Mobile Security Framework (MobSF) v3.7.6 Releases

Mobile Security Framework

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android, iOS and Windows Mobile Applications and supports both binaries (APK, IPA & APPX) and zipped source code. MobSF can also perform Web API Security testing with its API Fuzzer, which can do Information Gathering, analyze Security Headers, and identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.


Static Analysis – Android APK


Static Analysis – iOS IPA


Static Analysis – Windows APPX


Dynamic Analysis – Android APK


Web API Fuzzer


Changelog v3.7.6

  • Features or Enhancements
    • Docker base image update to Ubuntu 22.04
    • Dockerfile QA
    • Migrated from Pip to Poetry for dependency management
    • Migrate from to use poetry for build and publish
    • Python 3.11 support
    • Docker ADB connection improvements (host.docker.internal translation for localhost)
    • iOS Swift Rules Updates
      • ios_biometric_bool
      • ios_biometric_acl
      • ios_keychain_weak_acl_device_passcode
      • ios_keychain_weak_accessibility_value
      • ios_insecure_random_no_generator
      • ios_biometry_hardened
    • Android SCA rules update
    • Entropies scan support for strings
    • Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base
    • Tox QA
    • Added poetry build test
    • Updated mobsf PyPI publishing workflow
    • Update local DBs
    • URLs/Email extraction refactor
    • Static and Dynamic Binary Analysis QA
    • Refactor Dex permissions
    • Refactor Androguard apk.APK() usage
    • Fallback certificate analysis using apksigtool
    • Use BeautifulSoup4 to prettify malformed XML
    • Detect non-standard XML namespace in AndroidManifest.xml, Fixes: #2198
    • Updated Android permissions list
    • Updated Android permission update check script
    • GitHub Actions version update
    • Apktool bump
    • Bump httptools
    • Bump yara-python-dex
    • Docker image build test for PRs
    • iOS Source Report Fix
    • Removed unwanted pinned repository
    • Frida APK Patcher (WIP)
    • Fix for Recent Scans scan not completed for iOS zip
    • Fix for MachO stripped symbols false positive
    • Fix bug in IPA download
    • iOS/Android form validation fix
    • Fix missing exported components
  • Enterprise Feature Request
    • String extraction from APK, Source, AAR, JAR, SO.
    • Android strings sections to show source of strings extracted
    • Strings extraction refactor
    • Support for independent .so scan
    • Dylib analysis support
    • Dylib string extraction
    • Improved iOS Plist secret extraction
    • Support for Independent .dylib scan
    • Symbols view for dylib and so
    • Trackers support for so
    • AAR/JAR obfuscation and debug check
    • Independent Static Library(.a) ELF/MachO Analysis
    • Mac FAT binary only supported on Mac

Copyright (C) 2015 Ajin Abraham