L. DYNAMIC ANALYSIS
Dynamic analysis is the testing and evaluation of a program based on executing it with selected data. The intention of performing dynamic analysis is to test and find errors in a program while it is running, thus avoiding the need to examine the code offline repeatedly. The tester can only use this feature with MobSF running inside Docker or a virtual machine. Genymotion is the preferred dynamic analysis environment and can be set up with the least friction by starting the Genymotion Android virtual machine before starting MobSF. Click the MobSFy Android Runtime button in the Dynamic Analyzer to prepare the runtime environment.
Figure 4.51 Dynamic Analysis
TUTORIAL
1. List five (5) elements that will be generated when conducting static analysis.
2. Identify all four (4) security results shown when the user clicks MobSF Security Scorecard.
3. Identify four (4) details that will be shown in the summary report.
4. Briefly explain the Reconnaissance tab for the user when using MobSF.
5. Identify all six (6) security analysis reports that will be provided when running MobSF.
6. Identify a device to use to perform static analysis using MobSF and download the APK file named Instagram (Android version). Use the checklist to conduct your analysis.
CHAPTER 5
TUTORIAL
5.1 TUTORIAL
5.1.1 PERFORM CHECKLIST
The installation process is straightforward and easy to understand. However, care is needed when selecting a device, and the prerequisite requirements need to be fulfilled to ensure that static analysis can be run without problems. The installation guidelines are provided in the previous chapter.
STEP DETAILS TICK (/)
1 Identify the device to use
2 Install basic requirements
3 Install MobSF
4 Run MobSF in a web browser
5 Download APK file from any online sources
6 Upload the APK file in the MobSF
7 Click run to perform static analysis
8 Analyze the results
9 Download and print PDF report for future references
5.1.2 STEP 1
Figure 5.1 Device Requirements
It is advisable to perform static analysis in a virtual environment, such as a Linux Ubuntu operating system installed in VirtualBox, to ensure an isolated and secure environment. The goal of virtual machine software is to provide a platform that can run multiple operating systems concurrently, both efficiently and with an accepted level of isolation.
Figure 5.2 Download Operating System for Virtual Machine
5.1.3 STEP 2
There are many ways to do the initial setup, and users can select the one that is most suitable and easiest for them to start with. The tool can be cloned locally from the GitHub repository located at https://github.com/MobSF/Mobile-Security-Framework-MobSF or obtained as a prebuilt Docker image from Docker Hub at https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/. Once the prerequisites are in place and you have cloned the repository from GitHub, you can proceed to run setup.sh (Mac OS or Linux OS) or setup.bat (Windows OS).
DEVICE REQUIREMENTS
Mac OS
• Install Git
• Install latest or Python 3.8-3.9
• After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
• Install JDK 8+
• Install command line tools: xcode-select --install
• Download and install wkhtmltopdf as per the wiki instructions
• Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux
Windows OS
• Install Git
• Install latest or Python 3.8-3.9
• Install JDK 8+
• Install Microsoft Visual C++ Build Tools
• Install OpenSSL (non-light)
• Download and install wkhtmltopdf as per the wiki instructions
• Add the folder that contains the wkhtmltopdf binary to the environment variable PATH
Ubuntu / Debian based Linux OS
• Install Git: sudo apt-get install git
• Install latest or Python 3.8-3.9: sudo apt-get install python3.8
• Install JDK 8+: sudo apt-get install openjdk-8-jdk
• Install the following dependencies:
sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
5.1.4 STEP 3
The best way to learn static analysis and develop new skills in malware testing is to set up the tool from scratch. Users can select any device to perform static analysis with MobSF by installing it after fulfilling the basic system requirements mentioned in the previous subtopic.
MobSF supports mobile application binaries such as IPA, APK and APPX, in addition to zipped source code. If the setup completes with no issues or errors, you can run the appropriate file as detailed at https://mobsf.github.io/docs/#/running, and navigate to “http://localhost:8000” in your browser to begin using MobSF.
DEVICE REQUIREMENTS
Mac OS: install MobSF by opening a bash terminal and following these steps:
• git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
• cd Mobile-Security-Framework-MobSF
• ./setup.sh
• Run the tool: ./run.sh 127.0.0.1:8000
Windows OS: install MobSF by opening a command prompt and following these steps:
• git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
• cd Mobile-Security-Framework-MobSF
• setup.bat
• Run the tool: run.bat 127.0.0.1:8000
Ubuntu / Debian based Linux OS: install MobSF by opening a bash terminal and following these steps:
• git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
• cd Mobile-Security-Framework-MobSF
• ./setup.sh
• Run the tool: ./run.sh 127.0.0.1:8000
5.1.5 STEP 4
After successfully following the installation guidelines in the previous chapter, MobSF can be accessed in a web browser by typing the localhost URL http://127.0.0.1:8000. We can then upload an APK or IPA file to MobSF and let it analyze the application and identify all the possible vulnerabilities it can detect.
Figure 5.3 Installing MobSF
Figure 5.4 MobSF Main Page using localhost 127.0.0.1:8000
5.1.6 STEP 5
As a beginner, we can start by downloading an APK file on which to perform the static analysis. There are many websites that provide APK files for free, and we can easily search for applications by category among those available in the Google Play Store.
Figure 5.5 One of the official websites to download an APK file
Figure 5.6 Download an APK file to run static analysis
5.1.7 STEP 6
After downloading the APK file, we can simply drag and drop the file into MobSF and let it scan and analyze the file automatically.
Figure 5.7 Drag and drop the APK file into MobSF
Figure 5.8 Wait while MobSF analyzes the APK file
5.1.8 STEP 7
Analyzing the file may take some time, depending on the size of the uploaded file. A bigger file will take longer to process and analyze.
Figure 5.9 Uploading a file
Figure 5.10 Analyzing a file
5.1.9 STEP 8
A static analysis report will be generated automatically once the analysis process is completed.
Figure 5.11
5.1.10 STEP 9
Once MobSF is up and running, any mobile application file can be uploaded. MobSF analyzes the file and creates a report that summarizes the functionality within the application, as well as potential issues that should be noted and checked. These reports can be exported in PDF format for further use or shared with other teams. MobSF reports contain information on everything from whether a file is securely signed, and how that was done, to the functionality that the application will utilize once installed on a device.
Figure 5.12 Print Report
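Steps 6 to 9 of the checklist (upload, scan, download the PDF report) can also be driven from MobSF's REST API, which is useful once you want to scan several APK files from the tutorial in one go. The script below is an added example, not code from this eBook or from the MobSF project; it assumes MobSF is listening at http://127.0.0.1:8000, that the API key printed on the MobSF console at startup is in the MOBSF_API_KEY environment variable, and that the server identifies a scan by the MD5 of the uploaded file (which the script uses to confirm that what the server received is exactly what was sent).

```python
"""Added example: automate MobSF checklist steps 6-9 with only the standard library.
Assumptions: MobSF at MOBSF_URL (default http://127.0.0.1:8000), API key in MOBSF_API_KEY,
and the scan 'hash' returned by MobSF is the MD5 of the uploaded file."""
import hashlib
import json
import os
import sys
import urllib.request
from pathlib import Path
from urllib.parse import urlencode

BASE = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
API_KEY = os.environ.get("MOBSF_API_KEY", "")


def looks_like_apk(data: bytes) -> bool:
    """APK files are ZIP archives: reject anything without the ZIP magic before uploading."""
    return data[:4] == b"PK\x03\x04"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_multipart(field: str, filename: str, data: bytes, boundary: str = "MobSFBoundary"):
    """Minimal multipart/form-data body for the upload endpoint; returns (body, content_type)."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def api(path: str, body: bytes, ctype: str) -> bytes:
    req = urllib.request.Request(f"{BASE}{path}", data=body, method="POST",
                                 headers={"Authorization": API_KEY, "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=600) as resp:   # large APKs scan slowly
        return resp.read()


def scan_apk(path: str) -> bytes:
    """Upload the APK, verify the server's hash, run the static scan and return the PDF bytes."""
    data = Path(path).read_bytes()
    if not looks_like_apk(data):
        raise ValueError(f"{path} is not a ZIP/APK file")
    body, ctype = build_multipart("file", Path(path).name, data)
    up = json.loads(api("/api/v1/upload", body, ctype))
    if up.get("hash") != md5_hex(data):   # integrity check: the server got what we sent
        raise RuntimeError(f"server hash mismatch: {up!r}")
    form = urlencode({k: up[k] for k in ("scan_type", "file_name", "hash")}).encode()
    api("/api/v1/scan", form, "application/x-www-form-urlencoded")
    pdf_form = urlencode({"hash": up["hash"]}).encode()
    return api("/api/v1/download_pdf", pdf_form, "application/x-www-form-urlencoded")


if __name__ == "__main__":
    report = scan_apk(sys.argv[1])
    Path(sys.argv[1] + ".report.pdf").write_bytes(report)
```

Run it as `python mobsf_scan.py app.apk`; the PDF lands next to the APK, matching the report you would print from the web interface in Step 9.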
TUTORIAL
1. Test yourself by performing a static analysis using MobSF. Use the following APK files to start the analysis. Compare the results and carefully analyze the vulnerabilities found by MobSF.
a) Google Play Store
b) Lazada – Online Shopping App
c) Twitter
d) Netflix
e) Among Us
AUTHOR’S BACKGROUND
Noor Aishah binti Zainiar is currently working as a Lecturer for Diploma in Information Technology (Digital Technology) - Networking System Track in the Department of Information and Communication Technology of Sultan Idris Shah Polytechnic. Her interests include wireless network technologies, network security, and cybersecurity operations.
Nur Hazimah binti Khalid is currently working as a Lecturer for Diploma in Information Technology (Digital Technology) - Software and Application Development Track in the Department of Information and Communication Technology of Sultan Idris Shah Polytechnic. Her interests include data analytics, database design and management, and business intelligence.
Nurzaini binti Razali is currently working as a Lecturer for Diploma in Information Technology (Digital Technology) - Networking System Track in the Department of Information and Communication Technology of Sultan Idris Shah Polytechnic. Her interests include mobile and wireless communication technologies.
Mobile Security Framework (MobSF): Performing Static Analysis for Beginners introduces beginners to the different capabilities of MobSF and how they are used to perform mobile application penetration testing in a safe environment and an easy way. MobSF is an open-source, automated tool that provides both static and dynamic analysis of Android and iOS mobile applications. This eBook provides the knowledge and steps to perform static analysis in order to identify vulnerabilities that might occur in mobile applications, mobile devices, and mobile operating systems. Tutorials, examples, and installation guidelines are provided to help beginners increase their understanding and ability to perform static analysis in depth.
Politeknik Sultan Idris Shah
Sungai Lang, 45100 Sungai Air Tawar, Selangor.
Contact : 03 – 3280 6389
Website : www.psis.mypolycc.edu.my