AppSec PNW: Android and iOS Application Security with MobSF

ajin25 1,613 views 18 slides Jun 17, 2024

About This Presentation

Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applic...


Slide Content

Ajin Abraham
Android and iOS Application
Security with MobSF
Mobile Application Security simplified

#whoami
•Senior Application Security Engineer @ Chime Financial
•Application Security & Security Engineering ~10 years
•Authored a couple of open source security projects
• MobSF, nodejsscan, OWASP Xenotix etc.
•Published research at Hack In Paris, Hack In the Box, PHDays, OWASP AppSec, Blackhat Arsenal, Nullcon etc.
•Security Blog: ajinabraham.com

Consultancy: opensecurity.ca
Disclaimer: All images used in this presentation belong to their respective owners.

What is MobSF?
Free & Open Source Mobile Application Security tool
•Shipped as a dockerized Python Django web application.
•Supports all the popular binary and source code formats.
•Supports Dynamic Analysis & Instrumented Security testing with popular emulators and virtual machines.

History & Stats
MobSF Timeline
•Open Source, licensed under GPL v3.
•Started out in Dec 2014 as an automation for repetitive tasks at work.
•Today we have contributors (90+) from all over the world.
•Actively developed and maintained.
•Free Slack Community Support Channel.
•1450+ closed issues, 870+ pull requests, 44 releases.

Before MobSF
How do I analyze Mobile applications in-house?
•Static Analysis:
  •Different tools for decompiling, disassembling, SAST, converting, reporting
  •Convert binary files to readable formats (ex: Binary XML/PLIST -> Text XML/PLIST)
  •Disassemble & Decompile (ex: APK (DEX) -> JAR -> SMALI/JAVA)
  •Binary Analysis of MachO/ELF/DEX/.so/.dylib
  •Specialized tools for parsing and data extraction
  •SAST, SCA, Secret Scanning etc. on code and configuration files
•Dynamic Analysis:
  •Configuring a rooted and jailbroken device/virtual machine
  •Configure an HTTPS proxy and install certificates
  •Bypass TLS/cert pinning, root detection, anti-debug checks
  •Install and set up instrumentation tools
  •Log analysis, memory analysis, file system analysis.

After MobSF
Tada !!

Target Audience
How can MobSF help you?
•Developers: Identify security issues as and when applications are being developed.
•Security Engineers/Pentesters: Perform interactive security assessment of Mobile apps.
•DevSecOps Engineers: Integrate MobSF in your CI/CD pipeline for shift left coverage.
•Malware Analysts: Identify malicious behaviour, patterns in code and at runtime.
•Layman: Anyone who is concerned about the privacy and security of the mobile applications they are using.

How does it work?
Static Analysis
[INFO] 14/Jun/2024 20:21:05 - MIME Type: application/vnd.android.package-archive FILE: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Performing Static Analysis of Android APK
[INFO] 14/Jun/2024 20:21:05 - Scan Hash: 6ea61e5468c39ef4b9650661849a843e
[INFO] 14/Jun/2024 20:21:05 - Starting Analysis on: beetlebug.apk
[INFO] 14/Jun/2024 20:21:05 - Generating Hashes
[INFO] 14/Jun/2024 20:21:05 - Unzipping
[INFO] 14/Jun/2024 20:21:05 - APK Extracted
[INFO] 14/Jun/2024 20:21:05 - Getting Hardcoded Certificates/Keystores
[INFO] 14/Jun/2024 20:21:05 - Getting AndroidManifest.xml from APK
[INFO] 14/Jun/2024 20:21:05 - Converting AXML to XML
[INFO] 14/Jun/2024 20:21:07 - Parsing AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Parsing APK with androguard
[INFO] 14/Jun/2024 20:21:07 - Starting analysis on AndroidManifest.xml
[INFO] 14/Jun/2024 20:21:07 - Extracting Manifest Data
[INFO] 14/Jun/2024 20:21:07 - Performing Static Analysis on: Beetlebug (app.beetlebug)
[INFO] 14/Jun/2024 20:21:07 - Fetching Details from Play Store: app.beetlebug
[INFO] 14/Jun/2024 20:21:07 - Manifest Analysis Started
[INFO] 14/Jun/2024 20:21:08 - App Link Assetlinks Check - [app.beetlebug.ctf.DeeplinkAccountActivity] https://beetlebug.com
[INFO] 14/Jun/2024 20:21:08 - Checking for Malware Permissions
[INFO] 14/Jun/2024 20:21:08 - Fetching icon path
[INFO] 14/Jun/2024 20:21:08 - Library Binary Analysis Started
[INFO] 14/Jun/2024 20:21:08 - Reading Code Signing Certificate
[INFO] 14/Jun/2024 20:21:08 - Getting Signature Versions
[INFO] 14/Jun/2024 20:21:08 - Running APKiD 2.1.5
[INFO] 14/Jun/2024 20:21:10 - Trackers Database is up-to-date
[INFO] 14/Jun/2024 20:21:10 - Detecting Trackers
[INFO] 14/Jun/2024 20:21:12 - APK -> JAVA
[INFO] 14/Jun/2024 20:21:12 - Decompiling to Java with jadx
[INFO] 14/Jun/2024 20:21:20 - DEX -> SMALI
[INFO] 14/Jun/2024 20:21:20 - Converting classes9.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes8.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes11.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes10.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes3.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes2.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes6.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes7.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes5.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Converting classes4.dex to Smali Code
[INFO] 14/Jun/2024 20:21:20 - Code Analysis Started on - java_source
[INFO] 14/Jun/2024 20:22:03 - Android SAST Completed
[INFO] 14/Jun/2024 20:22:03 - Android API Analysis Started
[INFO] 14/Jun/2024 20:22:47 - Android Permission Mapping Started
[INFO] 14/Jun/2024 20:22:53 - Android Permission Mapping Completed
[INFO] 14/Jun/2024 20:22:53 - Finished Code Analysis, Email and URL Extraction
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from APK
[INFO] 14/Jun/2024 20:22:53 - Extracting Data from Source Code
[INFO] 14/Jun/2024 20:22:54 - Detecting Firebase URL(s)
[INFO] 14/Jun/2024 20:22:55 - Performing Malware Check on extracted Domains
[INFO] 14/Jun/2024 20:22:55 - Maltrail Database is up-to-date
[INFO] 14/Jun/2024 20:22:56 - Saving to Database
Stages of the static analysis pipeline, as annotated on the slide next to the log above:
•Extract app binary, generate hashes
•Convert Plist/Manifest files; analyze Plist/Manifest files for vulnerabilities and misconfigurations; analyze application permissions, network configurations, IPC configurations
•Perform binary analysis on shared/dynamic libs; run specialized binary analysis tools against the application; identify privacy concerns such as trackers
•Convert binaries to human readable code formats; decompile the code to SAST friendly languages
•SAST, API Analysis and Permission Mapping
•Information gathering, secrets and other sensitive data extraction; geolocation, malicious domain check

DEMO: Static Analysis
Android SAST
AppSec Scorecard
iOS SAST

How does it work?
Dynamic Analysis (slide diagram labels): Android APK / iOS IPA; Rooted Android VM / Jailbroken iOS VM, Corellium API; MobSF Agents, Scripts, Helpers, HTTPS Proxy; output: Report, Logs, Raw data

DEMO: Dynamic Analysis
Dynamic Analyzer
Report Generation

DEMO: Deeplink Exploitation
Static Analysis
Dynamic Verification

DEMO: Solve CTF Challenges
Android CTF Challenge
iOS CTF Challenge

DEMO: Defeat a Malware
Static Analysis Hints
Dynamic Analysis

DevSecOps
MobSF in CI/CD: REST APIs
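A minimal CI gate built on the MobSF REST API, added here as an illustration and not code from the deck or the MobSF project: it uploads a binary, triggers a scan, fetches the AppSec scorecard and fails the build on a low score or any high-severity finding. The endpoint paths (/api/v1/upload, /scan, /scorecard), the Authorization header carrying the API key, and the scorecard keys (security_score, high, title) are assumed from the public MobSF API docs; the server URL, key and APK path are placeholders.

```python
import json
import urllib.parse
import urllib.request
import uuid

API = "/api/v1"  # MobSF REST API prefix (assumed from the public docs)


def _multipart(field, filename, data):
    """Build a multipart/form-data body for the /upload endpoint."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def _post(server, api_key, path, data=None, body=None, ctype=None):
    """POST to a MobSF endpoint; the API key travels in the Authorization header."""
    if body is None:
        body = urllib.parse.urlencode(data).encode()
        ctype = "application/x-www-form-urlencoded"
    req = urllib.request.Request(server + API + path, data=body, method="POST",
                                 headers={"Authorization": api_key, "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.load(resp)


def scan_and_scorecard(server, api_key, apk_path):
    """Upload -> scan -> fetch the AppSec scorecard for one binary (network calls)."""
    with open(apk_path, "rb") as fh:
        body, ctype = _multipart("file", apk_path.rsplit("/", 1)[-1], fh.read())
    up = _post(server, api_key, "/upload", body=body, ctype=ctype)
    # Upload returns hash, scan_type and file_name; older servers want all three for /scan
    _post(server, api_key, "/scan", data={k: up[k] for k in ("hash", "scan_type", "file_name")})
    return _post(server, api_key, "/scorecard", data={"hash": up["hash"]})


def gate(scorecard, min_score=70, fail_on_high=True):
    """Pure decision logic: returns (ok, reasons) so CI can print why it failed."""
    reasons = []
    score = int(scorecard.get("security_score", 0))
    if score < min_score:
        reasons.append(f"security_score {score} < {min_score}")
    if fail_on_high:
        for finding in scorecard.get("high", []):
            reasons.append("high: " + finding.get("title", "?"))
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = gate(scan_and_scorecard("http://mobsf.example:8000", "<API_KEY>", "app.apk"))
    raise SystemExit(0 if ok else "MobSF gate failed: " + "; ".join(why))
```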

DevSecOps
MobSF SAST in CI/CD
•pip install mobsfscan
  mobsfscan <source_code_path>
•CLI and Library
•mobsfscan GitHub action

Enterprise Ready
Enterprise support services
•Multi user authentication and access control
•SAML 2.0 SSO support
•SLA bound priority feature requests, bug fixes & consultancy (paid)
•Everything goes back to the community

Questions?
Thanks for listening
•Kudos! to core contributors Magaofei, Matan, & Vincent
•Github: https://github.com/MobSF/Mobile-Security-Framework-MobSF
•Documentation: https://mobsf.github.io/docs/
•Support Slack Channel: https://mobsf.slack.com
•Contact: ajin<AT>opensecurity.in | @ajinabraham