POLITEKNIK SULTAN IDRIS SHAH
KEMENTERIAN PENGAJIAN TINGGI
ALL RIGHTS RESERVED
FIRST ISSUE 2022
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise,
without either the prior permission of the publisher. The entire programs included in this module have
been included for the instructional value. They have been tested with care but are not guaranteed for
any particular purpose.
Perpustakaan Negara Malaysia Cataloguing-in-Publication Data
Noor Aishah Zainiar, 1994-
Mobile Security Framework (MobSF): Performing Static Analysis for Beginners /
NOOR AISHAH ZAINIAR, NUR HAZIMAH KHALID, NURZAINI RAZALI.
Mode of access: Internet
eISBN 978-967-2860-39-6
1. Mobile computing--Security measures.
2. Mobile communication systems--Security measures.
3. Statics--Data processing.
4. Mobile apps.
5. Government publications--Malaysia.
6. Electronic books.
I. Nur Hazimah Khalid, 1990-. II. Nurzaini Razali, 1988-.
III. Title.
005.8
Published by:
Politeknik Sultan Idris Shah
Sungai Lang, 45100 Sungai Air Tawar
Selangor.
Contact : 03 – 3280 6200
Fax : 03 – 3280 6400
Website : www.psis.mypolycc.edu.my
ACKNOWLEDGEMENT
Alhamdulillah, all praises and thanks to Allah because of His Almighty for
giving us the strength and His utmost blessings, we were able to complete
this eBook.
We would like to take this opportunity to express our sincere and heartiest
gratitude to our Head of Department and Head of Programme for their
constructive comments and consultations, and guidance, that nothing is
comparable to the keen advice they provided for us in completing this
eBook.
Lastly, we would like to express our deepest appreciation to our family
members and colleagues for their understanding, support,
encouragement, cooperation, and continuous motivation throughout this
journey.
PREFACE
Mobile Computing Security and Mobile Vulnerabilities in the Secure Mobile
Computing syllabus are among the most difficult topics for students of the
Software and Application Development Track in the Department of Information
and Communication Technology. Students seem unable to grasp the basics of the
course because it is related to Computer Networking Technologies.
This eBook provides steps and detailed explanations for performing static
analysis using one of the most powerful open-source tools available online,
based on the Secure Mobile Computing course curriculum offered at Malaysian
Polytechnics.
Lastly, it is hoped that this eBook can help lecturers and students use MobSF
as one of the tools to perform penetration testing and mobile analysis in a
secure environment and to conduct simple in-class activities and tutorials.
ABSTRACT
Mobile Security Framework (MobSF): Performing Static Analysis for
Beginners introduces beginners to the different capabilities of MobSF and
how they are used to perform mobile application penetration testing in a
safe environment and an easy way. MobSF is an open-source, automated tool
that provides either static or dynamic analysis of both Android and iOS
mobile applications. The chapters in this eBook are written based on the
syllabus of Secure Mobile Computing for students of the Diploma in Digital
Technology (Information Technology). This eBook provides the knowledge and
steps to perform a static analysis for Mobile Computing Technologies, Mobile
Computing Security, and Mobile Vulnerabilities, identifying vulnerabilities,
possible threats, and attacks that might occur in mobile applications, mobile
devices, and mobile operating systems. Tutorials, examples, and installation
guidelines are provided to help beginners increase their understanding and
knowledge to perform static analysis in depth.
CONTENTS
ACKNOWLEDGEMENT
PREFACE
ABSTRACT
CONTENTS
CHAPTER 1 INTRODUCTION
• EVOLUTION OF MOBILE TECHNOLOGY
• MOBILE COMPUTING TECHNOLOGY
• MOBILE APPLICATIONS
• MOBILE COMPUTING SECURITY
CHAPTER 2 MOBILE SECURITY ANALYSIS
• MOBILE SECURITY ANALYSIS OVERVIEW
• MOBILE SECURITY FRAMEWORK (MobSF)
• OPEN WEB APPLICATION SECURITY PROJECT (OWASP)
• COMMUNITY SCORE CARD (CSC)
CHAPTER 3 MobSF REQUIREMENTS
• GETTING STARTED WITH MobSF
• INSTALLATION GUIDELINES
• COMMON ERRORS ENCOUNTERED
• ALTERNATIVE CODE ANALYSIS TOOLS
CHAPTER 4 STATIC ANALYSIS WITH MobSF
• PERFORMING STATIC ANALYSIS
CHAPTER 5 ASSESSMENTS
• TUTORIAL
REFERENCES
CHAPTER 1
INTRODUCTION
1.1 EVOLUTION OF MOBILE TECHNOLOGY
1.1.1 OVERVIEW
Mobile technology advances as humans develop technologies to improve their daily
activities, increase productivity, promote and capitalize on new business models, and
enhance communication technologies. Mobile technology consists of portable two-way
communication devices, computing devices, and the networking technology that connects
them (Mobile Technology: What is Mobile Technology?, 2022).
Figure 1.1 Mobile Technology
The communication networks that connect these devices are loosely referred to as wireless
technologies. They enable mobile devices to share voice, data, and applications. Mobile
technology is pervasive and rising, and the number of smartphone and smart device users
is expected to increase rapidly every year.
Since the 1970s, mobile communication technology had not changed much until 1983, when
it started to improve in both design and function. Thousands of cellular phone models have
been released in the telecommunication industry between 1983 and today.
Figure 1.2 Generations of Mobile Phones
Nowadays, mobile communication has become more popular due to the fast emergence of
mobile communications from 1G to 5G. This emergence of mobile technology brings the
requirement for service-compatible transmission technology and a very high increase in
regular telecommunication users. A generation refers to a change in the nature of service-
compatible transmission technology and new frequency bands. The mobile cellular era
started in the 1980s, and since then mobile communications have undergone considerable
changes and experienced massive growth (Nash, 2020).
1.1.2 MOBILE GENERATIONS
A generation in network communication is a mobile wireless standard with its own
attributes carrying values for data capacity, quality, latency, frequency, and encryption. The
Radio Access Network (RAN) has received growing interest as mobile wireless networks
evolved. RAN transport carries the voice, data, control, and signalling traffic from the cell site
Base Transceiver Stations (BTSs) to aggregation nodes and Base Station Controllers (BSCs),
between BSCs, and between the BSC and an associated Mobile Switching Center (MSC).
Optimizing this critical part of the network is a key goal of every mobile wireless network
operator (Wireless, Mobile, n.d.).
Figure 1.3 Generations of Mobile Networks
There are some standards, different ranges, new features, and techniques that differentiate
generations from each other:
❖ The first generation (1G) was analog and used for voice calls only.
❖ The second generation (2G) is a digital technology that supports text messaging.
❖ The third generation (3G) mobile technology provided higher data transmission rates,
increased capacity, and provided multimedia support.
❖ The fourth generation (4G) integrates 3G with fixed internet to support wireless
mobile internet, which is an evolution of mobile technology and it overcomes the
limitations of 3G. It also increases bandwidth and reduces the cost of resources.
❖ The fifth generation (5G) enables a new kind of network that is designed to connect
virtually everyone and everything together including machines, objects, and devices.
A. FIRST GENERATION
First Generation (1G) mobile phones were introduced in 1982 and completed in early
1990. These phones were used for voice services and were based on Advanced Mobile Phone
System (AMPS) technology. The AMPS system was frequency modulated and used
frequency division multiple access (FDMA) with a channel capacity of 30 kHz and a frequency
band of 824-894 MHz.
Figure 1.4 First Generation Mobile Phone
Various mobile technologies were introduced, such as Mobile Telephone System (MTS),
Advanced Mobile Telephone System (AMTS), Improved Mobile Telephone Service (IMTS),
and Push to Talk (PTT). 1G had unreliable handoff, low capacity, poor voice links, and no
security, since voice calls were played back in radio towers, leaving these calls vulnerable to
undesired eavesdropping by third parties.
B. SECOND GENERATION
Second Generation (2G) is based on GSM and emerged in the late 1980s. It uses digital
signals for voice transmission. This technology focused on digital signals and provided
services to deliver text and picture messages at low speed (in kbps). It uses a bandwidth of
30 to 200 kHz. After 2G, the 2.5G system uses both packet-switched and circuit-switched
domains and provides data rates up to 144 kbps, e.g., GPRS, CDMA, and EDGE.
Figure 1.5 Second Generation Mobile Phone
2G
❖ Data speed was up to 64 kbps
❖ Uses digital signals
❖ Provides phone calls
❖ Enables services such as text messages, picture messages and MMS
❖ Provides better quality and capacity
❖ Unable to handle complex data such as videos
❖ Requires strong digital signals for mobile phones to work. If there is no network
coverage in a specific area, digital signals would be weak
2.5G
❖ Data speed was up to 64-144 kbps
❖ Provides phone calls
❖ Send/receive e-mail messages
❖ Web browsing
❖ Provides better speed and capacity
❖ Camera phones
❖ Requires a longer time to download media
C. THIRD GENERATION
Third Generation (3G) was launched in 2000 and is based on the Global System for Mobile
Communications (GSM). Due to the introduction of packet switching, this technology allows
higher data transfer speeds, up to 14 Mbps. The improvement in data transfer enables better
voice quality, data services, and broader access to multimedia such as audio and video
streaming. 3G also uses a wideband wireless network with increased clarity.
Figure 1.6 Third Generation Mobile Phone
It operates at a range of 2100 MHz and has a bandwidth of 15-20 MHz, used for high-speed
internet service and video chatting. The 3G mobile system was led as UMTS (Universal
Mobile Telecommunication System) in Europe, while CDMA2000 is the name of the American
3G variant. Furthermore, IMT-2000 has accepted a new 3G standard from China, i.e.
TD-SCDMA. WCDMA is the air-interface technology for UMTS.
D. FOURTH GENERATION
Fourth Generation (4G) offers a prominent, high data download speed of 100 Mbps.
4G provides the same features as the third generation and additional services like multimedia
newspapers, watching television programs with more clarity, and sending data much faster
than previous generations.
Figure 1.7 Fourth Generation Mobile Phone
Long Term Evolution (LTE) is considered a fourth-generation technology. 4G development
has been driven by the need to accommodate the QoS and rate requirements set by
forthcoming applications such as Multimedia Messaging Services (MMS), broadband access,
video chat, HDTV content, wireless mobile TV, Digital Video Broadcasting (DVB), minimal
services like voice and data, and other services that utilize bandwidth.
E. FIFTH GENERATION
The fifth Generation (5G) started in the late 2010s. 5G aims mainly at the Wireless World
Wide Web (WWWW), which is wireless communication with no limitations. Therefore, facilities
that might be apparent with 5G technology include superior levels of connectivity and
coverage.
Figure 1.8 Fifth Generation Mobile Phone
Furthermore, 5G technology has exceptional data capabilities, the ability to connect
unrestricted call volumes, and boundless data broadcast within the current mobile operating
system. It can also handle outstanding technologies and offer priceless handsets to
customers.
1.2 MOBILE COMPUTING TECHNOLOGY
1.2.1 OVERVIEW
Since the introduction of computers such as ENIAC in the mid-twentieth century, electronic
computers have been the major catalyst for the adoption of information and communication
technology in every facet of our lives, and have thus drastically changed the way business,
culture, government, and science operate.
According to Oxford’s Advanced Learner’s Dictionary, computing is the operation of an
electronic machine that can store, organize, and find information, do processes with numbers
and other data, and control other machines. Meanwhile, Collins Dictionary describes it as the
activity of using a computer and writing programs for it.
Figure 1.9 Mobile Computing
According to Oxford’s Advanced Learner’s Dictionary, mobile refers to someone or
something that can move or be moved easily, is not fixed in one place, and moves quickly
from one place to another. Mobile computing refers to the technical field that entails the
design, development and evaluation of mobile applications using suitable solutions that meet
the user requirements.
1.2.2 INFRASTRUCTURE
Mobile communication infrastructure is the front end and back end, which may consist of
several parts: hardware, unseen infrastructure requirements, software, and networks and access.
INFRASTRUCTURE DETAILS
HARDWARE
• Cellular phone, attachable keyboards, PDAs, Notebooks, Handheld Smart Pads, Wired lines
UNSEEN INFRASTRUCTURE REQUIREMENTS
• Suitably configured wireline or wireless WAN modem
• Web Server with wireless support
• Application or database server
• Global Positioning System (GPS)
• Large enterprise application server
SOFTWARE
• Micro browser
• Mobile client operating system
• Mobile apps user interface
• Back-end legacy application software
• Application middleware
• Wireless middleware
NETWORKS AND ACCESS
• Wireless transmission media (Microwave, satellites, radio, infrared, Bluetooth, Cellular
radio technology)
• Wireless systems
A. MOBILE COMMUNICATIONS
❖ The infrastructure put in place so that seamless and reliable communication goes on.
❖ Includes elements such as protocols, services, bandwidth, and portals necessary to
facilitate and support the stated services. The data format is also defined at this stage.
❖ Ensures that there is no collision with other existing systems which offer the same
service.
❖ Since the medium is unguided or unbounded, the overlaying infrastructure is basically
radio-wave oriented and the signals are carried over the air to intended devices that
can receive and send similar kinds of signals.
Types of mobile communication systems are:
1. Mobile two-way radio
❖ E.g.: Walkie Talkie.
2. Public land radio
❖ Land Mobile Radio Systems (LMRS) are frequently used by public
safety organizations
❖ E.g.: Ambulance, police, fire services.
3. Mobile telephone
❖ E.g.: Used by anyone.
4. Amateur radio
❖ Also known as ham radio, is the use of the radio frequency spectrum for the
purpose of non-commercial exchange of messages.
❖ E.g.: Used to provide support communication during a disaster where
commercial communication systems are not available.
Figure 1.10 Mobile Communication Infrastructure
Types of Networks are as follows:
ACTIVITY DETAILS
GPS
• Use of orbiting satellites
• Determine the geographic location of the device
Wi-Fi
• Use Local Area Network (LAN)
• Access to connected resources or the internet
Bluetooth
• Use Personal Area Network (PAN)
• File sharing and linking peripheral devices
Subscriber Identity Module (SIM)
• Removable hardware token
• Providing data storage and cellular access
Cellular
• Use cell radio network carriers
• Provide voice, text and data services
Near-Field Communication (NFC)
• Use smart card emulation and reading RFID tags
• Low data rate transfers
Secure Digital (SD) Card
• Used for additional storage capacity
• Transferring data between devices
Power & Synchronous Cable
• Use wired connection for charging
• Exchanging data with a computer
B. MOBILE HARDWARE
❖ It can receive or access the service of mobility.
❖ It has a receptor medium capable of sending and receiving signals.
❖ It is configured to operate in full duplex, capable of sending and receiving signals at
the same time.
❖ It uses an existing and established network to operate on.
❖ Examples: Portable laptops, smartphones, tablet PCs, Personal Digital Assistants (PDA).
Figure 1.11 Mobile Hardware
Figure 1.12 Component of Mobile Hardware
C. MOBILE DEVICES
❖ Created using mobile components like mobile hardware and software.
❖ Portable devices with the capability to operate, execute, and provide services and
applications like a computing device.
❖ Not limited to mobile phones; various gadgets available in the market support mobile
computing, such as:
▪ Personal Digital Assistant (PDA)
▪ Portable Computers
▪ Wearable Computers
▪ A Carputer
▪ Smartphones
▪ Tablet PC and iPads
D. MOBILE SOFTWARE
❖ Also known as a computer program.
❖ It’s the essential component that operates mobile devices.
❖ Deals with the characteristics and requirements of mobile applications.
❖ Designed to run on a mobile device or hardware such as phone, tablet or watch.
❖ System software refers to operating system such as iOS, Android, Windows Phone and
SymbianOS.
❖ Application software refers to mobile application such as Gaming Apps, Business Apps,
Social Media Apps, Music Apps, Messaging and Shopping Apps.
Figure 1.13 Mobile Software
Types of Application Software:
❖ Gaming Apps – For entertainment
▪ Examples: Clash of Clans, PUBG, Candy Crush, Among Us
❖ Social Media Apps – Facebook, Instagram, LinkedIn, Twitter
❖ Business Apps – Adopting BYOD and AI
❖ Messaging Apps – Whatsapp, Telegram
❖ Shopping Apps – Shopee, Lazada, AliBaba, Amazon
❖ Streaming Apps – Youtube, NetFlix
❖ On-Demand Apps – Grab, FoodPanda, Apple Store, Google Play Store
Figure 1.14 Application Software
1.3 MOBILE APPLICATIONS
1.3.1 OVERVIEW
Mobile applications operate on a mobile device and are easy to use and accessible
from anywhere, at any time and in any place. A wide variety of applications have been made
possible by advances in mobile technology, which allow people to use them on the move.
When developing for small, portable devices, developers must account for constraints
including small screen sizes, limited connectivity, high power consumption rates, and limited
input modalities.
Figure 1.15 Mobile Application
A mobile application is easily accessible, user-friendly, inexpensive, downloadable, and
runnable on most mobile phones, including inexpensive and entry-level phones. Mobile
applications offer a variety of functionality such as calling, messaging, capturing images,
recording audio and video, browsing, chatting, social network communication, games, and
much more. Among the large number of mobile applications, some are preinstalled on the
phone and others can be downloaded from the internet and installed on the phone by the
user. This large number of mobile applications in the market is served by an increasing
number of mobile application developers, publishers, and providers.
Smartphones have become part and parcel of our daily lives through various applications
that support activities like waking up with a morning alarm, listening to music, reading news,
checking social media, watching YouTube videos, turning the lighting of our home on and off,
and the list goes on. All these applications run independently on the main operating
platforms seamlessly, thus bringing our smartphones to life in real time.
Figure 1.16 Mobile Application
Millions of new applications enter the market every year, and the demand for mobile
application development continues to rise. Although smartphone users are familiar with
operating systems (i.e., iOS and Android), users do not know the specific technology
platforms software developers use throughout the design and development process in
building apps. There are three (3) types of applications:
❖ Web applications
❖ Hybrid mobile applications
❖ Native mobile applications
A. WEB APPS
A web application is a client-server program that uses a web browser to perform a particular
function. A simple example is a contact form on a website. It has a client side and a server
side. The term "client" here refers to the program the individual uses to run the application. It
is part of the client-server environment, where many computers share information. For
example, in the case of a database, the client is the program through which the user enters
data. The server is the application that stores the information (What Is a Web Application?
How It Works, Benefits and Examples, 2020). Web applications are built using the most
in-demand programming languages, and because they are accessed via a web browser, they
can’t use hardware on mobile devices or be sold in any app store.
Figure 1.17 Web Applications
Web applications provide two-way communication between businesses and their
customers. A contact form is an example of a simple web app, where a user enters information
to sign up for a business mailing list. Other examples of web applications that could either be
part of a website or stand alone include a shopping cart and a content management system.
Web applications allow information to be shared with any device and serve a wide range of
functions, including running calculations, generating reports, manipulating images, and
editing videos.
A web application is also like software which a user can access remotely from any
device. To simplify, a web application is software that runs online. This means that a user
can use the web application only if they have an internet connection.
ADVANTAGES
❖ Available quickly in the market after development compared to mobile applications,
and they don’t need to be approved by app stores and marketplaces.
❖ Cost-effective development, where developers can build just one version to serve all
operating systems, so less development time is required for web applications compared
to mobile applications.
❖ Web applications are accessible through a browser, so they can serve users on a wide
range of devices across all operating systems.
❖ Ease of maintenance and customization, where updates are simple and can be pushed
quickly to a server for instant visibility as changes are made to a common code base.
DISADVANTAGES
❖ No offline availability: web apps aren’t available when users don’t have cell or WiFi
access, as they are dependent on the internet.
❖ Stability is affected, since web browser variations can sometimes cause challenges with
running web apps.
❖ Web applications have limited access to mobile device functionality, such as limited
access to native features on mobile devices like location services and the camera.
❖ Lessened user awareness, since most people prefer looking for applications in the Apple
Store or Google Play. Web applications are not listed in marketplaces, so users may not
be aware of them.
Figure 1.18 Web Applications
Dynamic web applications may consist of a single page or multiple pages with functionality
and design elements such as animations, a content management system, and e-commerce.
Progressive Web Apps (PWA) are a blend of mobile and web apps, which are perceived as a
mobile app while having the speed and mobile adaptability of web apps.
B. HYBRID MOBILE APPS
A hybrid application is a software application that combines the elements of web applications
and native applications and is functional across multiple platforms. Hybrid apps can be
installed on devices just like native apps, but they run via web browsers. Hybrid apps are
developed using HTML5. In terms of performance, hybrid applications are not as fast or
reliable as native apps, but they have a greater capacity for streamlining the development
process. Developers save time and resources because they don’t have to build and maintain
applications for separate platforms.
Figure 1.19 Hybrid Applications
ADVANTAGES
❖ Less development time, as the application is available for both iOS and Android, which
is the quickest way to bring a product to life and make it ready for the Google Play and
Apple App Stores.
❖ Lower cost, equivalent to fewer billable hours. As long as hybrid apps take fewer hours
to create, they will remain cheaper than building native apps.
❖ Wider user base, since users would otherwise be unable to download the application
while waiting for it to be made available for their phones’ operating system.
❖ Easier bug fixes and maintenance, since hybrid applications let the developer provide
patches and fix bugs in order to repair issues across all devices.
DISADVANTAGES
❖ Operate slower than native apps, which are built with Google’s or Apple’s own
programming languages and methods and can therefore yield better overall performance
and speed.
❖ A hybrid app has a longer testing process to make sure coding bug-fixes are rolled out to
all platforms and the applications are as close to perfect as possible.
❖ As hybrid applications are written in a third-party language, it can take developers longer
to figure out how to keep up with updates to that software and update a hybrid app to be
compatible.
❖ A hybrid application has less complex functionality that requires high performance or
relies heavily on 3D graphics and design.
C. NATIVE MOBILE APPS
Native applications are software programs that are used on a particular platform or device.
They are designed to be innate to one platform, whether it is iOS, Android, or Windows Phone.
The native platform can be profitable since it helps to optimize the user experience. Other than
that, it can operate more swiftly and intuitively.
Figure 1.20 Native Applications
ADVANTAGES
❖ Improved Usability: Since native apps are built specifically for the device they are being
used on, native apps are generally more intuitive, easy to use, and provide the best user
experience.
❖ Optimal Performance: The native option provides developers with access to the full
feature set for the operating system, so native apps run smoothly with fewer glitches.
❖ Single Customized Code Base: developing native apps is simpler and more streamlined,
as the developer is coding for only one platform at a time and not trying to use one code
base across multiple operating systems.
DISADVANTAGES
❖ Specialization required: Building a native app means finding a team of developers that
specialize in Android and iPhone development.
❖ Require strong knowledge: developers must be diligent in order to work with various
codebases for each platform on which they build.
❖ Separate development efforts: It takes two separate development efforts to build an app
for both Android and iPhone. Development may take more time as a result. On the other
hand, if you’re only planning to develop for either Android or iPhone, this consideration
doesn’t matter as much.
D. DIFFERENCES BETWEEN WEB, HYBRID AND NATIVE APPLICATIONS
Web, hybrid, and native applications each have their own advantages and disadvantages.
There are a few considerations that need to be taken note of by developers to build an
application.
Figure 1.21 Comparison between Native, Web and Hybrid Applications
WEB APPS
Definition: Web apps are responsive websites that are dependent on browsers, and not
operating systems. HTML5 is generally used to build such applications.
Performance: Web apps are responsive but have decreased intuitiveness and are much
slower when compared to native applications.
Cost and Time: Web apps are the cheapest to develop and take the least amount of time.
Hence, companies on a budget and a tight schedule opt for responsive web applications.
HYBRID APPS
Definition: Hybrid apps are created to work on more than one operating system or platform.
Hybrid apps are built using a combination of HTML5 and languages like Java.
Performance: Hybrid apps, although slower than their native counterparts, perform based on
the user interface.
Cost and Time: Hybrid apps are not as expensive to develop as native ones. Maintenance is
much simpler as it requires only one codebase to create multiple versions of the same
application.
NATIVE APPS
Definition: Native apps are developed to work on one operating system. Native apps are built
using Java, Swift, Objective-C.
Performance: A brilliant user experience is guaranteed since the performance of native apps
is outstanding. As a result, native apps are fast and have expressive UIs.
Cost and Time: Native apps are expensive to build and require high maintenance, especially
if the same application is required for multiple operating systems. Building native apps is also
a time-consuming process.
1.4 MOBILE COMPUTING SECURITY
1.4.1 OVERVIEW
Information security must be included in network communications. There are three (3)
objectives of information security that ensure data protection: confidentiality, integrity, and
availability. Any organization, corporation or institution should consider and be able to
manage risks to information security such as unauthorized modification, illegal access,
leakage of data, and data breaches. A secure environment helps the data remain private so
that only authenticated and authorized access can manage or modify the data.
Figure 1.22 CIA Triad Information Security
Whether small or big, companies need to be assured of strong data security and protection
against cyber-attacks, unauthorized access or data breaches. Weakness in information
security makes the system vulnerable to attackers’ exploitation of private customer and
business data, which leads to poor customer experience and trust, loss of business, and
reputational harm if a company does not implement sufficient protections over customer data.
A. CONFIDENTIALITY IN INFORMATION SECURITY
Confidentiality refers to the ability to protect information and not disclose it to any
unauthorized party, whether a person, program or process. Confidentiality can also be
defined as the restrictions on using any type of data. If confidentiality is compromised, this
can lead to loss of privacy and disclosure of confidential information to the public or other
persons.
B. INTEGRITY IN INFORMATION SECURITY
Integrity refers to the reliability of data. Integrity can be defined as protection against unethical
modification and loss of information, to ensure information integrity and the detection of any
changes to information. Information integrity is implemented via encryption and hashing for
the best possible protection against cyberattacks and threats.
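The following Python example is added here to illustrate the integrity objective described above; it is not code from this eBook or from the MobSF project. It shows that a plain SHA-256 digest detects any change to a file (here, constructed bytes standing in for an app package), but that whoever can change the file can also recompute an unkeyed digest, so the published digest must itself be protected. A keyed hash (HMAC) closes that gap because a valid tag cannot be produced without the key. The sample bytes and the key are constructed for the example.

```python
"""Added example (not from the eBook): integrity checking with a hash and an HMAC."""
import hashlib
import hmac

# Constructed sample bytes standing in for an app package (APK) file.
ORIGINAL_APK = b"PK\x03\x04 demo-app v1.0 classes.dex resources.arsc (constructed)"
TAMPERED_APK = ORIGINAL_APK + b" <modified content>"

# Constructed demo key; in practice a key comes from a key store, never from source code.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: detects accidental or silent modification of the data."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, published_hex: str) -> bool:
    """Compare a fresh digest against one published out of band (e.g. on a
    download page). compare_digest avoids leaking information through timing."""
    return hmac.compare_digest(sha256_hex(data), published_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of `key` can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Verify an HMAC tag with a constant-time comparison."""
    return hmac.compare_digest(hmac_tag(key, data), tag_hex)


def integrity_scenarios() -> dict:
    """Run the cases a defender cares about and return each outcome as True/False."""
    published_digest = sha256_hex(ORIGINAL_APK)        # digest shipped with the app
    published_tag = hmac_tag(DEMO_KEY, ORIGINAL_APK)   # tag computed by the key holder

    # Someone who can change the file can also recompute an unkeyed digest, so a
    # check against a digest they supply passes: this is why the digest itself
    # must be protected (published separately, signed, or keyed).
    recomputed_digest = sha256_hex(TAMPERED_APK)
    # Without DEMO_KEY, the best they can do is compute a tag under a guessed key.
    guessed_key_tag = hmac_tag(b"guessed-key", TAMPERED_APK)

    return {
        "original_matches_digest": verify_digest(ORIGINAL_APK, published_digest),
        "tampered_matches_digest": verify_digest(TAMPERED_APK, published_digest),
        "tampered_with_recomputed_digest": verify_digest(TAMPERED_APK, recomputed_digest),
        "original_matches_tag": verify_tag(DEMO_KEY, ORIGINAL_APK, published_tag),
        "tampered_matches_old_tag": verify_tag(DEMO_KEY, TAMPERED_APK, published_tag),
        "tampered_with_guessed_key_tag": verify_tag(DEMO_KEY, TAMPERED_APK, guessed_key_tag),
    }


if __name__ == "__main__":
    for case, ok in integrity_scenarios().items():
        print(f"{case:34s} -> {'PASS' if ok else 'FAIL'}")
```

Run as a script, the output shows that the modified package fails against the published digest and against the published tag, but passes against a digest recomputed over the modified bytes; only the keyed tag cannot be reproduced without the key. The same idea is why a published checksum should be obtained over a trusted channel rather than from the same location as the file.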
C. AVAILABILITY IN INFORMATION SECURITY
Availability is defined as enabling authorized users to access information whenever
they need it, regardless of the time of day, location, or any other factors. This
approach demonstrates that the data is safe and can be used in a real-time system.
Availability helps system administrators check data integrity effectively without
necessarily downloading the actual data. This makes it possible to perform secure and
complex operations on outsourced data, such as resisting server collusion and block
alteration attacks, where the data is stored in cloud computing and its integrity is
verified by a third-party verifier, even if it is impossible to access the client data.
1.4.2 INFORMATION SECURITY VECTORS
There are many information security issues of concern in all fields. In order to decrease
security incidents, whether in corporate sectors, governments or institutions, it is
recommended to provide internal and external customers with reliable security policies in
addition to promoting awareness of information security. Therefore, there are a few
information security vectors to be understood.
Figure 1.23 Information Security Issues
A. THREATS
Threats are the actions taken to gain a benefit from security breaches in a system and to
negatively impact it.
B. VULNERABILITIES
Vulnerabilities refer to flaws that exist in a system or its design which allow an attacker to
execute malicious commands, gain access to data in an unauthorized manner, and/or conduct
various denial-of-service attacks.
C. RISKS
Risks refer to the damage that attacks against IT systems can cause. It encompasses a wide
range of potential events, including data breaches, regulatory enforcement actions, financial
costs, reputational damage and much more.
D. ATTACKS
Attacks are the actions taken with the intention to damage a system or interrupt its routine
operations by exploiting vulnerabilities using various techniques and tools. Attackers launch
these attacks to achieve their malicious targets, either for self-satisfaction or financial reward.
E. CYBER SPACE
Cyber space is a global domain within the information world whose distinct characteristic is
the use of the electronic and electromagnetic spectrum to store, create, update, share and
exploit information through interconnected and interdependent networks, supported by the
latest information and communication technologies.
F. CYBER SECURITY
Cyber security is concerned with the collection of techniques, rules, policies, best practices
and approaches used to protect a user's assets and cyber organizations. Cyber security is
critical and challenging; it aims to reduce the risk of cyber-attacks and to protect against the
illegal exploitation of systems, networks and technologies.
1.4.3 MOBILE MALWARES
Malicious software, also known as malware, refers to any intrusive software developed by
cybercriminals with the purpose of stealing data or damaging or destroying computer systems.
There are several types of malware, such as Viruses, Worms, Trojans, Spyware, Adware,
Ransomware and Fileless Malware. Details on the mobile malware types are as follows:
MALWARE: EXPLANATION
Virus: A virus is malicious software attached to a document or file that supports macros to
execute its code and spread from host to host. Once downloaded, the virus will lie dormant
until the file is opened and in use. Viruses are designed to disrupt a system's ability to
operate. As a result, viruses can cause significant operational issues and data loss.
Worms: Worms are malicious software that rapidly replicates and spreads to any device
within the network. Unlike viruses, worms do not need host programs to disseminate. A worm
infects a device via a downloaded file or a network connection before it multiplies and
disperses at an exponential rate. Like viruses, worms can severely disrupt the operations of a
device and cause data loss.
Trojan: Trojans are disguised as helpful software programs. Once the user downloads one,
the Trojan can gain access to sensitive data and then modify, block, or delete that data. This
can be extremely harmful to the performance of the device. Unlike normal viruses and worms,
Trojans are not designed to self-replicate.
Spyware: Spyware is malicious software that runs secretly on a computer and reports back to
a remote user. Rather than simply disrupting a device's operations, spyware targets sensitive
information and can grant remote access to predators. Spyware is often used to steal financial
or personal information. A specific type of spyware is a keylogger, which records your
keystrokes to reveal passwords and personal information.
Adware: Adware collects data on a user's computer usage and serves matching
advertisements to the user. While adware is not always dangerous, in some cases it can cause
issues for your system. Adware can redirect a user's browser to unsafe sites, and it can even
contain Trojan horses and spyware. Moreover, significant levels of adware can slow down
your system noticeably. Because not all adware is malicious, it is important to have protection
that constantly and intelligently scans these programs.
Ransomware: Ransomware accesses sensitive information within a system and encrypts that
information so that the user cannot access it, and then demands a financial payout for the
data to be released. Ransomware is commonly part of a phishing scam. By clicking a disguised
link, the user downloads the ransomware. The attacker proceeds to encrypt specific
information that can only be opened with a mathematical key they know. When the attacker
receives payment, the data is unlocked.
Fileless Malware: Fileless malware is a type of memory-resident malware. As the term
suggests, it is malware that operates from a victim computer's memory, not from files on the
hard drive. Because there are no files to scan, it is harder to detect than traditional malware.
It also makes forensics more difficult because the malware disappears when the victim
computer is rebooted.
TUTORIAL
1. Identify the mobile generations.
2. Identify the purpose of mobile applications for user.
3. List the types of application software.
4. Describe briefly the definition of Hybrid Applications.
5. Identify the three (3) objectives of CIA triads.
6. Identify the seven (7) types of mobile malwares.
CHAPTER 2
MOBILE SECURITY ANALYSIS
2.1 MOBILE SECURITY ANALYSIS OVERVIEW
2.1.1 MOBILE APPLICATION SECURITY TESTING
The best way to prevent mobile application security issues is to detect any vulnerabilities or
threats in the application yourself. Ideally, a mobile application security test should be
conducted before you launch your application for public use. Mobile application security
testing consists of two processes that are usually performed together.
A. VULNERABILITY ASSESSMENT (VA)
Vulnerability Assessment is an evaluation of the application's infrastructure and security
mechanisms to detect the likelihood of vulnerabilities and loopholes in the app.
B. PENETRATION TESTING (PT)
Penetration testing includes exploiting the vulnerabilities found in the VA to assess the scope
of a possible hack via that vulnerability.
Figure 2.1 Mobile Application Penetration Testing Flows
2.2.1 TYPES OF APPLICATION SECURITY TESTINGS
Application Security Testing (AST) is the process of making applications more resistant to
security threats by identifying security weaknesses and vulnerabilities in source code.
Initially, AST was a manual process, but today it has been automated because of the huge
number of open-source components, the growing modularity of enterprise software, and the
large number of known vulnerabilities and threat vectors. To implement AST, most
organizations use a combination of several application security tools.
Figure 2.2 Mobile Application Penetration Testing
A. STATIC APPLICATION SECURITY TESTING (SAST)
SAST describes the process in which the components of an application are subjected to a
static analysis. This approach not only searches for security gaps but also determines the
licenses for the individual elements.
The term static comes from the fact that only the static context is used for this evaluation. All
dynamic or context-related assessments are not possible with this method. SAST can be used
to analyze the entire tech stack of an application if access to these components is possible,
which is also one of the advantages of SAST compared to other analysis methods.
B. DYNAMIC APPLICATION SECURITY TESTING (DAST)
The DAST analysis method does precisely the opposite in comparison to the SAST method.
Here the application is viewed as a black box. As soon as an executable version of the
application is available, it is attacked through automatically executed cyber-attacks. In most
cases, the general attack patterns are based on the Most Common Vulnerabilities defined by
the OWASP.
For developers who do not use these tools daily and intensively, their use is limited to the
predefined attack vectors. An advantage of this procedure is that unknown security gaps can
also be identified, as long as they are based on the Most Common Vulnerabilities. Some
manufacturers extend this approach with AI or ML techniques. The use of AI and ML
techniques here is still at a very early stage of development, and its eventual potential
cannot yet be foreseen.
C. INTERACTIVE APPLICATION SECURITY TESTING (IAST)
IAST uses software tools to evaluate application performance and identify vulnerabilities. IAST
uses an "agent-like" approach, in which agents and sensors run to repeatedly analyze the
application's workings during automated testing, manual testing, or a mix of both.
D. MOBILE APPLICATION SECURITY TESTING (MAST)
MAST tools combine static analysis, dynamic analysis and investigation of forensic data
generated by mobile applications. They can test for security vulnerabilities like SAST, DAST
and IAST, and in addition address mobile-specific issues like malicious Wi-Fi networks,
jailbreaking, and data leakage from mobile devices.
E. SOFTWARE COMPOSITION ANALYSIS (SCA)
SCA tools are used to analyze the inventory of third-party commercial and open-source
components used within company software. Enterprise applications can use thousands of
third-party components, which may contain security weaknesses. SCA helps to understand
which components and versions are actually being used, recognize the most severe security
vulnerabilities affecting those components, and understand the simplest way to remediate them.
F. RUNTIME APPLICATION SELF-PROTECTION (RASP)
RASP is capable of inspecting application behavior, as well as the surrounding context. It
captures all requests to ensure they are secure and handles request validation inside the
application. RASP can raise an alarm in diagnostic mode and prevent an attack in protection
mode, either by stopping the execution of a certain operation or by terminating the session.
While RASP and IAST have similar methods and uses, RASP does not conduct comprehensive
scans but instead runs as part of the application, inspecting its traffic and activity. Both
report on attacks as they occur; however, IAST does so during testing, while RASP does so
in production.
2.2 MOBILE SECURITY FRAMEWORK (MobSF)
2.2.1 OVERVIEW
Mobile Security Framework (MobSF) is an open-source, automated tool that provides
guidance for mobile application penetration testing, static and dynamic analysis of both
Android and iOS mobile applications, and malware testing. Using this tool helps the tester to
explore its different capabilities and how they can be used to augment mobile application
penetration testing. MobSF supports APK and IPA files, as well as zipped source code.
Figure 2.3 Mobile Security Framework Official Logo
Figure 2.4 Mobile Security Framework Static Analyzer Main Interface
2.2.2 IMPORTANCE OF MOBILE SECURITY
It is important to comprehend the importance of mobile security before focusing on
implementing malware analysis with Mobile Security Framework. Developing a mobile
application requires an initial phase that may focus on security. Mobile security can help to
prevent possible vulnerabilities and threats such as malware, encryption problems, leakage
of personal data and injection of malicious code.
Figure 2.5 Importance of Mobile Security
A weak mobile security strategy may cause issues with the user's device. Implementing mobile
security may seem time-consuming, but it is necessary to maintain a strong relationship with
users and to earn their trust. Attackers use mobile applications to generate phishing attacks
on consumers. It is up to developers to understand and counter existing mobile application
security threats and to stay updated on future threats. In order to counter extensive
cyberattacks on smartphones, the Open Web Application Security Project (OWASP), a non-profit
organization known for improving software security and for community-led open-source projects,
came out with the OWASP Top 10 to enhance mobile security frameworks. The details of the
OWASP Top 10 are discussed in the next sub-topic.
2.3 OPEN WEB APPLICATION SECURITY PROJECT
(OWASP)
2.3.1 OVERVIEW
The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to
improving the security of software. OWASP operates under an open community model, where
anyone can participate in and contribute to projects, online chats, events, and more.
OWASP ensures all materials and information are free and easily accessible on its website
for everyone. It offers everything from tools, videos, forums and projects to events. In short,
OWASP is a repository of all things web-application security, backed by the extensive
knowledge and experience of its open community contributors.
Figure 2.6 OWASP Official Logo
2.3.2 THE IMPORTANCE OF OWASP TOP 10
The OWASP Top 10 is an online document on OWASP's website that provides a ranking of,
and remediation guidance for, the top 10 most critical web application security risks and
dangers. The report is based on a consensus among security experts from around the world.
The risks are ranked based on the frequency of discovered security defects, the severity of
the vulnerabilities, and the magnitude of their potential impacts.
The report aims to give developers and web application security professionals insight
into the most prevalent security risks so that they may incorporate the report's findings and
recommendations into their security practices, thereby minimizing the presence of these
known risks in their applications.
Figure 2.7 OWASP Highlights
OWASP Top 10 is a list of the 10 most important security risks affecting web applications.
OWASP manages the Top 10 list and has been doing so since 2003. They update the list
every 2-3 years, in keeping with changes and developments in the AppSec market to reflect
industry and risk changes. The list has descriptions of each category of application security
risks and methods to remediate them. OWASP compiles the list from community surveys,
contributed data about common vulnerabilities and exploits, and vulnerability databases.
2.3.3 OWASP TOP 10 CATEGORIES
Figure 2.8 briefly shows what changed in the OWASP top 10 from 2017 to 2021. Remember
that the OWASP Top 10 is in order of importance. A01 is referring to the most important
vulnerability, A02 is the second most important, and so on.
Figure 2.8 Comparison between OWASP Top 10 2017 and Top 10 2021
COLOUR INDICATOR: DETAILS
Green arrows: Vulnerabilities that were promoted in importance
Orange arrows: Vulnerabilities that were demoted in importance
Yellow broken line arrows: Vulnerabilities removed and merged into other categories
The Open Web Application Security Project (OWASP) is a non-profit foundation which aims
to improve the security of web applications. With an increase in the number of threats to
online users, there is a growing need to focus on web application security. OWASP produces
several applications, tools, standards, and learning guides which contribute to the overall
health of the internet and help organizations to plan, develop, maintain, and operate web apps
which can be trusted.
2.4 COMMUNITY SCORE CARD (CSC)
2.4.1 DEFINITION
The Community Score Card (CSC) is a participatory, community-based monitoring and
evaluation tool that enables citizens to assess the quality of public services such as health
centers, schools, public transport, water, waste disposal systems, and so on. It is used to
inform community members about available services and their entitlements and to solicit their
opinions about the accessibility and quality of these services. By providing an opportunity for
direct dialogue between service providers and the community, the CSC process empowers
the public to voice their opinion and demand improved service delivery.
In information security, the CSC is a space where the anti-virus industry, security
professionals, and malware researchers can discuss with each other, with end users, and with
anyone who works to make the internet a safer place. This community now acts as the
collective intelligence of the anti-malware tools; comments range from deep malware
analyses to information on distribution vectors and in-the-wild locations of submitted files.
Files and URLs can be voted malicious or harmless; together these votes build a community
maliciousness score for the resource.
There are many community pages that can be joined, free or by subscription, to fight malware
through close collaboration. The purpose of involving end users in security is that everyone
must work together, and with grit, to counteract today's immense malware production rate,
the spreading problem of false positives, and the endless threat of false negatives.
TUTORIAL
1. Identify two (2) processes of mobile application testing that are usually performed together.
2. Briefly explain Static Application Security Testing (SAST).
3. Briefly explain the purpose of Mobile Security Framework (MobSF).
4. Identify two (2) purposes of the OWASP Top Ten.
5. List three (3) examples of OWASP Top Ten categories.
CHAPTER 3
MobSF REQUIREMENTS
3.1 GETTING STARTED WITH MobSF
3.1.1 OVERVIEW
There are two different methods that can be used to analyze a mobile application in MobSF:
Static Analysis and Dynamic Analysis. As mentioned in Chapter 3, Static Analysis (SAST) is a
method of computer program debugging that is done by examining the code without executing
the program. Dynamic Analysis (DAST), meanwhile, uses certain techniques to evaluate an
application while it runs, and the outcome of the testing process covers the security
weaknesses and vulnerabilities present in the application.
STATIC ANALYSIS
Advantages:
1. It can find weaknesses in the code at the exact location.
2. It can be conducted by trained software assurance developers who fully understand the code.
3. It allows a quicker turnaround for fixes, and is relatively fast if automated tools are used.
4. It permits weaknesses to be found earlier in the development life cycle, reducing the cost to fix.
5. Automated tools can scan the entire code base.
6. Automated tools can provide mitigation recommendations, reducing the research time.
Disadvantages:
1. It is time consuming if conducted manually, and it does not find vulnerabilities introduced in
the runtime environment.
2. Automated tools do not support all programming languages.
3. Automated tools produce false positives and false negatives.
4. There are not enough trained personnel to thoroughly conduct static code analysis.
5. Automated tools can provide a false sense of security that everything is being addressed.
DYNAMIC ANALYSIS
Advantages:
1. It identifies vulnerabilities in a runtime environment.
2. Automated tools provide flexibility on what to scan for.
3. It allows for analysis of applications in which you do not have access to the actual code.
4. It identifies vulnerabilities that might have been false negatives in the static code analysis.
5. It permits you to validate static code analysis findings.
6. It can be conducted against any application.
Disadvantages:
1. Automated tools provide a false sense of security that everything is being addressed.
2. Automated tools produce false positives and false negatives.
3. Automated tools are only as good as the rules they are using to scan with.
4. There are not enough trained personnel to thoroughly conduct dynamic code analysis.
5. It is more difficult to trace the vulnerability back to the exact location in the code, taking
longer to fix the problem.
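As an added example of the static approach described here and under SAST in Chapter 2 (not code from this module or from MobSF): the script reads a constructed AndroidManifest.xml and reports weak settings the way a static analyzer does, without executing the application. The package name, component names, permission subset and severities are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # ElementTree form of the android: prefix

# Constructed AndroidManifest.xml for the demo; package name and components are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

# Application-level flags checked first, with the severity this demo assigns to each.
APP_FLAG_RULES = (
    ("debuggable", "high", "application is debuggable"),
    ("allowBackup", "medium", "application data can be extracted through a backup"),
    ("usesCleartextTraffic", "medium", "cleartext (HTTP) traffic is permitted"),
)
# Permissions that expose sensitive user data; a short constructed subset for the demo.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def is_launcher(component):
    """True when the component carries a LAUNCHER intent filter, so being exported is expected."""
    for flt in component.findall("intent-filter"):
        if any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in flt.findall("category")):
            return True
    return False

def analyze_manifest(xml_text):
    """Static check of a manifest; returns (severity, message) tuples without running the app."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name", "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(("medium", "sensitive permission requested: " + name))
    app = root.find("application")
    if app is None:          # a manifest without <application> has nothing more to check
        return findings
    for attr, severity, message in APP_FLAG_RULES:
        if app.get(A + attr, "false").lower() == "true":
            findings.append((severity, message))
    for comp in app:         # components explicitly exported to other apps, launcher excepted
        if comp.tag in COMPONENT_TAGS and comp.get(A + "exported") == "true" and not is_launcher(comp):
            findings.append(("high", "%s %s is exported to other apps" % (comp.tag, comp.get(A + "name"))))
    return findings

if __name__ == "__main__":
    for severity, message in analyze_manifest(SAMPLE_MANIFEST):
        print("[%s] %s" % (severity.upper(), message))
```

Each finding points at the exact manifest setting, which is the static-analysis advantage the table lists; whether the exported receiver is actually reachable at runtime is a question only dynamic analysis can answer.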