Mobile Security Framework

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android, iOS and Windows Mobile Applications and supports both binaries (APK, IPA & APPX ) and zipped source code. MobSF can also perform Web API Security testing with it’s API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Screenshots

Static Analysis – Android APK

Static Analysis – iOS IPA

Static Analysis – Windows APPX

Dynamic Analysis – Android APK

Web API Fuzzer

Changelog v3.1.1

• Features or Enhancements
  • Added Support for Android Network Security Config Analysis
  • Replace SAST core with libsast
  • Support for line numbers in source code
  • Replaced Code Viewer with EnlighterJS
  • Kotlin source scan support
  • Improved Certificate Analysis
  • Genymotion Cloud Support
  • Support Android Emulator AVD x86, ARM, ARM64
  • Verify Dynamic Analysis APK Installation
  • Dynamic Analysis: Support APK with test package requirements
  • Automatic MobSFy on Frida binary update
  • Expose App result compare REST API and Update REST API Docs
  • Clean up MobSF proxy on exit
  • IPA Binary Regex QA
  • Optimize Root Checking Frida Script
  • Environment Checks to see if API Level is supported and /system is writable
  • Prebuilt dex enabled yara-python and improved setup, tox, tests
  • Added Chinese documentation
  • Reduce Docker image size
  • Improved Postgresql Docker Support
  • Android Dynamic Analysis QA
  • Update Dependencies
• Bug Fixes
  • Android Rule Fixes
  • Fixed API Monitor which was broken from Frida 12.8.19
  • Fixed iOS ATS bug
  • Fix Black PDF background issue
  • LGTM Scan Code QA
• Security
  • Fixed Regex DoS in Email Extraction
  • Fixed insecure Default Bind to 0.0.0.0

Download & Tutorial

Copyright (C) 2015 Ajin Abraham