analysis – Fetches metadata and verifies certificate security.
•    Application Components & APIs Used – Identifies total and exported components, API calls, and potential risks.
•    Source Code & Manifest Analysis – Decompiles APK to review security configurations.
•    Permissions Categorization – Groups permissions into Dangerous, Normal, High, and Info categories.
•    Manifest File Analysis – Checks for misconfigurations, exported components, and intent filters.
•    Code Analysis – Reviews the binary code for vulnerabilities, obfuscation, and security weaknesses.
•    Hardcoded Secrets & Credentials – Detects API keys, tokens, keys, and sensitive information in Strings.xml.
•    Domain & Firebase Security Checks – Identifies URLs present in the app and checks for misconfigured Firebase instances.
•    Email & Sensitive Data Exposure – Extracts emails and other identifiable data.
•    Malware Analysis – Scans for known malicious patterns, suspicious behaviors, and embedded threats.
•    Application Components Overview – Lists Activities, Services, Broadcast Receivers, and Content Providers.
•    SBOM (Software Bill of Materials) – Lists dependencies and third-party libraries for supply chain security.
•    Network Security – Analyzes API endpoints, insecure HTTP usage, and certificate pinning status.
•    WebView Security – Checks for improper WebView implementation that may lead to attacks like JavaScript injection.
•    Dynamic Analysis – Intercepts API requests, monitors runtime behavior, and detects network-based vulnerabilities.
•    Anti-Analysis Features – Identifies anti-root, anti-debugging, anti-Frida, and anti-tampering mechanisms. 

How to use MobSF ?
To use MobSF, you can either access it online at https://mobsf.live/ or set it up locally on your machine. To get started, the website is fine, hereʼs what the
interface looks like :

Upload your APK here. However, one downside is the speed, which can be quite slow due to high server traffic. As a result, decomplication and report generation may take some time.

 
Setting MobSF with Docker in Windows
Running MobSF locally using docker , makes life some much easier. Install
Docker Desktop on you System then open the terminal and execute the command below, this will install MobSF into a container .
PS : In windows make sure that you Docker Desktop is running .Then Execute it.
   docker  pull  opensecurity/mobile-security-framework-mobsf:latest

After successful installation .

Then run this .

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-m

This will run MobSF locally on your system which you will be able to access with 127.0.0.1:8000

Access it on your browser →  127.0.0.1:8000
 
But this is only for performing Static Analysis , as no emulator is attach to the server for performing Dynamic Analysis to do so we need to attach the emulator to MobSF .
We will be using GenyMotion as our emulator because their images have the /system partition world-writable which is must for setting up MobSF for dynamic analysis.
We will be using the same command as earlier but with a little modification and that will be defining our EMULATOR IDENTIFIER so that our MobSF can communicate with emulator.

The only new parameter here is

    -e MOBSF_ANALYZER_IDENTIFIER" < device identifer > "

The device identifier can be found with adb

 
After adding the device identifier to our docker command we can now perform dynamic analysis .

Our Dynamic Analyzer is working , successfully attached to our Android-10 emulator . Now we can perform analysis of the APP already installed in our device .

Hereʼs what the interface looks like

PS: Due to various issues with Genymotion on Windows, analysis can be laggy. However, Genymotion performs much better on Linux systems.
What else to expect ?
While MobSF automates security testing, it may sometimes generate false positives—flagging issues that are not actual security threats. This can happen due to static code analysis limitations, where certain vulnerabilities are detected based on predefined patterns without considering the application's runtime context.
On the other hand, true positives—genuine security flaws—are also detected, but their impact and exploitability often require further validation. Manual testing is essential to confirm vulnerabilities, eliminate false positives, and assess real-world attack feasibility. Combining automated scanning with manual testing ensures a more accurate and reliable security assessment.

The rest is for you to explore! 

Conclusion
To conclude , you can perform static and dynamic analysis scanning and analyzing the mobile applications, uncovering vulnerabilities that could be exploited by attackers.
Through static analysis, one can extract sensitive information such as API keys, cryptographic weaknesses, and exported components, while dynamic analysis allows for runtime monitoring, API interception, and code injection to test the app's resilience against attacks.