Firefox apk analysis using MobSF


Over the preceding decade, mobile technology has spread into every aspect of society. Phones and tablets are commonly used to access the internet, run apps, read email, post to social media, and conduct financial and banking transactions, among other things. The use of mobile devices for both personal and professional purposes has skyrocketed, and the proliferation of mobile applications has brought tremendous mobility and flexibility. As a result, concerns have been raised about maintaining security while moving through the digital world.

The security of mobile devices is becoming an ever more relevant concern for users’ privacy. Although mobile device manufacturers care about user security and data privacy, internet-based applications create substantial hurdles in resolving threats and vulnerabilities while safeguarding a user’s data. The vast majority of applications are created to perform a specific activity and are tailored for a specific set of devices, such as smartphones and tablets. Protecting data on mobile devices is a difficult task because of the numerous dangers and limitations involved.

Security Issues with Mobile Devices

The mobile market is growing as wireless technology advances and mobile device usage improves. The rise in the creation and maintenance of secure identities for mobile devices has posed a significant problem for individuals, society, and businesses, particularly in mobile added value services like mobile banking, mobile ticketing, and a range of other services.

Mobile security risks

Threats and assaults that worked on desktop computers are now being tested on mobile devices. The number of simple targets increases as the level of defense increases. Hackers and attackers are concentrating their efforts on the weakest link in the chain, which has resulted in a series of successful scams.

Importance of mobile security

It’s difficult to be secure these days, and our heavy reliance on mobile technology makes it even more difficult. Our cellphones carry personal social media profiles, emails, important texts, and even bank account information. We continue to maintain these data on file despite the fact that they are frequently very sensitive and may contain useful information.

Furthermore, smartphones are used for the majority of business-to-business transactions, and social media usage is also largely confined to phones. As a result, a business without a mobile app is ineffective. It’s no secret that mobile technology is rapidly evolving. There are billions of individuals on the internet, many of whom use their smartphones. This enormous user base raises a slew of new security and risk concerns. It is critical to understand the mobile security framework and defend yourself from potential security threats in order to optimize revenue while avoiding dangers.

Cybercriminals and hackers simply follow the herd, exploiting security flaws and backdoors to gain an advantage over their opponents. Hackers prefer to target Windows PCs over Macs because there are more of them: with so many Windows-based PCs to steal from, attackers spend more time honing their skills against Windows devices. The same is true of Android versus iOS. Android’s vast user base and open-source nature make it more exposed to security concerns and attacks than iOS. Apple’s iOS, on the other hand, is a closed-source platform and is therefore less likely to be hacked. To launch even a simple app on iOS, developers must verify their credentials and go through a rigorous application process. As a result, iOS apps are more secure than those on other mobile platforms. Still, iOS comes with its own set of security flaws and hazards; it is not fully free of vulnerabilities.

Mobile Security Frameworks

Mobile security is becoming increasingly important. Developers have therefore built mobile security frameworks and released them as fully open-source software. These frameworks are designed to assess and test the security of a mobile app, regardless of whether it targets Android, iOS, or another mobile OS.

Top Frameworks

Appmon, Runtime Mobile Security (RMS), OWASP MSTG, and MobSF are just a few of the tools on the market. MobSF is without a doubt one of the best and most user-friendly options available. It is a completely free and open-source tool for evaluating the security of mobile applications.

What is MobSF?

MobSF (Mobile Security Framework) is a fully automated security assessment framework. It can perform automated static analysis of Android, iOS, and Windows binaries and source code, although it currently supports only Java and Objective-C source code. MobSF can also capture an application’s web traffic, which can then be passed to tools such as Burp Suite and OWASP ZAP for fuzzing web applications and APIs.

MobSF is completely free and open source. The project began in December 2014, and developers from a range of countries now contribute to it; it is actively developed and maintained. MobSF is valuable not only for developers, who can uncover security problems in apps while they are still being built and run static analysis directly on the source code, but for everyone. It also makes it easier for security engineers to conduct mobile app security audits, since they can analyze both the final production-ready binaries and the source code itself. MobSF exposes a REST API that DevSecOps engineers can use to integrate it directly into CI/CD pipelines, and that malware researchers can use to find dangerous behavior and malware signatures in applications quickly and effectively. Real-time dynamic runtime analysis in a sandbox can also be used to observe how malware behaves.

MobSF is a self-hosted web application. It is cross-platform, so it runs on Linux, macOS, and Windows. The static analysis component of MobSF can be executed in a virtual machine or in a Docker container. For dynamic analysis, however, MobSF must be installed on the host operating system: when it runs in a Docker container or a virtual machine, it cannot perform dynamic analysis.

Getting started with MobSF

Setting up MobSF: a step-by-step guide

MobSF is an open-source project under active development, so its documentation is subject to change. Always consult MobSF’s official documentation page for the most up-to-date information. MobSF can be installed and run in several ways:

First method (highly recommended): manually install all of the required prerequisites, then run the setup script for your host operating system.

Prerequisites

Mac

  • Install Git
  • Install Python 3.8-3.9
  • After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
  • Install JDK 8+
  • Install the command line tools: xcode-select --install
  • Download & install wkhtmltopdf as per the wiki instructions
  • Windows app static analysis requires a Windows host or a Windows VM for Mac and Linux.

Ubuntu/Debian based Linux:

  • Install Git: sudo apt-get install git
  • Install Python 3.8-3.9: sudo apt-get install python3.8
  • Install JDK 8+: sudo apt-get install openjdk-8-jdk
  • Install the following dependencies:
sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
  • Windows app static analysis requires a Windows host or a Windows VM for Mac and Linux.

Windows

  • Install Git
  • Install Python 3.8-3.9
  • Install JDK 8+
  • Install Microsoft Visual C++ Build Tools
  • Install OpenSSL (non-light)
  • Download & install wkhtmltopdf.
  • Add the folder that contains the wkhtmltopdf binary to the PATH environment variable.

NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once all of the prerequisites have been installed, you can proceed to the installation stage.

Second method:

If you only need static analysis and do not want to run dynamic analysis, you can use the prebuilt MobSF Docker images. To pull and run a prebuilt image, enter the following commands on the command line:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Static Analysis using MobSF

What is a static analysis?

Static analysis, often known as static code analysis, is the practice of looking for faults in a computer program without running it. Static analysis is most commonly performed on a program’s source code using tools that convert the code to an abstract syntax tree (AST) in order to fully analyze the structure of the code and, as a result, uncover faults. An Abstract Syntax Tree (AST) is a tree representation of a computer program’s source code that illustrates the source code’s structure.

Let’s get started and run MobSF static analysis.

  • First, make sure your host PC has all of the necessary prerequisites installed.
  • Second, clone the repository.

Note: In this tutorial, we use Windows as the host operating system and the Firefox Android apk binary as the target for static and dynamic analysis.

[Screenshot: cloning the MobSF repository]

  • Third, install all the dependencies by running the setup script.

For Linux / mac:

./setup.sh

For Windows:

./setup.bat

[Screenshots: running the MobSF setup script]

  • Now, execute the Run command.

For Linux / mac:

./run.sh 127.0.0.1:8000

For Windows:

./run.bat 127.0.0.1:8000

[Screenshots: MobSF running]

MobSF is now accessible directly from the browser.

[Screenshot: Firefox]

Static analysis of Firefox apk binary:

Upload the apk file and start the analysis.

[Screenshots: uploading the Firefox apk file and the analysis in progress]

After analysis, the report of the Firefox apk file will be generated.

Note: If the apk binary is large, the analysis takes longer. Firefox is around 70-80 MB, so its analysis takes around 5-10 minutes.

[Screenshot: MobSF static analysis dashboard]

Information Section:

[Screenshot: Information section]

APP scores

The app’s different scores are displayed, including the average CVSS, security score, and number of trackers recognized.

[Screenshot: App scores]

MobSF scorecard

It displays the scores for numerous discoveries in a rich visual manner.

[Screenshot: scorecard]

The code analysis findings are used to compute both the average CVSS and the security score. The average CVSS is the mean of the CVSS scores of the individual findings, whereas the security score is derived from the severity of each finding.

[Screenshot: score calculation]

Each app starts with a perfect score of 100. MobSF deducts 15 points for each finding of high severity, deducts 10 points for each finding of warning severity, and adds five points for each finding of positive severity. If the computed score exceeds 100, the app security score is capped at 100; if it falls below 0, the app security score is set to 10.
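As an added example (not MobSF’s own code), the scoring rules above re-implemented in Python, together with a hypothetical CI/CD gate of the kind that the REST API integration mentioned in the “What is MobSF?” section would feed; the sample findings, the “good” label for positive findings and the threshold of 50 are constructed assumptions.

```python
# Added example (not MobSF's own code): re-implements the scoring rules the
# article describes and wraps them in a hypothetical CI/CD gate. Findings are
# constructed sample data; "good" is used for the article's "positive" severity.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

HIGH_PENALTY = 15      # points removed per high-severity finding
WARNING_PENALTY = 10   # points removed per warning-severity finding
GOOD_BONUS = 5         # points added per positive ("good") finding


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str      # "high", "warning", "good" or "info"
    cvss: float = 0.0  # 0.0 means the rule carries no CVSS value


def security_score(findings: Iterable[Finding]) -> int:
    """Start at 100, apply the per-severity adjustments, then clamp."""
    score = 100
    for f in findings:
        if f.severity == "high":
            score -= HIGH_PENALTY
        elif f.severity == "warning":
            score -= WARNING_PENALTY
        elif f.severity == "good":
            score += GOOD_BONUS
        # "info" findings do not move the score
    if score > 100:
        return 100    # capped at a perfect score
    if score < 0:
        return 10     # floor: a negative total is reported as 10
    return score


def average_cvss(findings: Iterable[Finding]) -> float:
    """Mean of the non-zero CVSS values, rounded to one decimal."""
    scores = [f.cvss for f in findings if f.cvss > 0]
    return round(sum(scores) / len(scores), 1) if scores else 0.0


def ci_gate(findings: List[Finding], min_score: int = 50,
            block_on_high: bool = True) -> Tuple[bool, List[str]]:
    """Hypothetical pipeline gate; the threshold of 50 is an assumption."""
    reasons = []
    score = security_score(findings)
    if score < min_score:
        reasons.append(f"security score {score} is below {min_score}")
    highs = [f.title for f in findings if f.severity == "high"]
    if block_on_high and highs:
        reasons.append("high severity findings: " + "; ".join(highs))
    return (not reasons, reasons)


# Constructed sample findings (titles are illustrative, not taken from a report).
SAMPLE_FINDINGS = [
    Finding("App uses an insecure random number generator", "warning", 7.5),
    Finding("Files may contain hardcoded sensitive information", "warning", 7.4),
    Finding("App logs debug information", "info", 7.5),
    Finding("IP address disclosure", "warning", 4.3),
    Finding("App can read/write to external storage", "warning", 5.5),
    Finding("App uses SSL certificate pinning", "good", 0.0),
]

if __name__ == "__main__":
    print("security score:", security_score(SAMPLE_FINDINGS))  # 65
    print("average CVSS:", average_cvss(SAMPLE_FINDINGS))      # 6.4
    print("gate passed:", ci_gate(SAMPLE_FINDINGS)[0])          # True
```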

File information

In the File information section, which is located next to the App score, the application file’s name, size, and basic hashes are displayed.

[Screenshot: File Information section]

App Information

The App Information section, which shows next to the File Information section, includes information about the app’s package name, main activity, and current version of the application.

[Screenshot: App Information section]

Playstore description

The description of the app as it appears on the Google Play Store will be listed in this section.

[Screenshot: Play Store information]

Component section

[Screenshot: Component section]

This section displays the number of fundamental Android components used by the application: Activities (a single screen in the app with an interface the user can interact with), Services (parts of the application that run in the background), Receivers (which allow registering for system or application events), and Providers (which provide their own UI for working with the data).

Scan Option

These features include options such as Rescan and dynamic analysis. There is also a decompiled code section that displays the decompiled Android manifest, Java source code, and smali source code, and allows you to download the Java source code, the smali code, and even the apk file itself.

[Screenshot: scan options]

Signer Certificate

Basic information about a code signing certificate may be found in the Signer Certificate section, which includes the signature version, hash algorithms used, fingerprints, and issuer identifications, among other things. If anything, good or bad, is discovered, it will be presented in the certificate status area along with a brief summary.

[Screenshot: Signer Certificate section]

Application permission

The Permissions section lists all of the permissions used by the application (Firefox apk), as well as their status, details, along with the descriptions.

[Screenshot: Permissions section]

Android API

The Android API section contains information about all of the APIs that are used in this application.

[Screenshots: Android API section]

Browsable activities

This section lists all of the browsable activities, that is, the activities that can be opened through a specific URL scheme.

[Screenshot: browsable activities]

Security Analysis:

The security analysis section includes manifest, code, binary, NIAP, and file analysis.

[Screenshot: Security Analysis section]

Network Security

[Screenshot: Network Security section]

Manifest Analysis

MobSF performs static analysis on the Android manifest file to identify vulnerabilities. This section lists all of the concerns found, together with their severity and a detailed description.

[Screenshots: Manifest Analysis section]

Code analysis

MobSF performs static analysis on all of the decompiled Java source code and then produces a report, displayed in this section, that lists every issue found along with its severity, the standard it maps to, and the file location.

[Screenshots: Code Analysis section]

Binary Analysis

MobSF lists all of the issues detected in the shared objects (native libraries) and displays them in this section.

[Screenshots: Binary Analysis section]

NIAP Analysis

[Screenshots: NIAP Analysis section]

File analysis

For this app the section is currently blank, but MobSF uses it to list all of the sensitive files, such as certificates, that are hard-coded within the application.

[Screenshot: File Analysis section]

Malware analysis


APKiD analysis

This section provides a solid understanding/picture of the application’s behavior from a code perspective.

[Screenshot: APKiD analysis]

Quark Analysis

This section lists the potentially malicious behaviour detected, together with its evidence.

[Screenshots: Quark analysis]

Server location

This is one of MobSF’s finest features: a world map UI that plots the locations of all of the servers the evaluated app communicates with.

[Screenshot: server location map]

Domain malware check

MobSF extracts domains from the binaries and compares them against the non-malicious domains stored in its database; it uses this comparison to determine whether each domain is good or bad.

[Screenshots: domain malware check]

Reconnaissance

URLs

All of the URLs identified in the application’s various source code files are listed by MobSF in this section.

[Screenshot: URLs section]

Firebase DB

MobSF can extract all of the Firebase database URLs from the app and performs a secondary check to see whether the database is exposed to the public.

[Screenshot: Firebase URLs]

Emails

MobSF extracts all of the emails from the source code and displays them in this section.

[Screenshot: Emails section]
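As an added example (not MobSF’s own code) covering the URLs, Firebase DB, Emails and Domain malware check sections, a small reconnaissance pass over decompiled source text in Python; the source snippets, the deny list that stands in for MobSF’s domain database, and the /.json probe URL used for the Firebase exposure check are assumptions of the example.

```python
# Added example (not MobSF's own code): a small reconnaissance pass over
# decompiled source text, mirroring the URLs, Emails, Firebase DB and Domain
# malware check sections. Source snippets and the deny list are constructed;
# nothing is fetched from the network.
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>)]*)?")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: decompiled Java and resource lines, keyed by file path.
SOURCE_FILES = {
    "com/example/app/Config.java": (
        'static final String API = "https://api.example.com/v1/submit";\n'
        'static final String DB = "https://example-app-12345.firebaseio.com/users";\n'
    ),
    "res/values/strings.xml": (
        '<string name="support_email">support@example.org</string>\n'
        '<string name="ad_sdk">http://ads.bad-tracker.example/collect?id=1</string>\n'
    ),
}

# Constructed deny list standing in for the domain database MobSF ships with.
MALICIOUS_DOMAINS = {"bad-tracker.example"}


def extract_urls(files):
    """Map each URL to the sorted list of files it appears in."""
    found = {}
    for path, text in files.items():
        for url in URL_RE.findall(text):
            found.setdefault(url, set()).add(path)
    return {url: sorted(paths) for url, paths in found.items()}


def extract_emails(files):
    """Sorted, de-duplicated e-mail addresses across all files."""
    emails = set()
    for text in files.values():
        emails.update(EMAIL_RE.findall(text))
    return sorted(emails)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for this sample, not for all TLDs."""
    return ".".join(host.lower().split(".")[-2:])


def domain_check(urls, deny=MALICIOUS_DOMAINS):
    """Classify every hostname seen in the URLs as 'bad' or 'good'."""
    verdicts = {}
    for url in urls:
        host = urlsplit(url).hostname
        verdicts[host] = "bad" if registrable_domain(host) in deny else "good"
    return verdicts


def firebase_probe_urls(urls):
    """Root '/.json' read for each Firebase Realtime DB host: an HTTP 200 with
    data means the database is publicly readable; 401 means rules block it."""
    probes = {f"https://{urlsplit(u).hostname}/.json"
              for u in urls if urlsplit(u).hostname.endswith(".firebaseio.com")}
    return sorted(probes)


if __name__ == "__main__":
    urls = extract_urls(SOURCE_FILES)
    for url, paths in urls.items():
        print(url, "->", paths)
    print(domain_check(urls))
    print(firebase_probe_urls(urls))
    print(extract_emails(SOURCE_FILES))
```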

Trackers

MobSF is capable of extracting all of the available trackers that are currently being utilized within the app and displays them in this section.

[Screenshot: Trackers section]

Trackers are simply development toolkits or add-ons that collect data and information on the application’s behalf.

Strings

MobSF lists all of the hard-coded strings in the binary, especially those from the strings resource file.

[Screenshot: Strings section]

Possible hardcoded secrets

[Screenshot: possible hardcoded secrets]

Components

Components are the distinct parts of the application. This section lists all of the application’s activities, services, receivers, providers, and libraries, as well as all of the files found in the application binary.

[Screenshot: Components section]

Activities

Activities are simply single screens in your app with an interface the user can interact with.

[Screenshots: Activities]

Services

Services are parts of the application that run in the background.

[Screenshots: Services]

Receivers

Receivers allow registering for system or application events.

[Screenshots: Receivers]

Providers

Providers provide their own UI for working with the data.

[Screenshots: Providers]

Libraries

[Screenshot: Libraries]

Files

[Screenshot: Files]

PDF report

The PDF report section allows you to create a professional-looking PDF report that contains high-level information about the various findings of that particular analyzed application.

[Screenshots: pages of the generated PDF report]

Click here to view the full static analysis report of this specific application.


What is Dynamic analysis?

The process of testing and evaluating a program while it is running is known as dynamic analysis. Dynamic analysis, also known as dynamic code scanning, assists in the discovery and correction of mistakes, memory difficulties, and other program execution concerns. Static analysis is essential before going on to dynamic analysis.

Dynamic analysis mechanism

MobSF first installs the apk on the Genymotion VM and then instruments it. Xposed and Frida are used for instrumentation: Frida is used for Android 5.0 and up, and Xposed is used for Android 5.0 and below. Some agents are deployed in the Genymotion VM as well. Once the app has been instrumented, the agents start capturing and gathering data relevant to it. The collected data is returned to MobSF when the report is completed, and the app’s full data is dumped from the device for additional study.

Always make sure you’ve configured the dynamic analyzer for MobSF before starting the analysis. You must start a genymotion VM before launching MobSF to perform android dynamic analysis flawlessly.

If MobSF fails to detect the virtual machine, the following error is thrown.

[Screenshots: virtual machine error and Genymotion virtual machine]

Starting Dynamic analysis

Open scan options and click on Start Dynamic Analysis.

[Screenshot: Start Dynamic Analysis option]

If everything went well, you should be able to see the dashboard.

MobSF Dynamic analysis features and functionality:

Show/Stop Screen:

[Screenshots: Show Screen view]

This feature displays the screen of the emulated device in the web interface. Some fundamental interactions, such as touches and clicks, can be performed straight from the web interface.

Remove Root Certificate (CA):

[Screenshots: remove and install root certificate options]

Installing MobSF’s root certificate (CA) on the device is what allows MobSF to intercept the device’s traffic; this option removes that certificate again.

TLS/ SSL test:

TLS/SSL Security test allows you to assess the network security of your application. These tests are only applicable to applications that connect to the internet using the HTTP protocol.

[Screenshots: TLS/SSL security test]

Exported Activity Tester:

This test lets you dynamically exercise the exported activities, which is useful for building dynamic proofs of concept and verifying the static analysis results.

[Screenshot: Exported Activity Tester]

Activity Tester:

You can use this test to forcefully exercise all non-exported activities.

[Screenshot: Activity Tester]

Get Dependencies:

This functionality aids in the gathering of all information regarding the application’s runtime dependencies.

[Screenshot: Get Dependencies]

Take Screenshots:

This feature allows you to take a screenshot of a device that is running in a virtual machine.

[Screenshot: Take Screenshots option]

Logcat Stream:

The Logcat stream displays all of the device’s real-time logs.

[Screenshot: Logcat Stream option]

A new window opens with the live log stream.

[Screenshot: Logcat stream window]

Currently, MobSF cannot perform autonomous dynamic analysis, because it has no idea what your app’s business logic is, how to fill in the login and password fields, or what data it should supply. To get the most out of MobSF dynamic analysis, you must personally walk through the application’s various business flows while MobSF performs security analysis in the background.

Starting the Dynamic Analysis Process:

The initial stage in the dynamic analysis process is to select start instrumentation, which will load the application and enable MobSF to instrument it.

[Screenshots: Start Instrumentation]

Instrumentation with Frida

Use the console to see the output created by these Frida scripts, or look in the Frida live logs folder. Whether you’re running a custom Frida script or writing one, Frida live logs will show you all of the output from the various Frida scripts.

[Screenshot: Frida live logs]

Once the instrumentation process is complete, the Live API monitor button will be enabled. The live API monitor simply logs all API calls that occur during the course of the application.

[Screenshot: Live API monitor]

Frida Code editor

MobSF dynamic analyzer also provides access to the Frida code editor where custom or pre-built Frida scripts can be loaded.

[Screenshot: Frida code editor]

Generate Report:

When the Generate Report option is selected, MobSF stops all analysis and generates a report. After the dynamic analysis is completed, the final report should look somewhat like this.

[Screenshots: dynamic analysis report]

Click here to see the full dynamic analysis report of the Firefox v97.2.0 application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, as well as run static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by allowing them to analyze both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps professionals can use to integrate it directly into CI/CD pipelines, and that malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications. This article has hopefully been both entertaining and instructive in showing how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel’s community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that assists open source project communities in monetizing and long-term sustainability. To know more visit Aviyel.com and find great blogs and events, just like this one! Sign up now for early access, and don’t forget to follow us on our socials!