MobSF: Android App Pentesting [Step-by-Step]

Ethical hacking

Reviewer: Deepak Prasad

Mobile app pentesting is a crucial process that ensures the safety of data and sensitive information stored in mobile applications. With the rising number of cyber-attacks, businesses must adopt mobile application security testing to protect their applications from potential security threats. App pentesting is one of the most critical aspects of mobile application security testing, and MobiSF is an essential tool for this process.

MobSF is an open-source mobile application security testing tool that provides comprehensive security testing for Android and iOS applications. This tool helps in identifying vulnerabilities and provides security recommendations to help secure mobile applications. MobiSF comes with a range of features that make it an essential tool for app pentesting. These features include:

  • Static and Dynamic Analysis: MobSF can perform both static and dynamic analysis of mobile applications, providing a comprehensive view of application security. The tool can analyze the source code of an application, as well as the runtime behaviour, to identify vulnerabilities and potential security threats.
  • Multiple Testing Techniques: MobSF supports a range of testing techniques, including vulnerability scanning, malware analysis, and traffic interception. These techniques help in identifying security threats and vulnerabilities in mobile applications.
  • Third-Party Integration: MobSF can integrate with other security testing tools to provide a more comprehensive view of application security. This integration allows businesses to leverage the capabilities of other tools to identify and mitigate security threats.
  • User-Friendly Interface: MobSF has a user-friendly interface that makes it easy to use for both security experts and beginners. The tool provides a step-by-step guide on how to perform app pentesting, making it accessible to all users.


It is recommended that you run these tests on a virtual lab and use applications available for pentesting. In a case where you need to perform penetration testing on other applications, make sure you obtain consent from the parties involved to avoid breaking the law.



  1. PC running Kali Linux
  2. Git
  3. Docker
  4. App to perform penetration testing on.
  5. Python3
  6. JDK


Install MobSF

In this guide, we will be running an instance of the MobSF framework on Docker hence we can choose between two options: Using the prebuilt MobSF docker image from the docker hub or Building an image from the Dockerfile which can be found on the official MobSF GitHub repository. To clone the repository to our PC we run the below command.

git clone

app pentesting


After the download is complete, we can move into the newly created directory and build the image using the below commands as shown in the image below.

cd Mobile-Security-Framework-MobSF

docker build -t mobsf .

MobSF: Android App Pentesting [Step-by-Step]


MobSF is slightly bigger than 1GB hence a fast internet connection is required while installing it. Once completed, we can now run MobSF using the below command.

docker run -it --rm -p 8000:8000 mobsf

app pentesting


Since MobSF is a web-based app pentesting tool, we can access it by visiting http://localhost:8000/ on our favourite web browser as shown in the image below.

app pentesting

MobiSF can perform app pentesting for the common OS Platforms i.e Android, Windows and Mac OS. In our case, we want to test an android application, the InsecureShop app.


Perform App Pentesting

MobSF has a simple user interface hence it is really easy to use. To perform app pentesting, you just need to drag the file from your local folder and drop it on the MobSF page and the pentesting will automatically begin. Another way is by uploading the application by clicking the “Upload & Analyze” button. Since MobSF performs automated app pentesting, all you have to do is to sit back and wait for the analysis to complete.

app pentesting


After the analysis is complete, we can now be able to view the pentest information of the InsecureShop app. From the above image, we can be able to view the summarized information from the app pentest. We can see that the app has a Security score of 37 meaning the application has numerous vulnerabilities.

In the image shown below, we have a section from where we can proceed to perform dynamic app pentesting using MobSF. To perform dynamic analysis, an Android hacking lab and installation of Frida scripts are required.

app pentesting


We can also be able to view the APK’s source code, Smali and the Androidmanifest.xml files among other files. Below the scan options, we can view the signer certificate too as shown in the image below.

app pentest

On the side navigation bar, we have different tabs from where we can view information related to the recently concluded app pentest. Some of the information that we can view include permissions required by the app, Android APIs, browsable activities, security analysis, malware analysis, reconnaissance and the components.


App pentesting report

We can save the result of the app pentest done on MobSF as a pdf report using the PDF options found on the side navigation bar as shown in the image below. Click on the PDF report to view a PDF summary of the app pentest and you can also download the PDF by clicking on the print PDF report.

app pentest


On the first page, we have the name of the app, the file name, the package name, the date of the scan and the App Security Score. The app pentesting report generated on MobSF is structured in a way that classifies each of the found issues based on their severity as shown in the below image.

app pentest

File information, App Information, App components, certificate information, application permissions, APKID analysis, browsable activities, network security, certificate analysis, manifest analysis, code analysis, domain malware check, NIAP analysis and hardcoded secrets.



MobSF is an essential tool for app pentesting as it helps businesses to identify vulnerabilities in their mobile applications and provides security recommendations to mitigate these threats. The tool is easy to use and provides a range of testing techniques to ensure comprehensive security testing.

In conclusion, mobile application security testing is a critical process for businesses that use mobile applications. App pentesting is a crucial aspect of mobile application security testing, and MobSF is an essential tool for this process. With MobiSF, businesses can identify vulnerabilities in their mobile applications and mitigate security threats. Therefore, every business that uses mobile applications should consider leveraging the capabilities of MobSF for app pentesting.


Views: 593
Kennedy Muthii

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to

Thank You for your support!!

Leave a Comment