Mobile app pentesting is a crucial process that ensures the safety of data and sensitive information stored in mobile applications. With the rising number of cyber-attacks, businesses must adopt mobile application security testing to protect their applications from potential security threats. App pentesting is one of the most critical aspects of mobile application security testing, and MobSF is an essential tool for this process.
MobSF is an open-source mobile application security testing tool that provides comprehensive security testing for Android and iOS applications. This tool helps in identifying vulnerabilities and provides security recommendations to help secure mobile applications. MobSF comes with a range of features that make it an essential tool for app pentesting. These features include:
- Static and Dynamic Analysis: MobSF can perform both static and dynamic analysis of mobile applications, providing a comprehensive view of application security. The tool can analyze the source code of an application, as well as the runtime behaviour, to identify vulnerabilities and potential security threats.
- Multiple Testing Techniques: MobSF supports a range of testing techniques, including vulnerability scanning, malware analysis, and traffic interception. These techniques help in identifying security threats and vulnerabilities in mobile applications.
- Third-Party Integration: MobSF can integrate with other security testing tools to provide a more comprehensive view of application security. This integration allows businesses to leverage the capabilities of other tools to identify and mitigate security threats.
- User-Friendly Interface: MobSF has a user-friendly interface that makes it easy to use for both security experts and beginners. The tool provides a step-by-step guide on how to perform app pentesting, making it accessible to all users.
Requirements
- PC running Kali Linux
- Git
- Docker
- App to perform penetration testing on.
- Python3
- JDK
Install MobSF
In this guide, we will run an instance of the MobSF framework on Docker, so we can choose between two options: using the prebuilt MobSF Docker image from Docker Hub, or building an image from the Dockerfile found in the official MobSF GitHub repository. To clone the repository to our PC, we run the command below.
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
After the download is complete, we can move into the newly created directory and build the image using the below commands as shown in the image below.
cd Mobile-Security-Framework-MobSF
docker build -t mobsf .
MobSF is slightly bigger than 1 GB, hence a fast internet connection is required while installing it. Once completed, we can now run MobSF using the below command.
docker run -it --rm -p 8000:8000 mobsf
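Since MobSF is a web-based app pentesting tool, we can access it by visiting http://localhost:8000/ in our favourite web browser as shown in the image below. Note that -p 8000:8000 publishes the port on all of the host's network interfaces, not just localhost, so on a shared network bind it to the loopback address only.
MobSF can perform app pentesting for the common OS platforms, i.e., Android, Windows and Mac OS. In our case, we want to test an Android application, the InsecureShop app.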
Perform App Pentesting
MobSF has a simple user interface, so it is easy to use. To perform app pentesting, you just need to drag the file from your local folder and drop it on the MobSF page, and the pentesting will begin automatically. Another way is to upload the application by clicking the “Upload & Analyze” button. Since MobSF performs automated app pentesting, all you have to do is sit back and wait for the analysis to complete.
After the analysis is complete, we can view the pentest information of the InsecureShop app. From the above image, we can view the summarized information from the app pentest. We can see that the app has a Security score of 37, meaning the application has numerous vulnerabilities.
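As an added example (not from the original article or the MobSF project), the upload-and-analyze step and the security score check described above can be scripted against MobSF's REST API so a build fails when the score is too low. The endpoint paths and response fields (`hash`, `scan_type`, `file_name`, `security_score`, `high`) are assumed from MobSF's API documentation and should be checked on your instance's API docs page; the `min_score` threshold of 50 and the client-side `MOBSF_API_KEY` variable are this example's own choices.

```python
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

FORM = "application/x-www-form-urlencoded"

def http_poster(base_url, api_key, timeout=900):
    """Return post(path, body, content_type) -> dict bound to one MobSF instance."""
    def post(path, body, content_type):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=body, method="POST",
            headers={"Authorization": api_key, "Content-Type": content_type})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return post

def multipart_file(filename, data):
    """Encode one upload as multipart/form-data in the form field 'file'."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"

def scan_and_gate(post, filename, apk_bytes, min_score=50):
    """Upload, scan, read the scorecard; min_score is a hypothetical policy value."""
    body, ctype = multipart_file(filename, apk_bytes)
    up = post("/api/v1/upload", body, ctype)
    # Assumed field names: the upload response identifies the file for later calls.
    form = urllib.parse.urlencode({k: up[k] for k in ("hash", "scan_type", "file_name")}).encode()
    post("/api/v1/scan", form, FORM)  # long-running call, hence the generous timeout
    card = post("/api/v1/scorecard", form, FORM)
    score = int(card["security_score"])
    return {"hash": up["hash"], "score": score,
            "high": len(card.get("high", [])), "passed": score >= min_score}

if __name__ == "__main__":
    # Usage: MOBSF_API_KEY=<key from the instance> python3 gate.py app.apk
    post = http_poster("http://localhost:8000", os.environ["MOBSF_API_KEY"])
    with open(sys.argv[1], "rb") as fh:
        result = scan_and_gate(post, os.path.basename(sys.argv[1]), fh.read())
    print(json.dumps(result))
    sys.exit(0 if result["passed"] else 1)
```

With the score of 37 reported for InsecureShop, this gate exits non-zero at the default threshold.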
In the image shown below, we have a section from where we can proceed to perform dynamic app pentesting using MobSF. To perform dynamic analysis, an Android hacking lab and installation of Frida scripts are required.
We can also view the APK’s source code, Smali and the AndroidManifest.xml files among other files. Below the scan options, we can view the signer certificate too as shown in the image below.
On the side navigation bar, we have different tabs from where we can view information related to the recently concluded app pentest. The information that we can view includes permissions required by the app, Android APIs, browsable activities, security analysis, malware analysis, reconnaissance and the components.
App pentesting report
We can save the result of the app pentest done on MobSF as a PDF report using the PDF options found on the side navigation bar as shown in the image below. Click on the PDF report to view a PDF summary of the app pentest; you can also download the PDF by clicking on the print PDF report option.
On the first page, we have the name of the app, the file name, the package name, the date of the scan and the App Security Score. The app pentesting report generated on MobSF is structured in a way that classifies each of the found issues based on their severity as shown in the below image.
The report covers the following sections: file information, app information, app components, certificate information, application permissions, APKID analysis, browsable activities, network security, certificate analysis, manifest analysis, code analysis, domain malware check, NIAP analysis and hardcoded secrets.
Conclusion
MobSF is an essential tool for app pentesting as it helps businesses to identify vulnerabilities in their mobile applications and provides security recommendations to mitigate these threats. The tool is easy to use and provides a range of testing techniques to ensure comprehensive security testing.
In conclusion, mobile application security testing is a critical process for businesses that use mobile applications. App pentesting is a crucial aspect of mobile application security testing, and MobSF is an essential tool for this process. With MobSF, businesses can identify vulnerabilities in their mobile applications and mitigate security threats. Therefore, every business that uses mobile applications should consider leveraging the capabilities of MobSF for app pentesting.