3.1.2 STATIC ANALYSIS AS A PROBLEM SOLVER
Static analysis can be done using automated tools to assist programmers and developers in
software development teams and quality assurance specialists in quality assurance teams. The
tool scans all code in a project for vulnerabilities while validating the code. The static analysis
process is also useful for addressing weaknesses in source code that could lead to buffer
overflows, a common software vulnerability.
Static analysis is generally good at finding coding issues such as:
❖ Programming errors
❖ Coding standard violations
❖ Undefined values
❖ Syntax violations
❖ Security vulnerabilities
There are several static analysis methods an organization could use, which include:
❖ Control analysis - focuses on the control flow in a calling structure. For example, a
control flow could be a process, function, method or subroutine.
❖ Data analysis - makes sure defined data is properly used while also making sure data
objects are operating properly.
❖ Fault/failure analysis - analyzes faults and failures in model components.
❖ Interface analysis - verifies simulations to check the code and makes sure the interface
fits into the model and simulation.
3.2 INSTALLATION GUIDELINES
3.2.1 SYSTEM REQUIREMENTS
As discussed in the previous chapter, the user can perform static analysis once the requirements
have been fulfilled. The user can use Mac OS, Windows OS or Linux OS to install MobSF.
Another way to perform static analysis safely is to conduct it in a virtual machine and install
the requirements there.
There are many ways to do the initial setup, and the user can select the one most suitable and
easiest for them to start with. The tool can be cloned locally from the GitHub repository located
at https://github.com/MobSF/Mobile-Security-Framework-MobSF or pulled as a prebuilt Docker
image from Docker Hub at
https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/. Once the
requirements are in place and you have cloned the repository from GitHub, you can proceed to
run setup.sh (Mac OS and Linux OS) or setup.bat (Windows OS).
DEVICE                 REQUIREMENTS
Mac OS                 • Install Git
                       • Install the latest Python 3.8-3.9
                       • After installing Python 3.8+, go to /Applications/Python 3.8/ and run
                         Update Shell Profile.command first and then Install Certificates.command
                       • Install JDK 8+
                       • Install command line tools: xcode-select --install
                       • Download and install wkhtmltopdf as per the wiki instructions
                       • Windows App Static Analysis requires a Windows host or a Windows VM
                         on Mac and Linux
Ubuntu / Debian based  • Install Git: sudo apt-get install git
Linux OS               • Install the latest Python 3.8-3.9: sudo apt-get install python3.8
                       • Install JDK 8+: sudo apt-get install openjdk-8-jdk
                       • Install the following dependencies:
                         sudo apt install python3-dev python3-venv python3-pip build-essential
                         libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
                         wkhtmltopdf
Windows OS             • Install Git
                       • Install the latest Python 3.8-3.9
                       • Install JDK 8+
                       • Install Microsoft Visual C++ Build Tools
                       • Install OpenSSL (non-light)
                       • Download and install wkhtmltopdf as per the wiki instructions
                       • Add the folder that contains the wkhtmltopdf binary to the PATH
                         environment variable.
3.2.2 INSTALLATION PROCESS
The best way to perform static analysis, and to learn and develop new skills in malware testing,
is to set up the tool from scratch. Users can select any device to perform static analysis
using MobSF by installing it after fulfilling the basic system requirements mentioned in the
previous subtopic.
MobSF supports mobile application binaries such as IPA, APK and APPX in addition to zipped
source code. If the setup completes without issues or errors, run the suitable file as detailed
at https://mobsf.github.io/docs/#/running, and navigate to http://localhost:8000 in your browser
to begin using MobSF.
DEVICE                 INSTALLATION STEPS
Mac OS                 Install MobSF by opening a bash terminal and following these steps:
                       • git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
                       • cd Mobile-Security-Framework-MobSF
                       • ./setup.sh
                       • Run the tool: ./run.sh 127.0.0.1:8000
Windows OS             Install MobSF by opening a command prompt and following these steps:
                       • git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
                       • cd Mobile-Security-Framework-MobSF
                       • setup.bat
                       • Run the tool: run.bat 127.0.0.1:8000
Ubuntu / Debian based  Install MobSF by opening a bash terminal and following these steps:
Linux OS               • git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
                       • cd Mobile-Security-Framework-MobSF
                       • ./setup.sh
                       • Run the tool: ./run.sh 127.0.0.1:8000
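Most of the installation failures described later in this chapter come from a Python or JDK version that does not match the requirements table. The following preflight script is an added example written for this eBook (it is not part of MobSF); it only reports what is missing and installs nothing. The accepted ranges (Python 3.8-3.9, JDK 8+) and the tool names (git, python3, java, wkhtmltopdf) are taken from the requirements table above. Run it as `sh preflight.sh run` on Mac OS or Linux before `./setup.sh`.

```shell
#!/bin/sh
# Added example: check MobSF prerequisites before running setup.sh.
# Version limits come from the requirements table (Python 3.8-3.9, JDK 8+).

# Return 0 when a Python version string "X.Y[.Z]" is in the 3.8-3.9 range.
python_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 3 ] 2>/dev/null || return 1
    [ "$minor" -ge 8 ] 2>/dev/null && [ "$minor" -le 9 ]
}

# Return 0 when a Java version string is JDK 8 or newer.
# Handles both the legacy "1.8.0_292" form and the modern "11.0.12" form.
java_version_ok() {
    v=$1
    case "$v" in
        1.*) v=${v#1.} ;;
    esac
    major=${v%%.*}
    [ "$major" -ge 8 ] 2>/dev/null
}

# Report every missing tool or unsupported version; exit status 1 if any check failed.
preflight() {
    rc=0
    for tool in git python3 java wkhtmltopdf; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "ok:      $tool found at $(command -v "$tool")"
        else
            echo "missing: $tool"
            rc=1
        fi
    done
    if command -v python3 >/dev/null 2>&1; then
        pyv=$(python3 -c 'import sys; print("%d.%d.%d" % sys.version_info[:3])')
        if python_version_ok "$pyv"; then
            echo "ok:      python $pyv"
        else
            echo "bad:     python $pyv (MobSF needs 3.8-3.9)"
            rc=1
        fi
    fi
    if command -v java >/dev/null 2>&1; then
        # java -version writes to stderr; the version sits in the first quoted string
        jv=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
        if java_version_ok "$jv"; then
            echo "ok:      java $jv"
        else
            echo "bad:     java $jv (MobSF needs JDK 8+)"
            rc=1
        fi
    fi
    return $rc
}

# Run the checks only when invoked as: sh preflight.sh run
case "${1:-}" in
    run) preflight ;;
esac
```

The version parsers are kept separate from the command probing so they can be checked on their own; on Windows the same checks would be typed into PowerShell instead, where `python --version` and `java -version` print the same version strings.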
Once MobSF is up and running, upload any mobile application file and MobSF will analyze the
file and create a report summarizing the functionality within the application, as well as
potential issues that should be noted and checked. When multiple files are tested or analyzed
at once, the generated reports can be reviewed at any time through the “Recent Scans” tab and
then exported in PDF format for review outside of the application.
Figure 3.1 MobSF installation process
Figure 3.2 MobSF Main Page
3.3 COMMON ERRORS ENCOUNTERED
3.3.1 ERRORS USING MobSF
Some users may encounter a few errors while installing MobSF on their device. This may be
because the tool is incompatible with the device or because some packages were not installed
properly. Some common errors are as follows:
A. DATABASE-RELATED EXCEPTIONS WHEN RUNNING STATIC ANALYSIS
Figure 3.3 Database Related Exceptions
Solution: If the user sees exceptions like the one above, it is most probably because the user
has a newer version of MobSF with database schema changes. Therefore, kindly ensure the
basic requirements of the installation process are fulfilled and compatible with your device.
Refer to the previous subtopic of this chapter on the installation guidelines and system
requirements to avoid mistakes and errors when performing static analysis.
B. MobSF FAILED TO RECOGNIZE FILE DATA UPLOADED
Figure 3.4 MobSF Failed to Recognize File Data Uploaded
Solution: If the user sees exceptions like the one above, it may be due to server problems or
internet connection issues, or because the basic requirements have not yet been completed, such
as the version of Python that has been installed. The user may troubleshoot the internet
connection first. Therefore, kindly ensure the basic requirements of the installation process
are fulfilled and compatible with your device. Refer to the previous subtopic of this chapter on
the installation guidelines and system requirements to avoid errors when performing static
analysis.
C. APK FAILED TO INSTALL
Figure 3.5 APK failed to install
Figure 3.6 APK failed to install
Solution: The INSTALL_FAILED_NO_MATCHING_ABIS error is shown when you are trying
to install an app that has native libraries targeting an unsupported architecture such as ARM.
Genymotion and the Android Studio x86 emulator run the x86 or x86_64 architecture of Android,
so ARM libraries cannot work. Thus, you need to provide the right APK targeting the right
platform, or use an ARM architecture-based Android Studio emulator for Dynamic Analysis.
D. MobSF FAILED TO INSTALL
Figure 3.7 MobSF failed to install
Solution: If the user sees exceptions like the one above, it is exactly the same issue as in Part
C: the basic requirements have not yet been completed, for example the version of Python that
has been installed is not the version required by MobSF. Therefore, kindly ensure the basic
requirements of the installation process are fulfilled and compatible with your device. Refer
to the previous subtopic of this chapter on the installation guidelines and system requirements
to avoid errors when performing static analysis.
E. MobSF FAILED TO PERFORM DYNAMIC ANALYSIS
Figure 3.8 MobSF failed to perform dynamic analysis
Solution: If the user sees exceptions like the one above, the user might need to consider using
the Host/Proxy Settings. Kindly ensure that the Proxy IP and the Virtual Machine IP are in the
same IP range to avoid problems with the internet connection. Next, kindly ensure that an
Android instance identifier is configured on the device, since Dynamic Analysis can only be
performed in a Virtual Machine environment with an Android Emulator AVD (non-production).
3.4 ALTERNATIVE CODE ANALYSIS TOOLS
There are many static analysis tools available, both as online tools and as paid versions.
Some of the tools recommended in this eBook are:
A. WIRESHARK
Wireshark is widely used as a network protocol analyzer. A network packet analyzer presents
captured packet data in as much detail as possible and performs deep inspection of hundreds
of protocols. It helps the tester to see what is happening on their networks using live capture
from many different network media, including Ethernet, Wireless LAN, Bluetooth, USB, and
more. The specific media types supported may be limited by several factors, including
hardware and operating system. It can be downloaded and installed freely, as it offers the tester
an open-source version as well as a paid version for commercial or organizational use.
Figure 3.9 Wireshark Official Logo
Wireshark performs three (3) main functions:
1. Packet Capture: Wireshark listens to a network connection in real time and captures
entire streams of traffic.
2. Filtering: Wireshark is capable of slicing and dicing all of this raw live data using
filters to obtain just the required information.
3. Visualization: Wireshark, like any good packet sniffer, allows a tester to get into the
very middle of a network packet and visualize entire conversations and network
streams.
B. VIRUSTOTAL
VirusTotal is an online service that analyses suspicious files and URLs to detect any type of
malicious software and malicious content using anti-virus engines and website scanners. It
provides an API that allows users to access the information generated by VirusTotal. The file
and URL characterization tools used by VirusTotal cover a wide range of purposes: heuristic
engines, known-bad signatures, metadata extraction, identification of malicious signals and
more. VirusTotal is free to end users for non-commercial use.
Figure 3.10 VirusTotal Official Logo
Malicious activity signatures are updated frequently by VirusTotal as they are distributed by
anti-virus companies. VirusTotal not only tells you whether a submitted file is detected as
malicious by an antivirus solution but also displays each engine's detection label.
The URL scanner feature discriminates between malware sites, phishing sites, suspicious
sites, etc. Some engines give extra information by stating explicitly whether a given URL
belongs to a particular botnet, which brand is targeted by a given phishing site, and so on.
C. OWASP ZED ATTACK PROXY (ZAP)
OWASP ZAP is a free, open-source penetration testing tool maintained by the Open Web
Application Security Project (OWASP). ZAP is designed specifically for testing web
applications and is both flexible and extensible. It is intended to be used by those new to
application security as well as by professional penetration testers.
Figure 3.11 OWASP ZAP Official Logo
ZAP is what is known as a “man-in-the-middle proxy”. It stands between the tester’s browser
and the web application so that it can intercept and inspect messages sent between the browser
and the web application, modify the contents if needed, and then forward those packets on to
the destination. It can be used as a stand-alone application or as a daemon process.
ZAP provides functionality for a range of skill levels – from developers, to testers new to
security testing, to security testing specialists. ZAP has versions for each major OS and for
Docker, so you are not tied to a single OS. Additional functionality is freely available from a
variety of add-ons in the ZAP Marketplace, accessible from within the ZAP client.
Because ZAP is open-source, the source code can be examined to see exactly how the
functionality is implemented. Anyone can volunteer to work on ZAP: fix bugs, add features,
create pull requests to pull fixes into the project, or write add-ons to support specialized
situations.
D. IMMUNIWEB AI
ImmuniWeb AI is a company that provides a platform leveraging Artificial Intelligence (AI) and
Machine Learning technology to deliver both web and mobile security testing. The company
creates multiple AI-based products that work alongside human intelligence to detect more
vulnerabilities and risks within applications, open-source software and other programs without
returning false positive results.
Figure 3.12 ImmuniWeb AI Official Logo
Furthermore, it helps enterprise customers from over fifty (50) countries to test, secure and
protect their applications, cloud and infrastructure, reduce supply chain attacks, prevent data
breaches and maintain compliance requirements. ImmuniWeb AI provides:
❖ API Penetration Testing
❖ Attack Surface Management
❖ Cloud Penetration Testing
❖ Cloud Security Posture Management
❖ Continuous Penetration Testing
❖ Cyber Threat Intelligence
❖ Dark Web Monitoring
❖ Digital Brand Protection
❖ GDPR Penetration Testing
❖ Mobile Penetration Testing
❖ Network Security Assessment
❖ PCI DSS Penetration Testing
❖ Third-Party Risk Management
❖ WAF Security Testing
❖ Web Penetration Testing
❖ Web Application Scanning
E. SONARQUBE
SonarQube is a Code Quality Assurance tool that collects and analyses source code and
provides reports on the project’s code quality. It combines static and dynamic analysis tools
and enables quality to be measured continually over time.
Figure 3.13 SonarQube Official Logo
SonarQube also improves application security and code reliability, and reduces technical debt
by making your code base clean and maintainable. SonarQube provides support for 27
different languages, including C, C++, Java, JavaScript, PHP, Go, Python, and many more.
SonarQube also provides CI/CD integration, and gives feedback during code review with
branch analysis and pull request decoration.
The SonarQube platform significantly extends the lifetime of applications by reducing
complexity, duplication and potential bugs in the code, by keeping the code architecture neat
and clean, and by increasing unit tests. SonarQube increases the maintainability of the
software and its ability to handle changes.
F. CHECKMARX SAST (CxSAST)
Checkmarx SAST is another popular enterprise-grade static analysis tool that can identify
hundreds of security vulnerabilities in code early in the development process, across over 25
coding and scripting languages. CxSAST is a flexible and accurate static analysis solution
used to find hundreds of types of security vulnerabilities in custom code and open-source
components. Integrations with build tools, continuous integration servers, IDEs, bug tracking
solutions, and other development tools allow CxSAST to adapt to your existing software
development lifecycle.
Figure 3.14 Checkmarx SAST Official Logo
In Continuous Integration and Agile environments, security must be integrated into the
development process. Other static analysis solutions don’t fit well due to their lengthy scan
times. Checkmarx CxSAST resolves this by using incremental scanning to analyze only newly
introduced or modified code, reducing scanning time by up to 80%, and it integrates with CI
servers to automate security testing. CxSAST is available as a standalone product and can
be effectively integrated into the Software Development Lifecycle (SDLC) to streamline
detection and remediation. CxSAST can be deployed on-premises in a private data center or
hosted in a public cloud.
G. SYNOPSYS COVERITY
Synopsys Coverity is a SAST tool for rapidly finding and fixing bugs such as critical defects,
vulnerabilities, and lapses in compliance standards; it is easy to use, accurate, scalable, and
integrates well into development environments.
Figure 3.15 Synopsys Official Logo
Since Coverity helps to identify vulnerabilities in source code early, it saves organizations
time, effort and money in the long run. Coverity can be used for both mobile and web
applications. Key features of Coverity are as follows:
❖ It integrates seamlessly with any build system and generates a high-fidelity
representation of the source code to ensure a deep understanding of its behavior.
❖ It provides full path coverage, ensuring that every line of code and every potential
execution path are tested. It utilizes multiple patented techniques to ensure deep,
accurate analysis.
❖ It provides highly accurate analysis results, so developers do not waste time managing
large volumes of false positive results, through a deep understanding of the source code
and the underlying frameworks. This enables them to effectively build security into the
development lifecycle.
❖ It allows rapid integration of critical tools and systems used to support the development
process such as source control management, build and continuous integration, bug
tracking, integrated development environments (IDE) and application lifecycle
management (ALM) solutions.
❖ It is an open platform that allows developers to import third party analysis results into
the workflow to view and manage all types of defects in the same way with a single
view of software defects and risks.
TUTORIAL
1. Identify two (2) advantages and disadvantages of performing static analysis.
2. List four (4) methods that can be used by an organization when performing static analysis.
3. List three (3) alternative tools that can provide similar results and analysis when performing
malware analysis.
CHAPTER 4
STATIC ANALYSIS WITH MobSF
4.1 PERFORMING STATIC ANALYSIS
4.1.1 CHECKLIST
Static analysis is emerging as an attractive way to detect violations of code quality and security
requirements. Static analysis scans code looking for confusing code, bad practices, and
property violations. Unlike code review and dynamic analysis, static analysis is automatic and
can verify the absence of entire classes of bugs. Therefore, this chapter provides a simple
checklist that can be used by a beginner to run a static analysis using MobSF. In order to
perform a static analysis using MobSF, a beginner can use the following steps:
STEP  DETAILS
1     Identify the device to use (in this example, Linux Ubuntu)
2     Install basic requirements
3     Install MobSF
4     Run MobSF in the web browser: localhost/127.0.0.1:8000
5     Download an APK file from any online source
6     Upload the APK file in MobSF
7     Click run to perform static analysis: MobSF will automatically perform the static analysis
8     Analyze the results: Static Analyzer interface of MobSF
9     Download and print the PDF report for future reference
The installation process is straightforward and easy to understand. However, care is needed
when selecting a device, and the prerequisite requirements need to be fulfilled to ensure that
static analysis can be run without problems. The installation guidelines are provided in the
previous chapter.
4.1.2 MobSF MAIN PAGE
After successfully following the installation guidelines in the previous chapter, MobSF can be
accessed in the web browser by typing the localhost URL http://127.0.0.1:8000. We can then
analyze and identify all the possible vulnerabilities that MobSF finds by uploading an APK or
IPA file to MobSF.
Figure 4.1 Mobile Security Framework Main Page
The best practice when using MobSF is to familiarize yourself with the interface first and
understand how to use the tool. The features of MobSF are as follows.
FEATURE                      DETAILS
Upload and Analyze Files     To upload an APK or IPA file on which the user wants to perform
                             penetration testing
Recent Scans                 To preview and download recently scanned APK or IPA files
                             conducted by the user themselves or by other people who recently
                             used MobSF
Static Analyzer              Static Analysis report presentation view
Dynamic Analyzer             Dynamic Analysis report presentation view
API Documentations           API documentation that can be used by any user to understand
                             the MobSF framework
About MobSF                  Brief introduction and names of the developers of MobSF
Searching Bar for MD5 files  Search bar for the hashing algorithm (unstable and currently
                             cannot be used)
A. UPLOAD AND ANALYZE FILES
We can either click the Upload & Analyze button or simply drag and drop the APK or IPA file
onto the area shown in the red box in Figure 4.2 and Figure 4.3 respectively.
Figure 4.2 Upload and Analyze button
Figure 4.3 Drag and Drop method (annotation: “Drag and drop the file”)
B. RECENT SCANS
This part shows the APKs recently scanned by any user of MobSF around the world, or by
yourself. It only displays the fifteen (15) most recent scans. Anyone using the tool may download
the Static Report or perform the other activities provided by clicking the button on the right
side. Click on the tab as shown in Figure 4.4.
Figure 4.4 Recent Scans Tab (annotation: “Click Recent Scans Tab to find more”)
Figure 4.5 Recent Scans Tab
C. STATIC ANALYZER
This part is the main activity area of MobSF. We can just upload the APK or IPA file on the
page and wait for the result, since the static analyzer runs automatically. When the scan
completes, the result of the static analysis is shown as in Figure 4.7.
Figure 4.6 Static Analyzer Interface before scanning
Figure 4.7 Static Analyzer Interface after completed scanning
D. DYNAMIC ANALYZER
This area is a bit trickier for beginners, as the Dynamic Analyzer is not supported on localhost
alone and needs to be configured with a few libraries and with a virtual emulator such as
Genymotion. The Dynamic Analyzer is used to perform dynamic analysis in real time.
Figure 4.8 Dynamic Analyzer Tab (annotation: “Click Dynamic Analyzer Tab to perform Dynamic Analysis”)
Figure 4.9 Dynamic Analyzer Tab
E. API DOCUMENTATIONS
The API Documentations tab is provided by the MobSF developers for easy reference by users
to the technical content, including instructions on how to effectively integrate the API.
Figure 4.10 API Documentation Tab (annotation: “Click API Docs Tab to find more”)
Figure 4.11 API Documentation Tab
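The REST API documented in this tab lets steps 6 to 9 of the checklist in Section 4.1.1 (upload, run the static scan, read the report, download the PDF) be driven from a script instead of the browser. The client below is an added example written for this eBook, not MobSF's own code. It assumes the endpoint paths /api/v1/upload, /api/v1/scan, /api/v1/report_json and /api/v1/download_pdf, the `Authorization` header carrying the API key that run.sh prints at startup, the `hash`, `scan_type` and `file_name` fields returned by the upload call, and the `app_name` and `package_name` keys of the JSON report; confirm all of these against the API Docs tab of the version you installed. The HTTP transport is injectable so the flow can be exercised offline.

```python
"""Added example: drive the MobSF checklist (upload, scan, report, PDF) through its REST API."""
import json
import mimetypes
import secrets
import urllib.parse
import urllib.request

# Endpoint paths as published in MobSF's API Docs tab (assumed here; verify on your version)
UPLOAD = "/api/v1/upload"
SCAN = "/api/v1/scan"
REPORT_JSON = "/api/v1/report_json"
DOWNLOAD_PDF = "/api/v1/download_pdf"


def build_multipart(field, filename, data):
    """Encode one file as multipart/form-data; returns (content_type, body)."""
    boundary = secrets.token_hex(16)
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {ctype}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def _urlopen_transport(request):
    """Default transport: send the request and return the raw response body."""
    with urllib.request.urlopen(request, timeout=600) as resp:
        return resp.read()


class MobSFClient:
    """Minimal client; `transport` is injectable so the flow can be tested offline."""

    def __init__(self, base_url, api_key, transport=_urlopen_transport):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key  # REST API key printed by run.sh / shown in the API Docs tab
        self.transport = transport

    def _post(self, path, body, content_type):
        req = urllib.request.Request(self.base_url + path, data=body, method="POST")
        req.add_header("Authorization", self.api_key)
        req.add_header("Content-Type", content_type)
        return self.transport(req)

    def _form(self, path, fields):
        body = urllib.parse.urlencode(fields).encode()
        return self._post(path, body, "application/x-www-form-urlencoded")

    def upload(self, filename, data):
        ctype, body = build_multipart("file", filename, data)
        return json.loads(self._post(UPLOAD, body, ctype))

    def scan(self, upload_info):
        # upload returns hash, scan_type and file_name; the scan is keyed on the hash
        fields = {k: upload_info[k] for k in ("hash", "scan_type", "file_name") if k in upload_info}
        return json.loads(self._form(SCAN, fields))

    def report_json(self, file_hash):
        return json.loads(self._form(REPORT_JSON, {"hash": file_hash}))

    def download_pdf(self, file_hash):
        return self._form(DOWNLOAD_PDF, {"hash": file_hash})


def run_checklist(client, apk_name, apk_bytes, pdf_out=None):
    """Checklist steps 6-9: upload, scan, read the JSON report, optionally save the PDF."""
    info = client.upload(apk_name, apk_bytes)
    client.scan(info)
    report = client.report_json(info["hash"])
    pdf = client.download_pdf(info["hash"])
    if pdf_out:
        with open(pdf_out, "wb") as fh:
            fh.write(pdf)
    # app_name / package_name are assumed top-level keys of the JSON report
    return {
        "hash": info["hash"],
        "app_name": report.get("app_name"),
        "package_name": report.get("package_name"),
        "pdf_bytes": len(pdf),
    }


if __name__ == "__main__":
    # Usage against a local instance; the key below is a placeholder, not a real one
    client = MobSFClient("http://127.0.0.1:8000", "REPLACE_WITH_YOUR_API_KEY")
    with open("app.apk", "rb") as fh:
        print(run_checklist(client, "app.apk", fh.read(), "report.pdf"))
```

The hash returned by the upload call is the same MD5 that the main page's search bar and the Recent Scans tab use to identify a scan, so it is the value to keep if the report has to be fetched again later.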
F. ABOUT MobSF
The ABOUT tab is the section where people go to find out about the website and details of the
MobSF developers. There are a few active contributors, and people can find out about the former
contributors by browsing the MobSF documentation in the web browser:
https://github.com/MobSF/Mobile-Security-Framework-MobSF.
Figure 4.12 About MobSF Tab (annotation: “Click About to identify more details of MobSF developers”)
Figure 4.13 About MobSF Tab
G. SEARCHING BAR FOR MD5 FILES
This area provides easy access to search for specific MD5 hashes. However, there is no specific
explanation by the developers of the problems that arise when users try to use the search bar.
There are numerous reports on the function of the search bar.
Figure 4.14 Search MD5 Tab (annotation: “Use Search Bar to search MD5 hashes of recent scans”)
Figure 4.15 Search MD5 Tab Error Complaints
4.1.3 STATIC ANALYZER WALKTHROUGH
As mentioned in the previous subtopic, the process to initialize the analysis is straightforward
and simple: the user can just drag and drop or upload the file and wait for MobSF to perform
the static analysis. Once the scan is completed, the results are displayed, and the user can
also download the report in PDF format and print it.
Figure 4.16 Static Analysis Result in MobSF
Users can browse the result by clicking any feature provided on the left side of the report (in
the red box). The static analysis report consists of the following elements:
❖ Information
❖ Scan Options
❖ Signer Certificate
❖ Permission
❖ Android API
❖ Browsable Activities
❖ Security Analysis
❖ Malware Analysis
❖ Reconnaissance
❖ PDF Report
❖ Print Report
❖ Start Dynamic Analysis
A. INFORMATION
This section gives detailed information on the file that has been uploaded and statically
analyzed. It displays the most important keys in information security, which include the
security algorithms implemented when developing the source code of the application, the total
size of the file including the libraries, the process file, databases and the main activity file of
the application. The information consists of the file information and the application information.
Figure 4.17 Information Section
❖ File Information: The name of the file officially published by the developers, the total
size of the file, and the secure hash algorithm values used by the developer (MD5, SHA1
and SHA256).
❖ APP Information: The name of the application officially published by the developers
in the Play Store, the package name of the application and the file used to run the
application, the version of the supported Software Development Kit (SDK) needed to
install the application, and the version of the application.
In this example, we have used UAT v4.4 (VAPT testing).apk as the target file to be tested.
Thus, the information that was generated by MobSF can be extracted from the report as
follows:
Figure 4.18 Information Section
The following table lists the security algorithms used by the developers, extracted from the
report for easy understanding and analysis by beginners.
INFORMATION  REPORT GENERATED                                                  DETAILS
File Name    UAT v4.4 (VAPT testing).apk                                       The name of the file officially published by the developers
Size         47.33MB                                                           The total size of the file
MD5          f4160ff7165c28356351115cc1528595                                  MD5 is a message-digest hash function producing a 128-bit hash value
SHA1         06a7123a0c29ee6cc678592162aa36507c4e8ed6                          SHA1 is a cryptographic hash function that takes an input and produces a 160-bit hash value
SHA256       d4363d98042a9a087e9c88012bfc462cc9bf8426edda0f4a05eac36ef1a1dc33  SHA256 is used in authentication and encryption protocols including SSL, TLS, IPsec, SSH and PGP for the application
❖ MD5: MD5 is used as a secure cryptographic hash algorithm for authenticating digital
signatures.
❖ SHA1: Secure Hash Algorithm 1 is used to authenticate messages sent between the
client and server during the TLS handshake.
❖ SHA256: Secure Hash Algorithm 256-bit is a patented cryptographic hash function that
outputs a value that is 256 bits long.
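The three values in the File Information table are simply the MD5, SHA1 and SHA256 digests of the uploaded APK, and MobSF uses the MD5 as the identifier of the scan. The script below is an added example written for this eBook (not MobSF code) that reproduces those three digests for any file and shows the check a tester should do before analysing a downloaded APK: comparing its SHA256 against the digest the publisher distributed. The sample bytes are a constructed stand-in for an APK, not a real application.

```python
"""Added example: compute the MD5/SHA1/SHA256 values shown in MobSF's File Information
panel and verify a downloaded file against a publisher's digest."""
import hashlib
import hmac

# Constructed stand-in for an APK (a ZIP local-file header followed by filler); not a real app
SAMPLE_APK_BYTES = b"PK\x03\x04" + bytes(range(256)) * 16

ALGORITHMS = ("md5", "sha1", "sha256")


def file_digests(data):
    """Hex digests of an in-memory file, keyed by algorithm name (same three as MobSF shows)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def path_digests(path, chunk_size=1 << 20):
    """Same three digests for a file on disk, streamed so a 47 MB APK is not loaded whole."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_sha256(data, expected_hex):
    """True when the data's SHA256 matches the digest published by the developer.
    SHA256 (not MD5 or SHA1) is used because collisions are practical for the older two;
    hmac.compare_digest keeps the comparison time independent of where the strings differ."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.strip().lower())


def digest_lengths():
    """Output sizes in bits; these match the 128/160/256 figures given in the table above."""
    return {name: hashlib.new(name).digest_size * 8 for name in ALGORITHMS}


if __name__ == "__main__":
    for name, value in file_digests(SAMPLE_APK_BYTES).items():
        print(f"{name.upper():7} {value}")
    print("verified:", verify_sha256(SAMPLE_APK_BYTES, file_digests(SAMPLE_APK_BYTES)["sha256"]))
```

`path_digests("UAT v4.4 (VAPT testing).apk")` on the file used in this chapter should return exactly the three strings in the table; if the MD5 differs, the Recent Scans search will not find the existing report and MobSF will treat the upload as a new file.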
The following table is the summary of the tested application from the overall information. The
most important detail in the summary report is the Security Score that MobSF has calculated by
referring to the OWASP Top Ten categories. In this case, the application tested is classified as
High Risk with a score of 34/100.
INFORMATION           REPORT GENERATED                     DETAILS
App Name              Compass UAT                          The name of the app officially published by the developers in the Play Store
Package Name          com.xoxoday.compassuat               Package name of the application
Main Activity         com.xoxoday.compass.SplashActivity   The file used to run the application
Target SDK            Min 21 | Target 30                   Version of the supported Software Development Kit (SDK) needed to install the application
Android Version Name  2.0.1                                The version of the Android OS supported to run the application
Android Version Code  23                                   The version of the Android OS supported to run the application
Security Score        34/100                               MobSF rated the application 34/100, which is High Risk
Tracker Detection     4/428                                MobSF detected that four (4) user or device trackers will be used if this application is installed
To gain a deeper understanding of how MobSF works, it provides one (1) button to view the
summary report in a simple graphical interface, as shown in Figure 4.19. When you click on
the MobSF Scorecard button, it displays the graphic shown in Figure 4.20.
Figure 4.19 Information Section
The scorecard is very powerful and useful because it provides the overall performance
metric of the developers in managing and developing an application, to improve security and
find any vulnerabilities in the source code.
Figure 4.20 MobSF Application Security Scorecard
The following table gives the details of the Security Scorecard. It displays the security score,
tracker detection, security grade, and the severity levels with the total number of findings at
each level.
INFORMATION        REPORT GENERATED  DETAILS
Security Score     34/100            MobSF rated the application 34/100, which is High Risk
Tracker Detection  4/428             MobSF detected that four (4) user or device trackers will be used if this application is installed
Security Grade     C                 MobSF classified the application as grade C (High Risk); this can be checked by clicking “MobSF Scorecard” or by downloading the report
Severity Level     High: 4 Detected
                   Medium: 9 Detected
                   Info: 0 Detected
                   Secure: 0 Detected
                   Hotspot: 1 Detected
The user can read each of the vulnerabilities found, with a detailed explanation, in the report as
follows:
Figure 4.21 MobSF Application Security Scorecard Explanation
This section helps the user to understand the summary of the report produced by MobSF after
running the static analysis of the uploaded file. As discussed in the previous chapter, MobSF
performs the static analysis by running over all the activities of the components: Activities,
Services, Receivers, and Providers. Users can click “VIEW” on each of the components to
analyse the report.
Figure 4.22 Summarize the Report
B. SCAN OPTIONS
This section allows the user to decide whether to rescan the file and whether to perform
Dynamic Analysis. To support Dynamic Analysis, MobSF provides the source code so that
users can edit the code and rescan the file once the code has been fixed.
Figure 4.23 Summarize the Report
C. SIGNER CERTIFICATES
This section helps the user to analyze whether the developer has officially signed the
certificate for mobile application security. However, from Figure 4.24, the application contains
a high-severity vulnerability: it is signed with a debug certificate. MobSF also detected that the
application used a very simple hash algorithm as its encryption and cryptographic method,
signed with conflicting SHA1 and RSA keys.
Figure 4.24 Signer Certificates Information
D. PERMISSION
This section lists all the permitted activities that seem suspicious and may contain malicious
code or carry out malicious intentions that may not be noticed by the user of the application.
Figure 4.25 Application Permission
PERMISSION                                  STATUS     INFO                                          DESCRIPTION
android.permission.INTERNET                 Normal     Full Internet access                          Allows an application to create network sockets.
android.permission.ACCESS_NETWORK_STATE     Normal     View network status                           Allows an application to view the status of all networks.
android.permission.WRITE_EXTERNAL_STORAGE   Dangerous  Read/modify/delete external storage contents  Allows an application to write to external storage.
android.permission.STORAGE                  Unknown    Unknown permission                            Unknown permission from the Android reference
com.google.android.c2dm.permission.RECEIVE  Signature  C2DM permissions                              Permission for cloud to device messaging.
E. ANDROID API DETAILS
This section lists all possible suspicious Android APIs attached to or extracted from the
application. In this report, there is no sign of any suspicious API.
Figure 4.26 Android Application Programming Interface
F. BROWSABLE ACTIVITIES
This section lists all the browsable activities in the application files that can be reached by
anyone across the globe by looking the activities up on the world wide web.
Figure 4.27 Browsable Activities
G. SECURITY ANALYSIS
In this section, there are a few security analyses implemented in MobSF, as follows:
❖ Network Security
In this section, MobSF scans the application to check whether the network security criteria
have been implemented. In the example generated here, a localhost entry is detected with high
severity.
Figure 4.28 Network Security
❖ Manifest Analysis
This section lists all the browsable activities in the application files by searching for the
activities on the world wide web. Every application project must have a Manifest file at the root
of the project source set. The file describes important information about the application to the
Android build tools, the Android operating system and Google Play.
Figure 4.29 Manifest Analysis
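The Permission table (Section D), the Browsable Activities list (Section F), the Network Security finding and the Manifest Analysis above are all produced by reading two XML files out of the APK: AndroidManifest.xml and the network_security_config.xml it references. The script below is an added example written for this eBook, not MobSF's own analyzer, showing how those checks are made. The protection levels are the five from the Permission table (anything else is reported as Unknown, as MobSF did for android.permission.STORAGE); both XML documents are constructed samples for a fictitious com.example.demo package; and the debuggable flag and cleartext checks are the reviewer's own choice of what to flag, not MobSF's full rule list.

```python
"""Added example: manifest permission triage, browsable-activity listing and
network_security_config checks of the kind MobSF reports in the sections above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _android(attr):
    """Namespace-qualify an android: attribute name for ElementTree lookups."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Protection levels for the permissions in the Permission table above; anything else is "unknown"
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "com.google.android.c2dm.permission.RECEIVE": "signature",
}

# Constructed sample manifest (not a real app): the five permissions from the table,
# a debuggable flag and one browsable activity reachable via the demo:// scheme
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.STORAGE"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:debuggable="true"
               android:networkSecurityConfig="@xml/network_security_config">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="demo" android:host="open"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample network_security_config.xml permitting cleartext traffic to localhost
SAMPLE_NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">localhost</domain>
  </domain-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>"""


def permission_table(manifest_xml):
    """Rows of (permission, status), matching the PERMISSION and STATUS columns above."""
    root = ET.fromstring(manifest_xml)
    rows = []
    for node in root.iter("uses-permission"):
        name = node.get(_android("name"), "")
        rows.append((name, PROTECTION_LEVEL.get(name, "unknown")))
    return rows


def browsable_activities(manifest_xml):
    """Activities reachable from a URL: an intent-filter with the BROWSABLE category; maps
    activity name to the URL schemes that open it."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            cats = {c.get(_android("name")) for c in flt.findall("category")}
            if "android.intent.category.BROWSABLE" not in cats:
                continue
            schemes = [d.get(_android("scheme")) for d in flt.findall("data") if d.get(_android("scheme"))]
            found.setdefault(activity.get(_android("name")), []).extend(schemes)
    return found


def manifest_findings(manifest_xml):
    """(severity, message) pairs: a debuggable build and each dangerous permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    app = root.find("application")
    if app is not None and app.get(_android("debuggable")) == "true":
        findings.append(("high", "android:debuggable=true: debugging enabled in the shipped build"))
    for name, level in permission_table(manifest_xml):
        if level == "dangerous":
            findings.append(("warning", "dangerous permission requested: " + name))
    return findings


def cleartext_domains(nsc_xml):
    """Domains for which the network security config permits cleartext (HTTP) traffic."""
    root = ET.fromstring(nsc_xml)
    domains = []
    for cfg in root.iter("domain-config"):
        if cfg.get("cleartextTrafficPermitted") == "true":
            domains.extend(d.text.strip() for d in cfg.findall("domain") if d.text)
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        domains.append("*")  # cleartext allowed for every domain not covered by a domain-config
    return domains


if __name__ == "__main__":
    for row in permission_table(SAMPLE_MANIFEST):
        print("%-45s %s" % row)
    print("browsable:", browsable_activities(SAMPLE_MANIFEST))
    print("findings:", manifest_findings(SAMPLE_MANIFEST))
    print("cleartext domains:", cleartext_domains(SAMPLE_NSC))
```

On a real APK the manifest is stored in binary form, so it has to be decoded (apktool or androguard do this) before it can be parsed as XML; the logic above is the same once the text form is available. The localhost entry flagged with high severity in Figure 4.28 is exactly what `cleartext_domains` returns for the sample config.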
❖ Code Analysis
Code analysis is the process of analyzing source code to detect vulnerabilities and functional
errors in a deployed application without actually executing the program.
Figure 4.30 Code Analysis
❖ Shared Library Binary Analysis
This section details the threat assessment and vulnerability testing that MobSF performs at the
binary code level. It also analyzes third-party libraries, giving better analysis and deeper
visibility into how the application interacts with those libraries.
Figure 4.31 Shared Library Binary Analysis
❖ NIAP Analysis
NIAP stands for National Information Assurance Partnership, which specifies an implementation-
independent set of security requirements for a category of Information Technology (IT) products
that meets specific federal customer needs. NIAP security evaluations are performed by
approved independent commercial testing laboratories.
Figure 4.32 NIAP Analysis
❖ File Analysis
File analysis helps the user identify and determine the status of the application and its files by
inspecting the files that users attempt to download or open remotely for viruses and other
malicious content.
Figure 4.33 File Analysis
H. MALWARE ANALYSIS
Malware analysis is the process of understanding the behaviour and purpose of a suspicious file
or URL. The output of the analysis aids in the detection and mitigation of the potential threat.
❖ APKiD Analysis
The purpose of APKiD analysis in MobSF is to give the user information about how an APK was
made. It identifies many compilers, packers and other tools. APKiD also helps determine
whether the APK file is malware or a pirated version.
Figure 4.34 APKiD Analysis
❖ Quark Analysis
Quark analysis is performed with Quark Engine, an open-source tool for automating the analysis
of suspicious Android applications and of any potentially malicious behaviour. Quark Engine is a
full-featured Android analysis framework written in Python for identifying threat intelligence
inside APK files.
Figure 4.35 Quark Analysis
❖ Server Locations
Server location is the physical location of the data center where the application is hosted. If
the server is located closer to the user, the user can expect faster data transfer, so the
application loads quicker and the user does not have to wait long. When choosing a web hosting
provider, developers might need to consider where their targeted customers or users are located.
Figure 4.36 Server Locations
❖ Domain Malware Check
The domain malware check is used by MobSF to scan websites and generate site-scan web
security reports. It scans and investigates the domain and IP address for suspicious scripts,
malicious media and other application security threats hidden inside legitimate content on the
server or website.
Figure 4.37 Domain Malware Check
I. RECONNAISSANCE
Reconnaissance in information security is the practice of covertly discovering and collecting
information about a system. In this section, MobSF checks every part of the application for such
information.
❖ URLs
Figure 4.38 URLs
❖ Firebase Database
Figure 4.39 Firebase Database
❖ Emails
Figure 4.40 Emails
❖ Trackers
Figure 4.41 Trackers
❖ Strings
Figure 4.42 Strings
❖ Possible Hardcoded Secrets
Figure 4.43 Possible Hardcoded Secrets
J. COMPONENTS
❖ Activities
Figure 4.44 Activities
❖ Services
Figure 4.45 Services
❖ Receivers
Figure 4.46 Receivers
❖ Providers
Figure 4.47 Providers
❖ Libraries
Figure 4.48 Libraries
❖ Files
Figure 4.49 Files
K. PDF REPORT AND PRINT SECTION
Once MobSF is up and running, any mobile application file can be uploaded; MobSF will analyze
the file and create a report summarizing the functionality within the application, including
potential issues that should be noted and checked. When testing or analyzing multiple files,
you can return to the generated reports at any time via the “Recent Scans” tab, which shows all
the files that have been uploaded to MobSF. These reports can be exported in PDF format for
review outside of the application or shared with other teams. MobSF reports contain information
on everything from whether a file is securely signed and how that was done, to the functionality
that the application will use once installed on a device.
Figure 4.50 PDF and Print Report