Implement MobSF on Kali Linux for Dynamic and Static Security Testing

With the mobile application market exploding (currently 2.8m apps on the Google Play Store and 2.2m on the Apple store – not to mention Enterprise apps or apps not available on “Regular Markets”), Security Testing on mobile devices becomes critical to IT security for IOVIO and our customers.


A recent request from one of our customers required that we provide Security and Penetration Testing against their mission critical applications, including Mobile Applications for Android and iOS. IOVIO’s weapons of choice for this assignment are Kali Linux and MobSF (Mobile Security Framework), an automated security framework that allows application testing during run-time.


In this guide I’ll do my best to show you how to set up such an environment with minimum hassle.


So without further ado, let’s start by opening a console and installing python3-pip.

First, make sure you have the Java SDK installed.

Now let’s clone the MobSF repository and navigate to the main directory.


Configure Static Analyzer

Before running the server we need to create and activate a virtual environment and install the MobSF requirements.

As an optional step, install wkhtmltopdf first so that PDF reports can be generated.


Run MobSF Server

There is a very common error that occurs after running the server for the first time: “You have unapplied migrations; your project may not work properly.” To solve it, all you have to do is apply the pending migrations.

Now everything is ready to run: open your favorite browser and navigate to http://127.0.0.1:800, or to the IP address and port you configured.

You are now ready to load APKs or IPAs into the server and start performing Static Analysis of your apps.
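The install sequence the post walks through (python3-pip and the Java SDK, cloning MobSF, a virtual environment plus the requirements, the optional wkhtmltopdf, the pending migrations, then the server) collected into one script. This is an added example, not the post’s or the MobSF project’s own script; the repository URL, install directory, apt package names and the 127.0.0.1:8000 bind address are assumptions for a MobSF checkout that still ships requirements.txt and a Django manage.py.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the setup sequence the post
# describes, written for a MobSF checkout from the requirements.txt/manage.py
# era. Repo URL, install directory and bind address are assumptions.
set -u

MOBSF_REPO="${MOBSF_REPO:-https://github.com/MobSF/Mobile-Security-Framework-MobSF.git}"
MOBSF_DIR="${MOBSF_DIR:-$HOME/Mobile-Security-Framework-MobSF}"
MOBSF_BIND="${MOBSF_BIND:-127.0.0.1:8000}"   # loopback only; change if remote access is needed
SUDO=""; [ "$(id -u)" -eq 0 ] || SUDO="sudo"

# Return 0 when every named command is on PATH, 1 otherwise (listing what is missing).
check_prereqs() {
  local missing=0 cmd
  for cmd in "$@"; do
    command -v "$cmd" >/dev/null 2>&1 || { echo "missing prerequisite: $cmd" >&2; missing=1; }
  done
  return "$missing"
}

# Step 1: packages the post installs (python3-pip, Java SDK) plus the optional wkhtmltopdf.
install_system_packages() {
  $SUDO apt-get update
  $SUDO apt-get install -y python3-pip python3-venv default-jdk git wkhtmltopdf
}

# Step 2: clone MobSF, create and activate a virtual environment, install the requirements.
install_mobsf() {
  [ -d "$MOBSF_DIR" ] || git clone "$MOBSF_REPO" "$MOBSF_DIR"
  cd "$MOBSF_DIR" && python3 -m venv venv
  . venv/bin/activate
  pip install --upgrade pip && pip install -r requirements.txt
}

# Step 3: apply pending Django migrations (the "unapplied migrations" warning), then serve.
run_server() {
  cd "$MOBSF_DIR" && . venv/bin/activate
  python manage.py makemigrations && python manage.py migrate
  python manage.py runserver "$MOBSF_BIND"
}

main() {
  install_system_packages
  check_prereqs python3 pip3 java git || exit 1
  install_mobsf && run_server
}

# The full setup only runs when asked for, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `bash mobsf-setup.sh --run`, then point the browser at the address in MOBSF_BIND.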

In the following article I will show you how to configure MobSF to communicate with an Android emulator and start executing dynamic tests.

Don’t forget to visit the project page to discover more about MobSF.

If you are interested in security testing services, have any questions, comments, tips or tricks, or even if you want to share some of your own approaches, then reach out.

4 comments

  1. Hi, I installed MobSF successfully as per the above directions. But, when I try to upload the apk file, it is throwing an error message ‘APK file is invalid or corrupt’. I am sure that the apk is a valid one.

    Please suggest.

  2. Hello Sundram, Antonio here. Please send me (antonio.olvera@outlook.com) your installation log and double check that all the prerequisites are met; that could be a problem with APKID. Also let me know which distro you are using.

  3. Hi, I installed MobSF successfully. But when I try to do static analysis of the uploaded apk file, it is throwing an error message “internal error : 34”. The detailed error message is as follows:
    File “/root/Mobile-Security-Framework-MobSF/venv/lib/python3.6/site-packages/apkid/apkid.py”, line 120, in scan_file
    matches: List[yara.Matches] = self.rules.match(data=f.read(), timeout=self.options.timeout)
    yara.Error: internal error: 34

  4. Hi, I installed MobSF successfully in Kali Linux installed on VirtualBox. But when I try to do static analysis, it is throwing an error message “Internal error 34”.

    Please suggest what to do.
