MobSF: Implement MobSF on Kali Linux for Dynamic and Static Security Testing
With the mobile application market exploding (currently 2.8m apps on the Google Play Store and 2.2m on the Apple store – not to mention Enterprise apps or apps not available on “Regular Markets”), Security Testing on mobile devices becomes critical to IT security for IOVIO and our customers.
A recent request from one of our customers required that we provide Security and Penetration Testing against their mission critical applications, including Mobile Applications for Android and iOS. IOVIO’s weapons of choice for this assignment are Kali Linux and MobSF (Mobile Security Framework), an automated Security Framework that allows application testing during run-time.
In this guide I’ll do my best to show you how to set up such an environment with minimum hassle.
So without further ado let’s start by opening a console and installing python3-pip.
First, make sure you have the Java SDK:
cat >/etc/apt/sources.list.d/webupd8team-java.list << EOF
deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer
java -version
apt-get install python3-pip
Now let’s clone the MobSF repository and navigate to the main directory.
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
Configure Static Analyzer
Before running the server we need to create and activate a virtual environment and install the MobSF requirements.
As an optional step, install wkhtmltopdf first to generate PDF reports.
There is a very common error that occurs after running the server for the first time: "you have unapplied migrations" and your project may not work properly. To solve it, all you have to do is apply the pending migrations.
python3 manage.py migrate
Now everything is ready to run: open your favorite browser and navigate to http://127.0.0.1:800, or to the IP and port that you configured.
You are now ready to load APKs or IPAs into the server and start performing Static Analysis of your apps.
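The steps above can be checked in one pass before starting the server. The following preflight script is an added example, not code from the original guide or from the MobSF project; the function names are hypothetical, the tool list is taken from this guide, and the loopback check assumes you want the analyzer reachable only from the testing machine itself.

```bash
#!/usr/bin/env bash
# Added example: preflight check for the MobSF setup described in this guide.
# Tool names come from the guide; wkhtmltopdf is optional (PDF reports only).
MOBSF_REQUIRED="java python3 pip3 git"
MOBSF_OPTIONAL="wkhtmltopdf"

# Print the tools from the argument list that are not on PATH, space separated.
missing_tools() {
    local missing="" tool
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="${missing:+$missing }$tool"
    done
    printf '%s' "$missing"
}

# Succeed only for an exact loopback listen address (HOST or HOST:PORT).
# Anything else, including 0.0.0.0, is treated as network-reachable.
is_loopback_bind() {
    case "${1%:*}" in
        127.0.0.1|localhost|"[::1]") return 0 ;;
        *) return 1 ;;
    esac
}

# Check a checkout directory and the listen address you plan to use.
# Returns 0 when ready; prints one line per finding otherwise.
# Usage: mobsf_preflight ./Mobile-Security-Framework-MobSF HOST:PORT
mobsf_preflight() {
    local dir="$1" bind="$2" rc=0 missing
    missing=$(missing_tools $MOBSF_REQUIRED)
    if [ -n "$missing" ]; then echo "missing required tools: $missing"; rc=1; fi
    missing=$(missing_tools $MOBSF_OPTIONAL)
    if [ -n "$missing" ]; then echo "optional, PDF reports unavailable: $missing"; fi
    # manage.py is what the migrate step above runs, so it must be present.
    if [ ! -f "$dir/manage.py" ]; then echo "no manage.py in $dir"; rc=1; fi
    # VIRTUAL_ENV is set by a virtual environment's activate script.
    if [ -z "${VIRTUAL_ENV:-}" ]; then echo "no virtual environment active"; rc=1; fi
    if ! is_loopback_bind "$bind"; then
        echo "listen address $bind is not loopback-only"; rc=1
    fi
    return $rc
}
```

Source the file and call mobsf_preflight with the checkout directory and the address you intend to serve on; a non-zero return means at least one required item is missing.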
In the following article I will show you how to configure MobSF to communicate with an Android emulator and start executing Dynamic tests. Don’t forget to visit the project page to discover more about MobSF. If you are interested in security testing services, have any questions, comments, tips or tricks, or even if you want to share some of your own approaches, then reach out.
Hello, Myself Bhabesh, living in Bengaluru, Karnataka, India. I’m a Penetration Tester, Cyber Security Analyst, Threats hunter, Vulnerability founder, Bug Bounty hunter, System Hacker, Exploiting expert, Android hacker, Reverse Engineer, Malware Analyst, SIEM or UTM & SOC Analyst, Security Researcher with great innovation and latest technology gadgets.