
Static Analysis for Mobile Apps

Mobile App Static Analysis with MobSF

MobSF: Mobile Security Framework

Static analysis tools identify security issues in mobile apps and should be part of both development and QA processes. Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF is an open source toolset released as a security research platform for mobile applications incorporating tools for application security analysis, penetration testing, malware scanning, and privacy analysis. The project resides on GitHub and is licensed under GPL 3.0.

The Static Analyzer processes mobile application archives (IPA for iOS, APK for Android), generating a report of potential issues along with an overall score. The Dynamic Analyzer supports interactive testing through application instrumentation, runtime data capture, and network traffic analysis. Results are captured and made available through a web interface.

Getting Started with MobSF Static Analysis

If you are just getting started with MobSF, it’s best to get to your first scan as quickly as possible. Once you are comfortable with the system and understand the output, you can focus on adding it to your development pipeline through CI/CD.

The easiest way to run MobSF is to use the public scanner at mobsf.live. This is a reasonable option for scanning sample applications, but the results are public – potentially exposing proprietary information and vulnerabilities. Don’t do this with a “real” application.

The next alternative is to run MobSF in Docker. The README.md includes quick setup instructions, which are a snap as long as you are familiar with Docker.

Sanctuary Software runs a private MobSF server. For those who aren’t so technically inclined, we’ll give your mobile app a free scan on request. Just reach out to support@sancsoft.com with a request and we’ll coordinate the process.

Understanding Static Analyzer Output

MobSF provides deep insight into the mobile application binary, but the documentation doesn’t do a good job of explaining the results. In particular, the scanner assesses the risk associated with the application. In many cases, the risks are justified by the application requirements. For example, accessing location services is marked as dangerous, but can’t really be turned off if your application requires GPS. When reacting to the scan results, triage based on severity and focus on increasing app security while preserving app functionality.

MobSF Security Score

The Static Analyzer produces a security score from 0-100 and assigns a risk rating grade from A to F. The security score loses points for each high and medium issue identified and recovers points for each secure item identified.

Score = 100 - ((High + 0.5*Medium - 0.2*Secure) / (High + Medium + Secure) * 100)

The risk rating grading scale uses the security score with the following cut-offs: 60%+ = A, 40-59% = B, 30-39% = C, < 30% = F.

Threat Categories

Threats identified by the analyzer are categorized using the following scale:

  • High – serious security threat or misconfiguration
  • Medium – potential security threat or misconfiguration
  • Info – application information discovered that doesn’t impact the score; provided for reference and worth a look
  • Secure – an area is identified without fault, providing a positive bonus to the score
  • Hotspot – area of concern, generally based on enterprise findings (EFR_01 enabled)

Threat characterization can be impacted by the configuration and options.

Analysis Components

Static analysis for mobile apps includes the following components, which are common across the supported operating systems:

  • Code Analysis: Items marked good count as secure; each listed item impacts score
  • Permissions: Dangerous permissions show up as a hotspot
  • File Analysis: Bad certificates show up as a hotspot
  • Malicious Domains: Known malicious domains each generate a high, OFAC sanctioned countries generate a hotspot
  • Firebase: the severity of a Firebase finding depends on the URL discovered
  • Trackers: No trackers = secure, 1-4 trackers = medium; > 4 trackers = high
  • Hardcoded Secrets: any potential hardcoded secrets generates a medium
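The following is an added example, not MobSF’s own code, showing how the per-component rules listed above and the score formula and grade cut-offs from the MobSF Security Score section combine into a security score and grade. The formula, cut-offs and component rules are the ones quoted on this page; the simplified report structure, the mapping of non-good code-analysis labels onto High/Medium/Info, treating any hardcoded secret as a single Medium, and clamping the score to 0-100 are assumptions made for illustration (MobSF’s real tallying lives in its source code).

```python
"""Model the page's per-component rules and score formula on a constructed report.

Added example, not MobSF's own code. Formula, grade cut-offs and component
rules are as quoted on the page; report layout, label mapping, single-Medium
for secrets and 0-100 clamping are assumptions for illustration.
"""
from collections import Counter

# Constructed, simplified report summary (NOT real MobSF output).
SAMPLE_REPORT = {
    # (finding text, label as MobSF prints it)
    "code_analysis": [
        ("Certificate pinning is used", "good"),
        ("Raw SQL queries detected", "warning"),
        ("Debug logging enabled in release build", "warning"),
    ],
    "dangerous_permissions": ["android.permission.ACCESS_FINE_LOCATION"],
    "bad_certificates": [],
    "malicious_domains": ["bad-domain.example.invalid"],   # placeholder, constructed
    "ofac_domains": [],
    "trackers": ["Tracker A", "Tracker B"],
    "hardcoded_secrets": ["api_key=PLACEHOLDER_NOT_A_REAL_KEY"],
}


def tally_findings(report: dict) -> Counter:
    """Turn a simplified report into High/Medium/Secure/Info/Hotspot counts."""
    t = Counter()
    # Code Analysis: items marked good count as Secure; every other listed item
    # counts at its own label (assumed mapping, mirroring MobSF's labels).
    label_map = {"good": "secure", "high": "high", "warning": "medium", "info": "info"}
    for _finding, label in report.get("code_analysis", []):
        t[label_map[label]] += 1
    # Permissions / File Analysis: dangerous permissions and bad certs are Hotspots.
    t["hotspot"] += len(report.get("dangerous_permissions", []))
    t["hotspot"] += len(report.get("bad_certificates", []))
    # Malicious Domains: each known-bad domain is a High; OFAC hosts are Hotspots.
    t["high"] += len(report.get("malicious_domains", []))
    t["hotspot"] += len(report.get("ofac_domains", []))
    # Trackers: none = Secure, 1-4 = Medium, more than 4 = High.
    n_trackers = len(report.get("trackers", []))
    t["secure" if n_trackers == 0 else "medium" if n_trackers <= 4 else "high"] += 1
    # Hardcoded Secrets: any candidate secret raises a Medium (assumed: one finding).
    if report.get("hardcoded_secrets"):
        t["medium"] += 1
    # Firebase is omitted: the page only states that severity depends on the URL.
    return t


def security_score(high: int, medium: int, secure: int) -> float:
    """Score = 100 - ((High + 0.5*Medium - 0.2*Secure) / (High + Medium + Secure) * 100)."""
    scored = high + medium + secure
    if scored == 0:
        return 100.0          # assumption: nothing scored means nothing to penalise
    penalty = (high + 0.5 * medium - 0.2 * secure) / scored * 100
    # Assumption: clamp, since many Secure items could otherwise push it above 100.
    return max(0.0, min(100.0, 100 - penalty))


def risk_grade(score: float) -> str:
    """Cut-offs quoted on the page: 60%+ = A, 40-59% = B, 30-39% = C, < 30% = F."""
    if score >= 60:
        return "A"
    if score >= 40:
        return "B"
    if score >= 30:
        return "C"
    return "F"


def assess_report(report: dict) -> dict:
    """Full pipeline: tally findings, score them, grade the score."""
    t = tally_findings(report)
    score = security_score(t["high"], t["medium"], t["secure"])
    return {"tally": dict(t), "score": score, "grade": risk_grade(score)}


if __name__ == "__main__":
    result = assess_report(SAMPLE_REPORT)
    print(f"tally: {result['tally']}")
    print(f"score: {result['score']:.1f}  grade: {result['grade']}")
```

Running it on the constructed report gives one High (the malicious domain), four Mediums (two code-analysis warnings, the tracker count, the secret) and one Secure, for a score of about 53 and a grade of B; the dangerous permission shows up only as a Hotspot and never moves the score, which is exactly the point made in the Recommendations: the grade can look acceptable while a hardcoded secret still sits in the binary.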

Recommendations

Don’t worry too much about the application’s security score. Focus on producing the most secure application possible by considering the threats at each level.

  1. Remediate Highs: items should be eliminated or documented for purpose
  2. Ruminate Mediums: items should be considered and removed as possible
  3. Review Infos: items should be considered for accuracy and intention
  4. Relocate Hardcoded Secrets: secrets should be relocated to key storage; false positives can be ignored

The risk rating generated doesn’t provide a complete picture. If an app scores high, but contains private API keys or hard-coded passwords, it still has a major security issue that needs to be addressed.

If you struggle with identifying the source or resolution of an item, refer to the scanner source code as the ultimate guide, or reach out to support@sancsoft.com for assistance with your application.