With the advent of smartphones since 2010, Android has grown substantially as the operating system of choice for smartphones after iOS, so much so that statistics show Android has a worldwide market coverage of 86.6%. Android is built on top of the Linux kernel, and its main contributor and commercial marketer is Google. Just as Windows uses .exe files for its executables, Android applications come in the .apk format.
With Android capturing the attention of consumer media, it has also grabbed the attention of the cyber security world. Issues such as untrusted APKs, phishing via SMS or e-mail, and spying have boomed so much that it has become very difficult for security researchers to identify what exactly an APK is meant to do.
Thankfully, security researchers such as Ajin Abraham came up with the idea of a toolkit that can perform static as well as dynamic analysis of APKs, and created Mobile Security Framework (MobSF). MobSF is an open source mobile application security assessment framework that can perform static analysis, dynamic analysis, and malware analysis. For our case, we are going to look at its static analysis capabilities. Interestingly, it is suggested as an all-in-one mobile security framework in the OWASP Mobile Security Testing Guide. It can be used to analyse Android, iOS and Windows mobile applications. MobSF is designed to make integration into your CI/CD or DevSecOps pipeline seamless. It has an interactive graphical UI running as a web service, which consists of a dashboard, detailed analysis results, its documentation site, an integrated emulator and an API that allows users to trigger the analysis automatically. It is hosted in a local environment, which means that sensitive data never leaves our controlled environment.
For this blog, I picked the following environments:
· Kali Linux 2020.1: I removed the non-root user; hence my Kali is running as the root user. If you are running Kali, or any other flavour of Linux, with a non-root user, all you need to do is use ‘sudo’
· Docker image of Mobile Security Framework available on https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/
· Wkhtmltopdf: For generating PDF reports
To install Docker, one must perform the following steps in a terminal:
1. Add Docker PGP key:
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
2. Configure Docker APT repository:
echo 'deb [arch=amd64] https://download.docker.com/linux/debian buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
3. Update APT:
4. Install docker:
apt install docker-ce
Next, download the MobSF Docker image from https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/ with the following command:
docker pull opensecurity/mobile-security-framework-mobsf
Once you issue the command, you would notice the following output on your console:
This signifies that the docker image for MobSF is being downloaded. Once completed, the following message will appear:
Now that the docker image is downloaded, the image can be run with the following command:
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf
Once done, you will see the message “Listening at: http://0.0.0.0:8000”. This is the URL from which MobSF can be accessed.
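The `-p 8000:8000` mapping in the run command publishes the MobSF web UI on every network interface of the host. To keep it reachable from the local machine only, the port can be published on loopback instead. The following is an added example, not part of the original post or of MobSF: it shows that variant and a check over `docker port` output, and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The function names are
# hypothetical; the input layout is what `docker port <container>` prints.

# Start MobSF with the web UI published on the loopback interface only.
# `-p 8000:8000` publishes on all host interfaces; prefixing the host
# address restricts the listener to this machine.
run_mobsf_local() {
    docker run -it -p 127.0.0.1:8000:8000 \
        opensecurity/mobile-security-framework-mobsf
}

# Read `docker port` lines on stdin, e.g. "8000/tcp -> 0.0.0.0:8000".
# Print every binding whose host address is not loopback.
# Exit status: 0 = all bindings loopback-only, 1 = at least one exposed.
exposed_bindings() {
    awk '
        NF >= 3 && $2 == "->" {
            host = $3
            sub(/:[0-9]+$/, "", host)     # drop the trailing :port
            gsub(/^\[|\]$/, "", host)     # unwrap a bracketed IPv6 address
            if (host ~ /^127\./ || host == "::1") next
            print $0
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Check a running container by name or ID (needs a Docker daemon).
check_container() {
    docker port "$1" | exposed_bindings
}
```

With the container running, `check_container <container-id>` prints nothing and returns 0 when the UI is bound to loopback only.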
Our MobSF framework is now ready for us to conduct static analysis of APK files. For our testing, we take Facebook Lite’s APK file.
Once you upload the APK file, you will notice the following output being printed on the terminal:
Once the analysis is complete, the browser will show assessment details, such as application description, Android permission analysis, code analysis, CVSS grading, malware analysis, etc.
You will also notice a brief overview of the application you have reviewed.