Mobile Security Framework (MobSF)

Overview

Version: v3.5 beta

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.

Made with Love in India

ToolsWatch Best Security Tools 2016 | ToolsWatch Best Security Tools 2017 | Blackhat Arsenal Asia 2015 | Blackhat Arsenal Asia 2018

MobSF is also bundled with Android Tamer, BlackArch and Pentoo.

Support MobSF

Donate to MobSF

If you liked MobSF and find it useful, please consider donating.

It's easy to build open source, try maintaining a project once. Long live open source!

Documentation

  • See MobSF Documentation
  • See MobSF Documentation in Chinese
  • See MobSF Documentation in Japanese
  • See MobSF Documentation in Spanish

Collaborators

Ajin Abraham (India) | Magaofei (China) | Matan Dobrushin (Israel) | Vincent Nadal (France)

e-Learning Courses & Certifications

MobSF Course: Automated Mobile Application Security Assessment with MobSF - MAS

Android Security Tools Course: Android Security Tools Expert - ATX

MobSF Support

  • Free Support: Free limited support, questions, help and discussions; join our Slack channel.
  • Enterprise Support: Priority feature requests, live support & onsite training, see MobSF Support Packages

Contribution, Feature Requests & Bugs

  • Read CONTRIBUTING.md before opening bugs, feature requests and pull requests.
  • For project updates and announcements, follow @ajinabraham or @OpenSecurity_IN.
  • GitHub Issues are only for tracking bugs and feature requests. Do not post support or help queries there. We have a Slack channel for that.

Launching MobSF Rewards

Contributed to MobSF? Here is a big thank you from our community to you. Claim your badge, a soulbound NFT, and showcase them with pride. Let us inspire more folks!

[Screenshots: Static Analysis - Android; Static Analysis - Android Source Tree-view; Static Analysis - iOS; Dynamic Analysis - Android APK; Web API Viewer]

Past Collaborators

Honorable Contributors

  • Amrutha VC - For the new MobSF logo
  • Dominik Schlecht - For the awesome work on adding Windows Phone App Static Analysis to MobSF
  • Esteban - Better Android Manifest Analysis and Static Analysis Improvement.
  • Matan Dobrushin - For adding Android ARM Emulator support to MobSF - Special thanks goes for cuckoo-droid
  • Shuxin - Android Binary Analysis
  • Abhinav Saxena - (@xandfury) - For Travis CI and Logging integration
  • Netguru (@karolpiateknet, @mtbrzeski) - For iOS Swift support, Rule contributions and SAST refactoring.
  • Maxime Fawe - (@Arenash13) - For Matching Strategy implementation of SAST pattern matching algorithms.

Shoutouts

  • Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs, feature requests, and UI & UX suggestions
  • Anant Srivastava (@anantshri) - For Activity Tester Idea
  • Anto Joseph (@antojoseph) - For the help with SuperSU
  • Bharadwaj Machiraju (@tunnelshade) - For writing pyWebProxy from scratch
  • Rahul (@c0dist) - Kali Support
  • MindMac - For writing Android Blue Pill
  • Oscar Alfonso Diaz - (@OscarAkaElvis) - For Dockerfile contributions
  • Thomas Abraham - For JS Hacks on UI
  • Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset
  • Shanil Prasad (@Rajuraju14) - For improving iOS ATS Analysis
  • Jovan Petrovic (@JovanPetrovic) - For sponsoring a server to host mobsf.live
Comments
  • Dynamic analysis report error.

    I am getting the following error while generating the Dynamic analysis report: Don't Play Around. An Error just popped in!

    Console says:

    [INFO] Waiting for TAR dump to complete...
    [ERROR] TAR Generation Failed. Process timed out.
    [INFO] Dumping Application Files from Device/VM
    remote object '/data/local/com.myapp.custom.tar' does not exist
    [INFO] Stopping ADB
    [06/May/2016 15:11:17]"POST /DumpData/ HTTP/1.1" 200 15
    [INFO] Dynamic Analysis Report Generation
    [INFO] Dynamic API Analysis
    [2016-05-06 15:11:17] [ERROR] Dynamic API Analysis (C:\Users\origami\Downloads\MobSF\DynamicAnalyzer\views.py, LINE 681 "with open(LOCATION,"r") as f:"): [Errno 2] No such file or directory: u'C:\Users\origami\Downloads\MobSF\uploads/c3df704d723c5ae7a1a64bf58b843a5a/x_logcat.txt'
    [INFO] Dynamic File Analysis
    [2016-05-06 15:11:17] [ERROR] Dynamic Analysis Report Generation (C:\Users\origami\Downloads\MobSF\DynamicAnalyzer\views.py, LINE 483 "URL,DOMAINS,EMAIL,HTTP,XML,SQLiteDB,OtherFiles=RunAnalysis(APP_DIR,MD5,PKG)"): [Errno 2] No such file or directory: u'C:\Users\origami\Downloads\MobSF\uploads/c3df704d723c5ae7a1a64bf58b843a5a/x_logcat.txt'
    [06/May/2016 15:11:17]"GET /Report/?md5=c3df704d723c5ae7a1a64bf58b843a5a&pkg=com.myapp.custom HTTP/1.1" 302 0
    [06/May/2016 15:11:17]"GET /error/ HTTP/1.1" 200 4602
    [06/May/2016 15:11:17]"GET /static/bootstrap/css/bootstrap.min.css HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/css/ionicons.min.css HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/css/font-awesome.min.css HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/dash/css/AdminLTE.min.css HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/dash/css/skins/_all-skins.min.css HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/css/style.css HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/plugins/jQuery/jQuery-2.1.4.min.js HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/bootstrap/js/bootstrap.min.js HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/plugins/fastclick/fastclick.min.js HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/dash/js/app.min.js HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/plugins/slimScroll/jquery.slimscroll.min.js HTTP/1.1" 304 0
    [06/May/2016 15:11:17]"GET /static/js/docs.js HTTP/1.1" 304 0

    While starting manager.py:

    C:\Users\origami\Downloads\MobSF>python manage.py runserver

    Mobile Security Framework v0.9.2 Beta
    [INFO] Finding JDK Location in Windows....
    [INFO] Oracle JDK Identified. Looking for JDK 1.7 or above
    [INFO] Oracle Java (JDK >= 1.7) is installed!

    Mobile Security Framework v0.9.2 Beta
    [INFO] Finding JDK Location in Windows....
    [INFO] Oracle JDK Identified. Looking for JDK 1.7 or above
    [INFO] Oracle Java (JDK >= 1.7) is installed!
    Performing system checks...

    System check identified no issues (0 silenced).
    May 06, 2016 - 12:04:26
    Django version 1.8, using settings 'MobSF.settings'
    Starting development server at http://127.0.0.1:8000/

    investigating 
    opened by ideasfoundry 34
  • Source Treeview

    ! ONGOING PR !

    • Tested on Windows til now
    • Changed the Java view to the tree-view
    • Used jsTree library for the javascript tree-view (@ajinabraham - do we need to add their license?)
    • The whole data is generated within the HTML with a os.dir + template generator hack, big thanks to Elf Sternberg from this thread
    • For now the filename filtering is done in the client side, and the content search is done both in the client and server side (Query the find source view for all the files that match the query -> get all of the files and only "highlight" them in the client side - actually I search the whole paths with a hack in the client side, refer to the new search callback for the implementation...)
    opened by matandobr 32
  • internal error: 34

    When I upload an APK file in MobSF, Internal error:34 is seen. Results are not coming. Can you please help fix this issue?

    Steps to reproduce:

    1. In command prompt run "run.bat"
    2. Go to the localhost URL and upload the APK file
    3. Internal error:34 and in log files Internal Server Error: /StaticAnalyzer/ ERROR:django.request:Internal Server Error: /StaticAnalyzer/ will be seen.

    LOG FILE

    [INFO] 23/May/2019 21:44:29 - Mobile Security Framework v1.1.1 Beta
    REST API Key: 5c55a2cda130fbdc6815726fab3b7bdd68de3c82a6857d911b8bac1f0c4c8bff
    [INFO] 23/May/2019 21:44:29 - OS: Windows
    [INFO] 23/May/2019 21:44:29 - Platform: Windows-10-10.0.17763-SP0
    [INFO] 23/May/2019 21:44:29 - Finding JDK Location in Windows....
    [INFO] 23/May/2019 21:44:30 - Oracle Java JDK is installed!
    [WARNING] 23/May/2019 21:44:30 - Could not find VirtualBox path.
    [INFO] 23/May/2019 21:44:30 - MobSF Basic Environment Check
    [INFO] 23/May/2019 21:44:30 - Checking for Update.
    [INFO] 23/May/2019 21:44:31 - No updates available.
    [INFO] 23/May/2019 21:44:38 - MIME Type: application/vnd.android.package-archive FILE: exploiter.apk
    [INFO] 23/May/2019 21:44:38 - Performing Static Analysis of Android APK
    [INFO] 23/May/2019 21:44:38 - Starting Analysis on : Exploiter.apk
    [INFO] 23/May/2019 21:44:38 - Generating Hashes
    [INFO] 23/May/2019 21:44:38 - Unzipping
    [INFO] 23/May/2019 21:44:39 - Getting Hardcoded Certificates/Keystores
    [INFO] 23/May/2019 21:44:39 - APK Extracted
    [INFO] 23/May/2019 21:44:39 - Converting AXML to XML
    S: WARNING: Could not write to (C:\Users\kiruthiga.k.r\AppData\Local\apktool\framework), using C:\Users\KIRUTH~1.R\AppData\Local\Temp\ instead...
    S: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable
    [INFO] 23/May/2019 21:44:48 - Reading Android Manifest
    [INFO] 23/May/2019 21:44:48 - Parsing AndroidManifest.xml
    [INFO] 23/May/2019 21:44:48 - Fetching icon path
    [INFO] 23/May/2019 21:44:49 - Extracting Manifest Data
    [INFO] 23/May/2019 21:44:49 - Fetching Details from Play Store: opensecurity.exploiter
    [WARNING] 23/May/2019 21:44:49 - Unable to get app details. Invalid application ID: opensecurity.exploiter.
    404 Client Error: Not Found for url: https://play.google.com/store/apps/details?id=opensecurity.exploiter&hl=en&gl=us
    [INFO] 23/May/2019 21:44:49 - Manifest Analysis Started
    [INFO] 23/May/2019 21:44:49 - Static Android Binary Analysis Started
    [INFO] 23/May/2019 21:44:49 - Static Android Resource Analysis Started
    [INFO] 23/May/2019 21:44:49 - Reading Code Signing Certificate
    [INFO] 23/May/2019 21:44:50 - Running APKiD 2.0.2
    [ERROR] 23/May/2019 21:44:50 - internal error: 34
    [ERROR] 23/May/2019 21:44:50 - Internal Server Error: /StaticAnalyzer/
    ERROR:django.request:Internal Server Error: /StaticAnalyzer/

    opened by Kirthikmr 26
  • [ERROR] PDF Report Generation Error

    I am receiving the following error when I try to download the pdf version of the report.

    PDF Error: [ERROR] PDF Report Generation Error (/MobSF/Mobile-Security-Framework-MobSF-0.9.2/StaticAnalyzer/views.py, LINE 148 "pdf = pisa.pisaDocument(StringIO( "{0}".format(html.encode('utf-8'))), result, encoding='utf-8')"): global name 'pisa' is not defined

    Please assist me in fixing this error.

    Thanks in advance for your help!

    opened by TokenDev18 26
  • Static analysis using MobSF giving error

    EXPLANATION OF THE ISSUE

    Hello, I'm using the MobSF for static analysis. I have installed the MobSF requirements on a Windows 7 machine. I have followed the documentation on link "https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/1.-Documentation" for installation. While running the MobSF and uploading the apk file, I'm getting the error "'NoneType' object does not support item assignment".

    CONSOLE OUTPUT

    D:\Python36>python.exe d:\Mobile-Security-Framework-MobSF\manage.py runserver
    Performing system checks...

    Mobile Security Framework v1.0 Beta
    REST API Key: a79edbcec9aa119f30d2d2bc07e525bae83f9cd259e8bb5df91c6fdb87789a81
    OS: Windows
    Platform: Windows-7-6.1.7601-SP1
    [WARNING] Could not find VirtualBox path.
    [INFO] Checking for Update.
    [INFO] No updates available.
    System check identified no issues (0 silenced).
    May 11, 2018 - 11:14:38
    Django version 2.0.5, using settings 'MobSF.settings'
    Starting development server at http://127.0.0.1:8000/
    Quit the server with CTRL-BREAK.
    [11/May/2018 11:15:19] "GET / HTTP/1.1" 200 7723
    [INFO] MIME Type: application/vnd.android.package-archive FILE: Testapp.apk
    [INFO] Performing Static Analysis of Android APK
    [11/May/2018 11:15:31] "POST /upload/ HTTP/1.1" 200 134
    [INFO] Starting Analysis on : Testapp.apk
    [INFO] Generating Hashes
    [INFO] Unzipping
    [INFO] Getting Hardcoded Certificates/Keystores
    [INFO] APK Extracted
    [INFO] Converting AXML to XML
    [2018-05-11 11:15:42] [ERROR]Getting Manifest file (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\manifest_analysis.py, LINE 1304 "subprocess.check_output(args)"): [WinError 2] The system cannot find the file specified
    [2018-05-11 11:15:42] [ERROR] Reading Manifest file (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\manifest_analysis.py, LINE 1259 "if isFileExists(manifest):"): stat: path should be string, bytes, os.PathLike or integer, not NoneType
    [INFO] Parsing AndroidManifest.xml
    [2018-05-11 11:15:42] [ERROR] apktool failed to extract AndroidManifest.xml or parsing failed (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\manifest_analysis.py, LINE 28 "manifest = minidom.parseString(dat)"): a bytes-like object is required, not 'NoneType'
    [WARNING] Using Fake XML to continue the Analysis
    [INFO] Fetching icon path
    [INFO] Extracting Manifest Data
    [INFO] Manifest Analysis Started
    [INFO] Static Android Binary Analysis Started
    [INFO] Static Android Resourse Analysis Started
    [INFO] Reading Code Signing Certificate
    [2018-05-11 11:15:44] [ERROR] Reading Code Signing Certificate (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\cert_analysis.py, LINE 65 "dat = subprocess.check_output(args)"): [WinError 2] The system cannot find the file specified
    [INFO] DEX -> JAR
    [INFO] Using JAR converter - dex2jar
    [INFO] Converting d:\Mobile-Security-Framework-MobSF\uploads/56e9273f71f06d29ea6e98c45b77e890\classes.dex to JAR
    [INFO] Running JAVA path fix in Windows
    '"D:/Program Files/Java/jdk-10.0.1/binjava"' is not recognized as an internal or external command, operable program or batch file.
    [INFO] Converting d:\Mobile-Security-Framework-MobSF\uploads/56e9273f71f06d29ea6e98c45b77e890\classes2.dex to JAR
    [INFO] Running JAVA path fix in Windows
    '"D:/Program Files/Java/jdk-10.0.1/binjava"' is not recognized as an internal or external command, operable program or batch file.
    [INFO] DEX -> SMALI
    [INFO] Converting d:\Mobile-Security-Framework-MobSF\uploads/56e9273f71f06d29ea6e98c45b77e890\classes.dex to Smali Code
    [2018-05-11 11:15:44] [ERROR] Converting DEX to SMALI (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\converter.py, LINE 112 "subprocess.call(args)"): [WinError 2] The system cannot find the file specified
    [INFO] JAR -> JAVA
    [INFO] Static Android Code Analysis Started
    [INFO] Code Analysis Started on - d:\Mobile-Security-Framework-MobSF\uploads/56e9273f71f06d29ea6e98c45b77e890/java_source/
    [INFO] Performing Malware Check on extracted Domains
    [INFO] Finished Code Analysis, Email and URL Extraction
    [INFO] Generating Java and Smali Downloads
    [INFO] Generating Downloads
    [INFO] Zipping
    [INFO] Zipping
    [INFO] Extracting Strings from APK
    [INFO] Connecting to Database
    [INFO] Saving to Database
    [2018-05-11 11:15:45] [ERROR] Saving to DB (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 218 "CERT_INFO=cert_dic['cert_info'],"): 'NoneType' object is not subscriptable
    [2018-05-11 11:15:45] [ERROR] Rendering to Template (d:\Mobile-Security-Framework-MobSF\StaticAnalyzer\views\android\db_interaction.py, LINE 105 "'certinfo': cert_dic['cert_info'],"): 'NoneType' object is not subscriptable
    [ERROR] 'NoneType' object does not support item assignment
    [11/May/2018 11:15:45] "GET /StaticAnalyzer/?name=Testapp.apk&type=apk&checksum=56e9273f71f06d29ea6e98c45b77e890 HTTP/1.1" 500 4835

    Error message showing on the browser:

    Don't Play Around. An Error just popped in! Inappropriate argument type.

    'NoneType' object does not support item assignment

    opened by khushbukothari 25
  • [FEATURE] Reduce the size of docker image

    The docker image size of MobSF is more than 1.7GB. Can we decrease the size of the image?

    A solution could be using a different (lightweight) base image or install only the recommended software to compile and run MobSF.

    enhancement 
    opened by Chan9390 24
  • [FEATURE] Improve security scoring of apps

    Currently, app score is calculated as:

    avg_cvss = round(sum(cvss_scores) / len(cvss_scores), 1)
    app_score = int((10 - avg_cvss) * 10)
    

    Since average CVSS score is used, it could happen that if an app has one major issue and multiple minor ones, it would score better than if it only had a major issue.

    For example, if an issue is introduced to an app that already has higher average cvss than that issue, app would actually have higher score than before even though it now has more issues.

    This could be a problem for CI workflow because it will not catch regression in that case.

    I suggest using a different scoring scheme that would calculate scores as 100 - percentage of maximum CVSS for a particular platform, or any other scheme that would avoid using averages.

    enhancement investigating 
    opened by peja 23
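
The masking effect described in this issue, as an added example (not MobSF's code): `avg_score` reproduces the quoted formula, and `masked_regressions` lists the new findings that a "fail the build if the score drops" CI gate would miss. `budget_score` is one possible reading of the suggested "100 - percentage of maximum CVSS" scheme; `platform_max_total` and all sample CVSS values are constructed assumptions.

```python
"""Added example: how an averaged CVSS score can hide a regression in CI."""
from typing import Callable, List, Sequence


def avg_score(cvss_scores: Sequence[float]) -> int:
    """App score using the averaging formula quoted in the issue."""
    if not cvss_scores:
        return 100  # assumption: an app with no findings gets the top score
    avg_cvss = round(sum(cvss_scores) / len(cvss_scores), 1)
    return int((10 - avg_cvss) * 10)


def budget_score(cvss_scores: Sequence[float], platform_max_total: float) -> float:
    """100 minus the percentage of the platform's total CVSS that was triggered.

    platform_max_total is hypothetical: the sum of the CVSS values of every
    rule that can fire on the platform. Adding a finding can only lower it.
    """
    if platform_max_total <= 0:
        raise ValueError("platform_max_total must be positive")
    used = min(sum(cvss_scores), platform_max_total)
    return 100.0 - 100.0 * used / platform_max_total


def masked_regressions(
    baseline: Sequence[float],
    candidates: Sequence[float],
    scorer: Callable[[Sequence[float]], float],
) -> List[float]:
    """Return the new findings whose addition does NOT lower the score.

    A CI gate that only compares scores between builds misses each of them.
    """
    before = scorer(baseline)
    return [c for c in candidates if scorer(list(baseline) + [c]) >= before]


# Constructed sample data: findings already in the app, and findings a new
# build might introduce one at a time.
BASELINE = [9.0, 8.0, 7.0]
NEW_FINDINGS = [9.5, 5.0, 3.0]
PLATFORM_MAX_TOTAL = 100.0  # hypothetical platform-wide CVSS total


def budget(scores: Sequence[float]) -> float:
    """budget_score bound to the constructed platform total."""
    return budget_score(scores, PLATFORM_MAX_TOTAL)


if __name__ == "__main__":
    print("baseline, averaged score:", avg_score(BASELINE))
    for finding in NEW_FINDINGS:
        after = avg_score(BASELINE + [finding])
        print(f"  + CVSS {finding}: averaged score becomes {after}")
    print("missed by an averaged gate:",
          masked_regressions(BASELINE, NEW_FINDINGS, avg_score))
    print("missed by a budget gate:  ",
          masked_regressions(BASELINE, NEW_FINDINGS, budget))
```

Any new finding at or below the current average is invisible to the averaged gate, so a gate should also diff the set of findings between builds rather than rely on the score alone.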
  • Dynamic analysis fails despite proper configuration

    I have configured the virtual machine in virtualbox 1:1 with https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/1.-Documentation

    The mobsf/settings.py contains:

    UUID = '<uuid from vbox file>'
    SUUID = '<suuid taken from current snapshot from the vbox file>'
    VM_IP= '192.168.56.3'
    VM_ADB_PORT = 5555
    
    PROXY_IP = '192.168.56.1'
    PORT = 1337
    

    The proxy IP is the address of the vbox IP adapter that's assigned to the VM machine. But all I'm getting is:

    Could not find a registered machine with UUID {uuid from vbox file}
    Details" code VBOX_E_OBJECT_NOT_FOUND (0x80bb0001) ... 
    Context: "FindMachine(Bstr(a->...
    
    
    investigating dynamic analyzer 
    opened by Kollerb04 23
  • Error running on windows

    Hi there,

    Below is the error I received when I try to run on Windows 8.1 Enterprise

    C:\MobSf> python manage.py runserver
    [INFO] Running first time setup for windows.
    [*] Reading config file..
    Traceback (most recent call last):
      File "manage.py", line 10, in <module>
        execute_from_command_line(sys.argv)
      File "C:\PentestBox\base\python\Lib\site-packages\django\core\management\__init__.py", line 367, in execute_from_command_line
        utility.execute()
      File "C:\PentestBox\base\python\Lib\site-packages\django\core\management\__init__.py", line 316, in execute
        settings.INSTALLED_APPS
      File "C:\PentestBox\base\python\Lib\site-packages\django\conf\__init__.py", line 53, in __getattr__
        self._setup(name)
      File "C:\PentestBox\base\python\Lib\site-packages\django\conf\__init__.py", line 41, in _setup
        self._wrapped = Settings(settings_module)
      File "C:\PentestBox\base\python\Lib\site-packages\django\conf\__init__.py", line 97, in __init__
        mod = importlib.import_module(self.SETTINGS_MODULE)
      File "C:\PentestBox\base\python\lib\importlib\__init__.py", line 37, in import_module
        __import__(name)
      File "C:\MobSf\MobSF\settings.py", line 378, in <module>
        windows_setup.install_locally(MobSF_HOME)
      File "C:\MobSf\install\windows\setup.py", line 397, in install_locally
        rewrite_config()
      File "C:\MobSf\install\windows\setup.py", line 372, in rewrite_config
        CONFIG['MobSF']['dir'] = expanduser("~") + CONFIG['MobSF']['dir']
    AttributeError: ConfigParser instance has no attribute '__getitem__'
    

    I am running with admin privileges.

    investigating 
    opened by exploitprotocol 23
  • Getting error while Finishing Dynamic Analyser

    pls find the logs of the issue

    [2016-08-01 17:50:57] [ERROR] Device Data Dump (C:\MobSF\DynamicAnalyzer\views\android.py, LINE 332 "if "MOBSEC-TAR-CREATED" in subprocess.check_output([adb, "-s", getIdentifier(), "shell", "cat", "/sdcard/mobsec_status"]):"): Command '['C:\MobSF\DynamicAnalyzer/tools/adb/windows/adb.exe', '-s', '192.168.56.101:5555', 'shell', 'cat', '/sdcard/mobsec_status']' returned non-zero exit status -1

    and let me know how to resolve it

    investigating 
    opened by deepakexodia 21
  •  Requires OSX. iOS Application Security Analysis requires OSX. on Docker

    EXPLANATION OF THE ISSUE

    Using the Docker for iOS pen test:

    I am using the Docker for iOS app test on a Mac. However, I get the following message:

    Requires OSX. iOS Application Security Analysis requires OSX.

    How can I use the docker on the Mac to test the iOS app test?

    CONSOLE OUTPUT

    [INFO] MIME Type: application/octet-stream FILE: Nudge.ipa
    
    [ERROR] Static Analysis of iOS IPA requires OSX
    [08/Mar/2017 19:41:41] "POST /Upload/ HTTP/1.1" 200 60
    [08/Mar/2017 19:41:41] "GET /MAC_ONLY/ HTTP/1.1" 200 4618
    
    opened by chaohaiding 20
  • Scheduled weekly dependency update for week 52

    Update quark-engine from 22.10.1 to 22.11.1.

    Changelog

    22.11.1

    **New Features**
    
    * Add new Quark Script APIs to detect CWE-319 and CWE-327. (413 and 428) 
    
    [Here](https://quark-engine.readthedocs.io/en/latest/quark_script.html)'s the relevant document. 
    
    **UI Enhancements**
    
    * Fix typos in Quark Web Report. (414 and 419)
    * Make grid lines in Quark Web Report more visible. (419)
    
    **Document enhancements**
    
    * Spotlight Quark Script in README. (424)
    * Add Quark Script Quick Start instruction. (422)
    
    Links
    • PyPI: https://pypi.org/project/quark-engine
    • Changelog: https://pyup.io/changelogs/quark-engine/
    • Repo: https://github.com/quark-engine/quark-engine

    Update frida from 15.2.2 to 16.0.8.

    Changelog

    16.0.8

    See https://frida.re/news/ for details.
    

    16.0.7

    See https://frida.re/news/ for details.
    

    16.0.6

    See https://frida.re/news/ for details.
    

    16.0.5

    See https://frida.re/news/ for details.
    

    16.0.4

    See https://frida.re/news/ for details.
    

    16.0.3

    See https://frida.re/news/ for details.
    

    16.0.2

    See https://frida.re/news/ for details.
    

    16.0.1

    See https://frida.re/news/ for details.
    

    16.0.0

    See https://frida.re/news/ for details.
    
    Links
    • PyPI: https://pypi.org/project/frida
    • Changelog: https://pyup.io/changelogs/frida/
    • Homepage: https://frida.re
    opened by pyup-bot 1
  • Postgres support cannot be enabled without this step

    When building my own image based on the official dockerhub image (FROM opensecurity/mobile-security-framework-mobsf), I'm required to include three additional lines of code in my own Dockerfile. I would like to reduce that amount to a single line.

    Stacktrace:

    RUN ./scripts/postgres_support.sh True
    Postgres support : True
    Defaulting to user installation because normal site-packages is not writeable
    Collecting psycopg2-binary
      Downloading psycopg2_binary-2.9.5-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (3.0 MB)
         ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.0/3.0 MB 42.3 MB/s eta 0:00:00
    Installing collected packages: psycopg2-binary
    ERROR: Could not install packages due to an OSError: [Errno 13] Permission denied: '/home/mobsf/.local/lib'
    Check the permissions.
    
    The command '/bin/sh -c ./scripts/postgres_support.sh True' returned a non-zero code: 1
    

    What may solve it:

    USER root
    RUN chown -R mobsf:mobsf /home/mobsf
    USER mobsf
    RUN ./scripts/postgres_support.sh True
    
    opened by frost9i 3
  • The issue App can read/write to External Storage should not exist with obfuscation and optimization enable

    ENVIRONMENT

    OS and Version: Android
    Python Version:
    MobSF Version: MobSF v3.5.2 Beta
    

    EXPLANATION OF THE ISSUE

    Target SDK: 31
    Min SDK: 26
    Kotlin Version: 1.7.10
    
    The static analysis report shows the following warning issue.
    
    > Issue: App can read/write to External Storage. Any App can read data written to External Storage.
    > Severity: Warning
    > Standards: 
      > CWE: CWE-276: Incorrect Default Permissions
      > OWASP Top 10: M2: Insecure Data Storage
      > OWASP MASVS: MSTG-STORAGE-2
    > Files: com.google.android.play.core.assetpacks.da
    
    But this issue disappears by disabling the obfuscation(ProGuard) and minify(minifyEnabled = false)
    
    Expected behavior: Issue read/write to External Storage should not exist with obfuscation and optimization enabled.
    
    

    STEPS TO REPRODUCE THE ISSUE

    1. Generate APK
    2. Upload & generate the static report
    

    LOG FILE

    opened by nemobarco 2
  • [FEATURE] I suggest replace IP2Location  library with geoip2

    I suggest using geoip2 library instead of IP2Location, because it supports multiple languages

    Describe the solution you'd like: IP address information display in different languages

    pip install geoip2 http://dev.maxmind.com/geoip/geoip2/geolite2

    enhancement 
    opened by ohyeah521 2
  • High memory usage

    ENVIRONMENT

    OS and Version: Ubuntu 20.04.4 LTS
    Python Version: 3.8.10
    MobSF Version: 3.6.1
    

    EXPLANATION OF THE ISSUE

    We deployed MobSF application in kubernetes cluster (use image built from the last code version (commit 075e9c18623a78a30774391d83566e40e664eb1d) with postgres support). We use m5.2xlarge aws instance as node and EFS storage which is mounted to uploads and downloads folders. Also RDS postgres DB is used.

    We set following limits in kubernetes deployment:

     limits:
       cpu: 7500m
       memory: 30Gi
    

    But even with this configuration we are facing performance issues and pod is restarting from time to time due to high memory consumption. Even when there isn't any scan in progress, application can use a lot of RAM (for example, now it's about 10Gb). Also we found that if we are doing some actions on UI side of application (not scanning) RAM usage increases decently.

    Previously we used vm setup and faced similar issues but in this case instance stuck and we needed to reboot it.

    opened by antonkap 1
  • Android - Picking wrong network security config file.

    ENVIRONMENT

    OS and Version: MacOS 12.6
    Python Version: 3.10.7
    MobSF Version: 
    

    EXPLANATION OF THE ISSUE

    In APKs where networksecurityconfig attribute declares a filename like "another_security_config.xml" and then in res/xml folder both "network_security_config.xml" and "another_security_config.xml" are present, MobSF will choose "network_security_config.xml" file (basically whichever comes first while iterating over xml files in the folder).

    The reason being, in the code in network_security.py, it is checking for presence of either declared config file name or "network_security_config", and in current case it is always choosing "network_security_config", as coincidentally "network_security_config.xml" file is also present in the application.

    STEPS TO REPRODUCE THE ISSUE

    Can be reproduced for MyJio v7.0.19 application (https://www.apkmirror.com/apk/jio-platforms-limited/myjio/myjio-7-0-19-release/).

    In the app, the manifest declares:

    networkSecurityConfig="@xml/network_security"
    

    And application contains two network security config files:

    • network_security.xml
    • network_security_config.xml

    MobSF will choose "network_security_config.xml"

    opened by su-vikas 2
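
The file-selection problem described in this issue, as an added example: `pick_either_match` is a model of the behaviour the report describes (it is not the code in MobSF's network_security.py), and `pick_declared_only` resolves only the resource the manifest actually names. The function names and the file listing are constructed for illustration.

```python
"""Added example: resolving android:networkSecurityConfig to the right file."""
from pathlib import PurePosixPath
from typing import Iterable, Optional

DEFAULT_STEM = "network_security_config"  # conventional name, not a platform default


def resource_stem(ref: Optional[str]) -> Optional[str]:
    """'@xml/network_security' -> 'network_security'; None if not an @xml ref."""
    if not ref or not ref.startswith("@xml/"):
        return None
    return ref[len("@xml/"):] or None


def is_xml_resource(path: PurePosixPath) -> bool:
    """True for files in res/xml/ or a qualified variant such as res/xml-v24/."""
    parent = path.parent.name
    return path.suffix == ".xml" and (parent == "xml" or parent.startswith("xml-"))


def pick_either_match(ref: Optional[str], files: Iterable[str]) -> Optional[str]:
    """Model of the reported behaviour: the first file whose name is either the
    declared resource or the conventional default wins, so the result depends
    on iteration order."""
    declared = resource_stem(ref)
    for name in files:
        path = PurePosixPath(name)
        if is_xml_resource(path) and path.stem in (declared, DEFAULT_STEM):
            return name
    return None


def pick_declared_only(ref: Optional[str], files: Iterable[str]) -> Optional[str]:
    """Select only the resource named by the manifest attribute."""
    declared = resource_stem(ref)
    if declared is None:
        # No attribute in the manifest: no file is the app's config, even if
        # one happens to be called network_security_config.xml.
        return None
    matches = [
        name for name in files
        if is_xml_resource(PurePosixPath(name)) and PurePosixPath(name).stem == declared
    ]
    # Prefer the unqualified res/xml/ copy, then a stable order.
    matches.sort(key=lambda n: (PurePosixPath(n).parent.name != "xml", n))
    return matches[0] if matches else None


# Constructed listing of a decoded APK, in an order that triggers the problem.
MANIFEST_REF = "@xml/network_security"
DECODED_FILES = [
    "res/xml/network_security_config.xml",
    "res/xml/network_security.xml",
    "res/layout/main.xml",
]

if __name__ == "__main__":
    print("either-match picks: ", pick_either_match(MANIFEST_REF, DECODED_FILES))
    print("declared-only picks:", pick_declared_only(MANIFEST_REF, DECODED_FILES))
```

Analysing the wrong file matters for the report: findings such as cleartext traffic or trust anchors would be attributed to a configuration the app never loads.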
Releases(v3.6.0)
  • v3.6.0(Oct 4, 2022)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating

    This release has a breaking change. Please rescan all existing scans after the update. Perform rescan from Recent Scans view.

    v3.6.0 Beta Changelog

    • Features or Enhancements

      • False Positive Triaging / Suppression Triaging Support for critical Android and iOS Security Analysis features.
        • Android Binary & Source - Supports Code Analysis and Manifest Analysis
        • iOS Binary - Supports Binary Code Analysis
        • iOS Source - Supports Code Analysis
        • New REST APIs for Suppression Support
      • Android Certificate Analysis improvements
      • Remove RELRO check from android binary analysis due to false positives
      • iOS Bundle ID extraction improvements
      • Feature parity - Allow IPA downloads from reports view
      • Code QA: Reduce False positives in identified secrets
      • Check for updates from Github releases
      • M1 Mac support
      • Disabled by default feature to support hotspots in AppSec Scorecard
      • Dependency updates
      • Added CodeQL scan on MobSF python code base
    • Bug Fixes

      • Fixes #1999, #1917, #2042, #1981, #2014, #2043
      • Fixed a bug in JSON response REST API
      • iOS URL view fix
      • Code fixes to address minor security issues in third party libraries.
      • Handle JADX timeouts
  • v3.5.0(Jan 23, 2022)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating

    This release has a breaking change. Please rescan all existing scans after the update. Perform rescan from Recent Scans view.

    v3.5.0 Beta Changelog

    • Features or Enhancements

      • MobSF Application Security Scorecard for scoring mobile application security
      • Scorecard REST API
      • Published Static Analyzer online mobsf.live (Thanks to Jovan Petrovic for sponsoring the server)
      • Improved App Security Scoring Logic
      • Improved PDF Report, Reduce generation times.
      • Disable CVSSv2 by default.
      • Non blocking file upload from home screen.
      • Android and iOS SAST rule QA
      • Manifest, Certificate, Transport Security and Network Security rule QA
      • Common severity levels High, Warning, Info and Secure.
    • Bug Fixes

      • Fixes #1885
      • Replaced PWD with dedicated server
  • v3.4.6(Jan 8, 2022)

    v3.4.6 Beta Changelog

    • Features or Enhancements

      • Quark Version Update
      • New Frida Scripts from F-Secure labs
      • Manual Activity Launcher and REST API
      • Suppress warnings from third party
      • LIEF integration QA
      • Update Janus Vulnerability description
      • General Code QA
      • Improve Setup script
      • Update Dockerfile to use non-root user
      • PDF in landscape
      • Add healthcheck to dockerfile
      • Update Android API rules
      • iOS Hardcoded Secret extraction from plists
      • Add browsable activities in android diff
      • Multiplatform docker image
      • Added checks and bypass for certificate transparency
      • Updated Android Static Analysis rules
      • Improved Split APK support, now supports .apks file
      • Ability to lookup and download APK from apktada/apkpure/apkplz
      • Dynamic Analyzer: Get Runtime Application Third party dependencies
      • Persist Frida Code change in session storage
      • Show Base64 strings decoded at runtime and the called class
      • Detect Trackers from Runtime Dependencies and Network Traffic
      • Windows Binskim version pinning
      • Global Proxy Configuration for Dynamic Analyzer
    • Bug Fixes

      • Fix Django 4.0 support
      • Fix minor bugs
      • Fix dependency issues
  • v3.4.3(Apr 25, 2021)

    v3.4.3 Beta Changelog

    • Features or Enhancements

      • Android Dynamic Analysis TLS/SSL Security Tester
      • Dynamic Analysis without Static Analysis
      • Support Dynamic Analysis of third party apps in VM/AVD
      • Download and perform static analysis of third party apps from VM/AVD
      • Dynamic Analysis enhancement to preserve app config/data
      • Improved SSL Pinning Bypass script
      • Added Intent dumper auxiliary Frida script
      • Added an auxiliary method bypass template script
      • Security Hardening
      • Addressing LGTM issues and QA
      • Android Permissions Mapping update and Typo fix
      • VirusTotal Code QA
      • Refactored Logcat log viewer to show only app specific logs
      • Xposed Improvements and updates of agents
      • Updated frontend libraries for CodeMirror and EnlighterJS
      • New REST API exposed for TLS/SSL tests
      • General Code QA
    • Bug Fixes

      • Fixed Windows Setup script
      • Fixed typo and incomplete description in Android permission mapping
  • v3.4.0(Mar 27, 2021)

    From 3.4.0 onwards, MobSF user configuration and data are stored under <user_home_dir>/.MobSF/. Also, instead of mobsf/MobSF/settings.py, please use <user_home_dir>/.MobSF/config.py

    You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

    Install and Setup

    python3 -m venv venv
    source venv/bin/activate
    pip install mobsf
    mobsfdb # migrate database
    

    Run

    mobsf 127.0.0.1:8000 # run mobsf
    

    v3.4.0 Beta Changelog

    • Features or Enhancements

      • Android Hardcoded Secrets False Positive Improvement
      • New Android Crypto Rule
      • Rescan Fail-Safe and Code QA
      • Auto Comment for PR and Issues
      • USE_HOME by default
      • Dynamically Display Config Location
    • Bug Fixes

      • Fixed a bug in iOS ATS plist analysis
  • v3.3.5(Mar 22, 2021)

    You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

    Install and Setup

    python3 -m venv venv
    source venv/bin/activate
    pip install mobsf
    mobsfdb # migrate database
    

    Run

    mobsf 127.0.0.1:8000 # run mobsf
    

    v3.3.5 Beta Changelog

    • Bug Fixes
      • Removed Android Shared Library PIE Check
      • Improved Frida Instrumentation Logic to prevent Frida bypass
      • Fixed a False positive in Android Java Random rule
      • Fixed a bug that caused multiple first time saves of the same scan
      • Fixed Dynamic Analyzer JSON Report REST API bug
  • v3.3.3(Mar 8, 2021)

    You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

    Install and Setup

    python3 -m venv venv
    source venv/bin/activate
    pip install mobsf
    mobsfdb # migrate database
    

    Run

    mobsf 127.0.0.1:8000 # run mobsf
    

    v3.3.3 Beta Changelog

    • Features or Enhancements

      • Android Hardcoded Secrets Improvement
      • iOS IPA binary analysis improvements
      • Improved Android Manifest Analysis
      • Improved Setup
      • Updated to APKiD that is maintained by MobSF Team
      • Static Analysis Rule QA
      • macOS BigSur support
      • Update libsast to skip large files.
      • Improved iOS plist analysis
      • Relaxed Android Source code zip requirements
    • Bug Fixes

      • Fixed a bug in Android Shared Library RELRO check
      • Fixed a bug in Windows setup that prevents detection of python version on the first run
      • Fixed a bug in Recent Scan
      • Fixed a bug in root CA naming that prevented traffic interception
  • v3.2.9(Jan 20, 2021)

    You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

    python3 -m venv venv
    source venv/bin/activate
    
    pip wheel --wheel-dir=yara-python --build-option="build" --build-option="--enable-dex" git+https://github.com/VirusTotal/[email protected]
    pip install --no-index --find-links=yara-python yara-python
    
    pip install mobsf
    mobsfdb # migrate database
    mobsf 127.0.0.1:8000 # run mobsf
    

    v3.2.9 Beta Changelog

    • Bug Fixes
      • MobSF python package fix
  • v3.2.8(Jan 20, 2021)

    v3.2.8 Beta Changelog

    • Features or Enhancements

      • OWASP MSTG Mapping to Rules
      • Python 3.9 support
      • Prebuilt DEX enabled yara-python wheels
      • Dynamic Downloading of frida-server binary
      • Code QA
    • Bug Fixes

      • Windows APPX bug fix
  • v3.2.6(Jan 17, 2021)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating

    This release has a breaking change. Please rescan all existing scans after the update. Add &rescan=1 to the scan URL to perform rescan.

    v3.2.6 Beta Changelog

    • Features or Enhancements

      • Added Support for Android 10 Dynamic Analysis
      • Published new REST APIs for Dynamic Analysis
      • New Source Tree Browser for Android Static Analysis
      • Improved Binary and Shared Object Analysis with LIEF
      • Added Support for NIAP v1.3
      • Added a world map UI plotting server locations
      • Added Maltrail Domain Check
      • Improved Android Permission Analysis
      • iOS Objective C Rule improvements
      • Android Kotlin Rule improvements
      • MobSF now available as a python package and published to pypi
      • Migrated CI from Travis to Github Action
      • Improved File Magic Check on Uploads
      • Post Install Check script
      • Static Analysis Hardcoded Secrets Section from strings.xml
      • Updated Dependencies
      • Custom Header for REST API Key
    • Bug Fixes

      • Fixed Install Verification bug on older Android versions
      • Fix a Regex DoS in rule
      • Fixed IPA Static Analysis Bug
      • Minor PDF template fix
  • v3.1.1(Aug 5, 2020)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating

    This release has a breaking change. Please rescan all existing scans after the update. Add &rescan=1 to the scan URL to perform rescan.

    v3.1.1 Beta Changelog

    • Features or Enhancements

      • Added Support for Android Network Security Config Analysis
      • Replace SAST core with libsast
      • Support for line numbers in source code
      • Replaced Code Viewer with EnlighterJS
      • Kotlin source scan support
      • Improved Certificate Analysis
      • Genymotion Cloud Support
      • Support Android Emulator AVD x86, ARM, ARM64
      • Verify Dynamic Analysis APK Installation
      • Dynamic Analysis: Support APK with test package requirements
      • Automatic MobSFy on Frida binary update
      • Expose App result compare REST API and Update REST API Docs
      • Clean up MobSF proxy on exit
      • IPA Binary Regex QA
      • Optimize Root Checking Frida Script
      • Environment Checks to see if API Level is supported and /system is writable
      • Prebuilt dex enabled yara-python and improved setup, tox, tests
      • Added Chinese documentation
      • Reduce Docker image size
      • Improved Postgresql Docker Support
      • Android Dynamic Analysis QA
      • Update Dependencies
    • Bug Fixes

      • Android Rule Fixes
      • Fixed API Monitor which was broken from Frida 12.8.19
      • Fixed iOS ATS bug
      • Fix Black PDF background issue
      • LGTM Scan Code QA
    • Security

      • Fixed Regex DoS in Email Extraction
      • Fixed insecure Default Bind to 0.0.0.0
  • v3.0.5(Mar 13, 2020)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating

    v3.0.5 Beta Changelog

    • Features or Enhancements

      • iOS Swift Source Code Support
      • Improved iOS Swift and Objective C rules
      • OWASP MASVS/MSTG Standard Support
      • Brand New PDF Reports
      • Improved SAST Core
      • Improved iOS Application Transport Security Checks
      • Improved iOS Permission Checks
      • Added IP to Geolocation Feature for Domain Malware Check
      • URL and IP extraction from IPA
      • App Risk Calculation from App Security Score
      • Improve Recent Scan View
      • Add Jtool2 support
      • Code QA
      • New Docs Site
    • Bug Fixes

      • Classdump bug fixes
      • Geolocation bug fixes
  • v3.0.1(Jan 24, 2020)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    v3.0.1 Beta Changelog

    • Features or Enhancements

      • Simplified REST API
      • Improved Android App Name detection
      • Dynamic Analysis proper Root CA naming
      • Changes to Support Android x86 Docker
      • Dependency updates
      • Code QA
    • Bug Fixes

      • Handle Invalid ATS domain entries iOS
      • Fixes a Template Bug
  • v3.0.0(Dec 12, 2019)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This is a major release and has changes to database models and REST API schemas.

    • Run setup.sh or setup.bat depending on your OS.

    v3.0.0 Beta Changelog

    • Features or Enhancements

      • OWASP Mobile Top 10 2016 is supported
      • Major UI Update for MobSF
      • Major Schema changes to rest API
      • iOS URLs Scheme
      • iOS ATS Analysis improved
      • New iOS Static Analysis Rules
      • New Android Manifest Analysis Rules
      • Updated dependencies
      • Optimized Windows Setup
      • Updated Scoring mechanisms
      • Improved Tracker detection
      • Remove Global Proxy after dynamic analysis
      • Android Permission database update
      • Added Play with Docker support
      • AppMonsta support
      • Code QA
    • Bug Fixes

      • Fix Security issue #1197 (Directory Traversal)
      • iOS Static Analyzer fixes
      • Typo Fix
      • Moved to oscrypto and distro
      • Windows binscope bug fix
      • Reduce False positives
  • v2.0.0(Sep 22, 2019)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes and core framework changes.

    • Run setup.sh or setup.bat depending on your OS.
    • Migrate Database
      python manage.py makemigrations
      python manage.py makemigrations StaticAnalyzer
      python manage.py migrate
      

    v2.0.0 Beta Changelog

    • Features or Enhancements

      • Dynamic Analysis Support for Genymotion Android VMs 4.1 - 9.0 x86
      • Improved Recent Scan
      • Replaced CapFuzz with HTTPtools
      • Automatic MobSFy with Xposed and Frida
      • Streaming logcat
      • Live API Monitor
      • Better SQLite DB View
      • Inbuilt Frida scripts for basic tasks
      • Custom Frida Script support
      • Frida Log Viewer
      • UI Changes
      • Browser PDF print support
      • Updated Tools
      • Baksmali performance improvements
      • Improved malware domain check
      • Multi OS Travis Support
      • Code QA
    • Bug Fixes

      • Typo Fix
      • Reduce False positives
  • v1.1.6(Aug 9, 2019)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    This release has database model changes and core framework changes.

    • Run setup.sh or setup.bat depending on your OS.
    • Migrate Database
      python manage.py makemigrations
      python manage.py makemigrations StaticAnalyzer
      python manage.py migrate
      

    v1.1.6 Beta Changelog

    • Features or Enhancements

      • 70x performance improvements for large APKs
      • CVSS, CWE tagging with results
      • Trackers Detection
      • App Store/ Playstore Details of supported packages
      • Added Security Score, Average CVSS Score, VirusTotal & Tracker Detection
      • Coloured logging
      • Better Logging and Exception Handling
      • Travis CI/CD integration
      • Optimized & Updated Dockerfile
      • Super fast java decompiling with JADX
      • Large scale Code QA
      • Enforced mandatory code linting
      • Integrated automated travis tests in Linux and OSX
      • Moved to proper production servers Gunicorn & Waitress
      • Improved icon detection
      • Android APK app real name
      • Moved from Oracle JDK to OpenJDK
      • Reduce False Positives
      • Enforced Least privilege mode
      • Improved Setup scripts
      • Moved to androguard based certificate printing
      • File less local db updates for better cross platform support
      • Static Analyzer rule updates and accuracy improvement
      • REST API - Recent Scans
      • classdump support for iOS swift binaries
      • Updated dependencies
      • SonarCloud Integration
    • Bug Fixes

      • Fixed bug in Appx Analysis
      • Dynamic Analysis Bug Fix
      • Fix plist bug in iOS SCA
      • Performance Improvements
  • v1.0.3Beta(Dec 19, 2018)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    • This release has database model changes. Read Updating MobSF
    • Run setup.sh or setup.bat

    v1.0.3 Beta Changelog

    • Features or Enhancements

      • Android APK Scan Results Diffing Support
      • VirtualBox VM Headless mode
      • UI Changes
      • Improved Android icon analysis
      • CapFuzz for API Fuzzing
      • JSON Report REST API
      • Dependency Updates
      • Code QA and Refactoring
      • More unit tests
      • Update 3rd party tools
      • Improved APKiD Scans
      • Added Basic Environment Checks on first run
      • Docker support for PostgreSQL
      • Improved REST APIs
      • Android AVD 6 Support (Broken)
      • iOS IPA Analysis support in Linux
      • Improved Form Handling
      • REST API CORS Support
      • Improved Plist Parsing
      • Removed Faulty Binary Analysis
      • Improved Manifest Analysis
      • Updated Android Permission Mappings
      • New Setup and Run scripts for easy installation and usage
      • Updated Dockerfile
      • Multi Dex Support
      • Upstream Proxy Support
      • Improved String Extraction for Android
    • Bug Fixes

      • Fixed manifest view
      • Performance improvements
      • Find Java Bug fixes
      • Fixed APK String extraction
      • Fixed Regression Bug
      • Fixed Byte Bug
  • v0.9.5.5(Dec 17, 2017)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    • This release has database model changes. Read Updating MobSF
    • Run pip install -r requirements.txt

    v0.9.5.5 Beta Changelog

    • Features or Enhancements

      • Added support for VirusTotal API
      • Added APKtool for manifest extraction if AXMLPrinter2 fails
      • Updated dependencies
      • Improved android signer cert checks.
      • UI QA
    • Bug Fixes

      • Fixed icon extraction bug
      • Fixed icon bug in linux where Library is not loaded
      • Fixed AndroidManifest.xml parsing bug
      • Fixed broken Docker file
      • Fixed plist extraction bug on Linux
      • Fixed iOS Code review bug
      • Fixed Recent Scan bug in REST API
  • v0.9.5.4(Aug 29, 2017)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    • This release has database model changes. Read Updating MobSF
    • Run pip install -r requirements.txt

    v0.9.5.4 Beta Changelog

    • Features or Enhancements
      • REST API for MobSF and API Docs
      • Icon Extractor Android Static Analysis
      • Updating Libraries to latest
      • Malware Analysis Code refactoring
      • Updated ADB binaries
      • Code Refactoring Android Static Analysis
      • Android and iOS new static analysis rules added
    • Bug Fixes
      • iOS file analysis bug fix
      • iOS Classdump exception fix
      • Unicode Unzip fix
      • sqlitedb isinstance bug fix
      • Dockerfile error fix
      • Bug Fix in skip classes
      • Bug Fix in https traffic decryption due to tornado upgrade
      • iOS Binary analysis regex fix
      • Android binary analysis bug fix
  • v0.9.5.2(Apr 24, 2017)

    v0.9.5.2 Beta Changelog

    • Features or Enhancements

      • Supports Android ARM Emulator for Android Dynamic Analysis. Thanks to Matan Dobrushin - Documentation
      • Android Dynamic Analysis Code QA and Refactoring
      • Delete Scan Results from DB and related files under Recent Scan
      • Detects Apps Signed with SHA1-RSA
      • Added APKiD to MobSF Android APK Static Analysis
      • Python Dependency updates
      • Dockerfile updated
      • Added unit test for delete scan
    • Bug Fixes

      • Fixed Android Certificate Analyzer find match bug
      • Android Static Analyzer content provider rules bug fix
      • Windows Static Analyzer Bugfixes
      • Moved from buggy syntaxhighlighter to highlightjs
  • v0.9.4.2(Mar 1, 2017)

  • v0.9.4.1(Feb 25, 2017)

  • v0.9.4(Feb 22, 2017)

    IMPORTANT - IF YOU ARE UPDATING MOBSF

    • This release has database model changes. Read Updating MobSF
    • We are using a new and faster PDF generation library. Read PDF Report Generation
    • Run pip install -r requirements.txt

    v0.9.4 Beta Changelog

    • Features or Enhancements
      • Android Binary/ELF Analysis and Resource Analysis
      • Android App Static Analysis: Tapjacking Detection
      • Android App Static Analysis: Better Exported Component Analysis
      • iOS App Static Analysis: Listing App Permissions
      • iOS App Static Analysis: ATS Check
      • Better and Faster PDF Generation
      • Updated Dependencies
      • Optimised DB Interactions
      • Unit Tests for Static Analyzer, PDF Report Generation
    • Bug Fixes
      • Windows App Static Analyzer Bug Fix
      • Fixed all PDF Related Bugs
      • Windows App Static Analyzer: BinScope Bug Fix
      • iOS App Static Analysis: Plist Bug Fix
  • v0.9.3.7(Dec 7, 2016)

  • v0.9.3.6(Nov 30, 2016)

  • v0.9.3.5(Nov 30, 2016)

  • v0.9.3.4(Nov 30, 2016)

  • v0.9.3.3(Nov 29, 2016)

    • Fixed Unicode Error in Unzipping Files
    • Restructured Templates
    • Improved IsInternetAvailable function as Google IP is not accessible in China.
  • v0.9.3.2(Nov 25, 2016)

  • v0.9.3.1(Nov 23, 2016)

Owner
Mobile Security Framework
Automated pentesting framework for Android, iOS and Windows Apps