
FreeOTP apk analysis using MobSF

Analysis Report

Mobile technology has become more prevalent in every part of society over the last decade. Phones and tablets are used to browse the internet, run apps, read email, post to social media, and carry out financial and banking transactions. The use of mobile devices for personal and professional purposes has grown dramatically, and the proliferation of mobile applications has greatly increased mobility and flexibility. As a result, concerns have been raised about maintaining security in the digital world.

Mobile device security is becoming an increasingly important privacy concern for consumers. Although device manufacturers care about user security and data privacy, internet-based applications make it considerably harder to address threats and vulnerabilities while protecting a user's data. Most apps are designed for a specific task and optimized for specific devices such as smartphones and tablets, and because of the many hazards and constraints involved, protecting data on mobile devices is a challenging undertaking.

Data privacy & Security Issues with Mobile Devices

As wireless technology progresses and mobile device usage grows, the mobile market continues to expand. Creating and maintaining secure identities for mobile devices has become a significant dilemma for individuals, society, and organizations, especially in value-added mobile services such as mobile banking, mobile ticketing, and many others.

Understanding mobile security

Staying safe these days is difficult, and our heavy reliance on mobile devices makes it harder still. Our smartphones hold a wealth of information: personal social media accounts, emails, sensitive messages, even bank account details. Although this data is very sensitive, we keep storing it there.

In addition, most business-to-business transactions are now conducted through smartphones, and social media use is largely confined to them as well, so a business without a mobile app is at a disadvantage. Mobile technology is advancing quickly, and with billions of people on the internet, many of them on smartphones, this large user base opens up a whole new world of security risks. To maximize earnings while avoiding those risks, it is important to understand mobile security frameworks and protect yourself from potential threats.

Mobile Security Frameworks

Mobile security is becoming increasingly important and critical, so developers have built mobile security frameworks and released them to the public as fully open-source software. Whether you are working with Android, iOS, or another mobile OS, these tools are meant to assess and test the security of a mobile app. Appmon, Runtime Mobile Security (RMS), OWASP MSTG, and MobSF are just a few of the tools on the market, and MobSF is without a doubt one of the most user-friendly options available. It is a completely free and open-source tool for analyzing the security loopholes of any kind of mobile application.

What is MobSF ?

MobSF (Mobile Security Framework) is an automated, all-in-one security assessment framework. It can perform automated static analysis of Android, iOS, and Windows binaries as well as source code, although only Java and Objective-C source code is currently supported. MobSF can also capture an application's web traffic, which can then be sent to tools such as Burp Suite and OWASP ZAP for web application or API fuzzing.

MobSF is an open-source security tool and absolutely free. The project began in December 2014 and is actively developed and maintained by contributors from a variety of countries. MobSF is extremely valuable to developers because it helps them discover security issues in apps while they are still under development. It also helps security engineers perform mobile app security audits by supporting analysis of both the final production-ready binaries and the source code itself. MobSF exposes a REST API that DevSecOps specialists (or anyone else) can use to integrate it directly into CI/CD pipelines, and malware researchers can use it to spot dangerous behaviour and malware signatures in an application quickly and efficiently. With MobSF it is also feasible to perform sandboxed dynamic runtime analysis and observe malware behaviour in real time.

MobSF is self-hosted and runs as a web application. It is cross-platform, running on Linux, macOS, and Windows. The static analysis component can be run in a Docker container or on a virtual machine, but MobSF must be installed directly on the host operating system to perform dynamic analysis; dynamic analysis is not supported when MobSF itself runs inside a Docker container or a virtualized environment.
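As an added example of the CI/CD integration mentioned above (this is not code from the article or from the MobSF project), the following Python script uploads an apk through the MobSF REST API, runs the static scan, fetches the JSON report, and fails the pipeline when the security score falls below a threshold or any high-severity finding is present. The endpoint paths (/api/v1/upload, /api/v1/scan, /api/v1/report_json), the Authorization header, and the report field names (hash, security_score, severity) are assumptions taken from the MobSF REST API documentation as understood at the time of writing and should be checked against the docs of the MobSF version you run; the API key is the one MobSF prints when it starts.

```python
"""Gate a CI job on a MobSF static scan through the REST API.

Added example, not code from the article or from MobSF itself. Endpoint paths,
the Authorization header and the report field names are assumptions; verify
them against the REST API docs of your MobSF version.
"""
import os
import sys
from typing import Any, Callable, Dict, List, Optional, Tuple

# Transport signature: post(path, headers, form_fields, files) -> decoded JSON.
Transport = Callable[[str, Dict[str, str], Dict[str, str], Optional[Dict[str, Any]]],
                     Dict[str, Any]]


def requests_transport(base_url: str) -> Transport:
    """HTTP transport built on the third-party 'requests' library. It is imported
    here rather than at module level so the gate logic can run without it."""
    import requests  # pip install requests

    def post(path: str, headers: Dict[str, str], form: Dict[str, str],
             files: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        resp = requests.post(base_url.rstrip("/") + path, headers=headers,
                             data=form, files=files, timeout=900)
        resp.raise_for_status()
        return resp.json()

    return post


class MobSFClient:
    """Minimal client for the three calls a pipeline needs."""

    def __init__(self, api_key: str, transport: Transport) -> None:
        self.headers = {"Authorization": api_key}  # assumed header name
        self.post = transport

    def upload(self, apk_path: str) -> str:
        """Upload the binary; MobSF answers with the file hash used by later calls."""
        with open(apk_path, "rb") as fh:
            reply = self.post("/api/v1/upload", self.headers, {},
                              {"file": (os.path.basename(apk_path), fh)})
        return reply["hash"]

    def scan(self, file_hash: str) -> Dict[str, Any]:
        return self.post("/api/v1/scan", self.headers, {"hash": file_hash}, None)

    def report_json(self, file_hash: str) -> Dict[str, Any]:
        return self.post("/api/v1/report_json", self.headers, {"hash": file_hash}, None)


def count_high_findings(node: Any) -> int:
    """Walk the report recursively and count entries whose 'severity' is 'high'.
    Walking instead of indexing fixed paths keeps this tolerant of the report
    layout differing between MobSF versions (itself an assumption)."""
    if isinstance(node, dict):
        hit = 1 if str(node.get("severity", "")).lower() == "high" else 0
        return hit + sum(count_high_findings(v) for v in node.values())
    if isinstance(node, list):
        return sum(count_high_findings(v) for v in node)
    return 0


def evaluate_report(report: Dict[str, Any], min_score: int = 50,
                    max_high: int = 0) -> Tuple[bool, List[str]]:
    """Pipeline policy: fail on a low security score or on too many
    high-severity findings. Returns (passed, reasons)."""
    reasons: List[str] = []
    score = report.get("security_score")
    if score is not None and score < min_score:
        reasons.append(f"security score {score} below threshold {min_score}")
    highs = count_high_findings(report)
    if highs > max_high:
        reasons.append(f"{highs} high-severity finding(s), at most {max_high} allowed")
    return (not reasons, reasons)


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: mobsf_gate.py <app.apk>", file=sys.stderr)
        return 2
    base_url = os.environ.get("MOBSF_URL", "http://localhost:8000")
    client = MobSFClient(os.environ["MOBSF_API_KEY"], requests_transport(base_url))
    file_hash = client.upload(argv[1])
    client.scan(file_hash)  # returns once the static scan has finished
    passed, reasons = evaluate_report(client.report_json(file_hash))
    for reason in reasons:
        print("FAIL:", reason)
    print("PASS" if passed else "scan rejected by policy")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `MOBSF_API_KEY=<key> python mobsf_gate.py app.apk` against a running MobSF instance. The transport is injected so that `evaluate_report` and `MobSFClient` can be unit-tested with a fake transport and no server.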

Setting up MobSF

MobSF is an open-source project that is actively being developed, so its documentation is subject to change; always refer to the most up-to-date version on MobSF's official documentation page. There are several ways to install and run MobSF:

First Method of installing MobSF:

The first method is to install all the prerequisites manually and then run the setup script for your host operating system.

Prerequisite requirements

Mac

  • Install Git
  • Install Python 3.8-3.9
  • After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
  • Install JDK 8+
  • Install the command line tools: xcode-select --install
  • Download & Install wkhtmltopdf as per the wiki instructions
  • Windows app static analysis requires a Windows host or a Windows VM on Mac and Linux (see the MobSF documentation for more information).

Ubuntu/Debian based Linux:

  • Install Git: sudo apt-get install git
  • Install Python 3.8-3.9: sudo apt-get install python3.8
  • Install JDK 8+: sudo apt-get install openjdk-8-jdk
  • Install the following dependencies:
    sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
  • Windows app static analysis requires a Windows host or a Windows VM on Mac and Linux.

Windows

  • Install Git
  • Install Python 3.8-3.9
  • Install JDK 8+
  • Install Microsoft Visual C++ Build Tools
  • Install OpenSSL (non-light)
  • Download & Install wkhtmltopdf.
  • Add the folder that contains wkhtmltopdf binary to environment variable PATH.

NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once you’ve installed all of the prerequisites, you can move on to the installation step.

Second method of installing MobSF:

If you only need static analysis and do not need dynamic analysis, you can use the prebuilt MobSF Docker images. To pull and run one, enter the following commands at the command line:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Third method of installing MobSF:

If you don’t want to install MobSF on your personal computer, you can use the cloud version of MobSF instead. To do so, go to Mobsf.live.

MobSF Installation

Static Analysis using MobSF

What is a static analysis?

Static analysis, often called static code analysis, is the process of examining a program for flaws without running it. It is most commonly performed on a program's source code with tools that convert the code into an abstract syntax tree (AST) so that the code's structure can be evaluated completely. An AST is a tree representation of a program's source code that reflects its syntactic structure.

Let’s get started and run MobSF static analysis.

  • First, make sure your host PC has all of the necessary requirements loaded.
  • Second, clone the repository.

Note: This tutorial uses Windows as the host operating system and the FreeOTP Android apk as the binary for static and dynamic analysis.

Clone

  • Third, install all the dependencies.

For Linux / mac:

./setup.sh

For Windows:

./setup.bat

installation

MobSF

  • Now, execute the Run command.

For Linux & mac:

./run.sh

For Windows:

./run.bat

MobSF running

MobSF is now accessible directly from the browser itself.

Features of MobSF static analysis

Information Section:

The app’s various scores, such as the average CVSS, security score, and number of recognized trackers, are displayed in the information area at the top. The file’s name, size, and basic hashes are displayed in the File information section, which is positioned next to the App score. The App Information part, which appears next to the File Information section, offers numerous characteristics about the app, such as the package name, main activity, and current version of the application.

information section

APP scores

The app’s various scores are displayed in this section, including the average CVSS, security score, and number of trackers recognized.

MobSF scorecard

This section shows a detailed visual breakdown of the scores for the various findings.

MobSF scorecard

The average CVSS score is the mean of the CVSS scores of the individual findings, whereas the security score is derived from the findings' severities.

CVSS

Each app starts with a perfect score of 100. For each high-severity finding, MobSF subtracts 15 points; for each finding with severity warning it deducts 10 points; and for each finding with severity good it adds 5 points. If the calculated score is higher than 100, the app security score is reported as 100, and if it is less than 0, the app security score is reported as 10.
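To make the arithmetic above concrete, here is an added Python example (not MobSF's own code) that computes the security score and the average CVSS from a list of findings exactly as described: start at 100, subtract 15 per high, subtract 10 per warning, add 5 per good, then clamp anything above 100 to 100 and anything below 0 to 10. The findings are a constructed sample, and the assumption that labels other than those three leave the score unchanged is mine.

```python
"""Security score and average CVSS as the article describes them.

Added example, not MobSF's own code. Point values and clamping follow the
text; findings are a constructed sample.
"""
from statistics import mean
from typing import Dict, Iterable, List, Optional

SEVERITY_DELTA = {"high": -15, "warning": -10, "good": +5}


def security_score(severities: Iterable[str]) -> int:
    """Start at 100, apply each finding's delta, then clamp as described."""
    score = 100
    for sev in severities:
        # Labels outside the three described (e.g. "info") leave the score
        # unchanged; that is an assumption, not something the article states.
        score += SEVERITY_DELTA.get(sev.lower(), 0)
    if score > 100:
        return 100
    if score < 0:
        return 10
    return score


def average_cvss(cvss_values: Iterable[Optional[float]]) -> float:
    """Mean of the CVSS values carried by the findings, ignoring findings that
    have none; one decimal place, 0.0 when nothing is scored."""
    values = [v for v in cvss_values if v is not None]
    return round(mean(values), 1) if values else 0.0


def scorecard(findings: List[Dict]) -> Dict[str, object]:
    """Per-severity counts plus the two headline numbers the dashboard shows."""
    counts = {"high": 0, "warning": 0, "good": 0}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return {
        "counts": counts,
        "security_score": security_score(f["severity"] for f in findings),
        "average_cvss": average_cvss(f.get("cvss") for f in findings),
    }


# Constructed sample findings, loosely modelled on what a static scan reports.
SAMPLE_FINDINGS = [
    {"title": "App is debuggable", "severity": "high", "cvss": 7.5},
    {"title": "Activity exported without permission", "severity": "high", "cvss": 8.8},
    {"title": "Cleartext traffic allowed", "severity": "high", "cvss": 6.1},
    {"title": "Application data can be backed up", "severity": "warning", "cvss": 4.3},
    {"title": "Uses a weak hash algorithm", "severity": "warning", "cvss": 5.0},
    {"title": "Signed with the v2 signature scheme", "severity": "good", "cvss": None},
]

if __name__ == "__main__":
    # 3 high, 2 warning, 1 good: 100 - 45 - 20 + 5 = 40
    print(scorecard(SAMPLE_FINDINGS))
```

Try `security_score(["high"] * 8)`: the raw value is -20, which the clamp turns into 10 rather than 0, matching the rule stated above.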

scorecard

application scores

File information

The File information section, which is located next to the App score, displays the file’s name, size, and basic hashes.

File info

App Information

The App Information section, which sits next to the File Information section, shows the app's package name, main activity, and current version.

App info

Playstore description

This section will simply list the app’s description published on the Google Play Store.

playstore

Component section

component section

This section lists the fundamental components used in Android apps: Activities (a single screen in the app with a user-interactive interface), Services (parts of the app that run in the background), Receivers (which allow the app to register for system or application events), and Providers (which provide their own UI for working with the data).

Scan Option

scan option

These features include options such as Rescan and Start Dynamic Analysis. There is also a decompiled code section that shows the decompiled Android manifest, Java source code, and smali source code, with the option to download the Java source, the smali code, and even the apk file itself.

Signer Certificate

signer certificate

The Signer Certificate section includes basic information about a code signing certificate, such as the signature version, hash algorithms used, fingerprints, and issuer identifications. If anything, good or bad, is discovered, it will be presented in the certificate status box, along with a brief description.

Application permission

Application permission

All of the permissions used by the application (FreeOTP apk) are listed in the Permissions section, along with their status, information, and descriptions.

Android API

The Android API section lists all of the Android APIs used inside this particular application.

android API

Browsable activities

The Browsable Activities section simply lists all browsable activities, i.e. the activities that can be opened from a URL with a particular scheme.

Browsable activities

Security Analysis:

The security analysis section includes manifest, code, binary, NIAP, and file analysis.

security analysis

Network Security

Network security

Manifest Analysis

MobSF runs a static analysis on Android Manifest files to find any vulnerabilities. It then lists all of the issues/concerns, as well as their severity and a full description, inside this section.
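The following Python example is added here to show the kind of checks behind the Components, Browsable Activities and Manifest Analysis sections; it is not MobSF's rule set or code. It parses a constructed AndroidManifest.xml, lists the four component types, finds activities reachable from a URL scheme, and flags a debuggable application, enabled backups, and exported components that no permission protects, with severities in the article's labels. The sample treats `android:exported` as the only export signal, which is a simplification (older API levels also export components implicitly when an intent filter is present).

```python
"""Manifest checks of the kind a static analyser reports (added example,
not MobSF's own rules). The manifest is a constructed sample."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(name: str) -> str:
    """ElementTree key for an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, name)


SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".LinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="sample"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.sample.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.sample.data"
              android:exported="true"/>
  </application>
</manifest>
"""


def components(manifest_xml: str) -> Dict[str, List[str]]:
    """Names of the activities, services, receivers and providers declared."""
    app = ET.fromstring(manifest_xml).find("application")
    return {tag: [el.get(attr("name")) for el in app.findall(tag)]
            for tag in COMPONENT_TAGS}


def _categories(el: ET.Element) -> List[str]:
    return [c.get(attr("name")) for f in el.findall("intent-filter")
            for c in f.findall("category")]


def browsable_activities(manifest_xml: str) -> List[Tuple[str, List[str]]]:
    """Activities with a BROWSABLE intent filter, with the schemes they accept."""
    app = ET.fromstring(manifest_xml).find("application")
    out = []
    for act in app.findall("activity"):
        if "android.intent.category.BROWSABLE" in _categories(act):
            schemes = [d.get(attr("scheme")) for f in act.findall("intent-filter")
                       for d in f.findall("data") if d.get(attr("scheme"))]
            out.append((act.get(attr("name")), schemes))
    return out


def manifest_findings(manifest_xml: str) -> List[Dict[str, str]]:
    """Three manifest-level checks, each tagged with an article-style severity."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app.get(attr("debuggable")) == "true":
        findings.append({"title": "Debug is enabled for the application",
                         "severity": "high"})
    if app.get(attr("allowBackup")) == "true":
        findings.append({"title": "Application data can be backed up",
                         "severity": "warning"})
    for tag in COMPONENT_TAGS:
        for el in app.findall(tag):
            exported = el.get(attr("exported")) == "true"  # simplification, see lead-in
            protected = el.get(attr("permission")) is not None
            launcher = "android.intent.category.LAUNCHER" in _categories(el)
            # The launcher activity has to be exported; any other exported
            # component without a permission is reachable by every other app.
            if exported and not protected and not launcher:
                findings.append({"title": "%s %s is exported and not protected by a permission"
                                 % (tag, el.get(attr("name"))), "severity": "warning"})
    return findings


if __name__ == "__main__":
    print(components(SAMPLE_MANIFEST))
    print(browsable_activities(SAMPLE_MANIFEST))
    for f in manifest_findings(SAMPLE_MANIFEST):
        print(f["severity"].upper(), f["title"])
```

On the sample manifest this yields one high finding (debuggable) and three warnings (backup, the exported LinkActivity and the exported DataProvider); SyncService is exported but protected by a permission, and BootReceiver is not exported, so neither is flagged.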

manifest analysis

Code analysis

MobSF performs static analysis on all decompiled java source code and then provides a report that includes all issues encountered, as well as their severity, standard, and file location, which is displayed in this section.

Code analysis

Binary Analysis

MobSF lists all of the issues detected in the shared objects (native libraries) and displays them in this section.

NIAP Analysis

File analysis

For the FreeOTP apk this section is currently empty, but it is where MobSF lists sensitive files, such as certificates, that are hard coded within the application.

File analysis

Malware analysis

malware analysis

APKiD analysis

This section gives a solid picture of the application's behaviour from a code perspective.

APKiD analysis

Server location

This is one of MobSF's nicest features: a world map UI that plots the locations of the servers the assessed app communicates with.

server location

Quark analysis

quark analysis

Domain malware check

MobSF extracts domains from the binary and checks them against its database of known malicious domains, reporting each domain as good or malicious on that basis.

domain

Reconnaissance

URLs

MobSF lists all of the URLs found in the application's various source code files in this area.

urls

Firebase DB

MobSF is capable of extracting all of the Firebase database URLs from the app, as well as doing a secondary check to determine if the database is publicly accessible.

firebase

Emails

MobSF extracts all of the email addresses contained in the source code and displays them in this section.

emails

Trackers

MobSF extracts all of the trackers currently used inside the application and displays them in this section.

trackers

Trackers are simply development toolkits or add-ons that collect data and information on the application's behalf.

Strings

MobSF lists out all the hard coded strings in the binary, especially the ones from the strings resource.

strings

Possible hardcoded secrets

secrets

Components

Components refer to the different sections of the application. This section includes a list of all the activities, services, receivers, providers, and libraries that this application employs. It also contains all files found in the application’s binaries.

components

Activities

Activities are simply a single screen in your app with an interface that the user can interact with.

Activities

Services

Services are the parts of the application that run in the background.

Services

Receivers

Receivers let the app register for system or application events.

Receivers

Providers

Providers provide their own UI for working with the data.

Providers

PDF report

The PDF report section allows you to create a professional-looking PDF report that contains high-level information about the various findings of that particular analyzed application.

Visit this link to see the full report on this specific application.

What is Dynamic analysis ?

Dynamic analysis is the process of testing and analyzing a program while it is executing. Dynamic analysis, also known as dynamic code scanning, aids in the detection and correction of errors, memory issues, and other issues with program execution. Before moving on to dynamic analysis, static analysis is required.

Dynamic analysis mechanism

MobSF first installs the apk on the Genymotion VM and then instruments it. Xposed and Frida are used for instrumentation: Frida for Android 5.0 and up, Xposed for Android 5.0 and below. Some agents are also deployed in the Genymotion VM; once the app has been instrumented, they start capturing and gathering data relevant to it. The collected data is sent back to MobSF when the report is completed, and the app's data on the device is dumped for further study.

Always make sure you have configured the dynamic analyzer for MobSF before starting the analysis. For Android dynamic analysis to work correctly, you must start the Genymotion VM before launching MobSF.

This error is thrown if MobSF fails to detect the virtual machine.

virtual machine

Starting Dynamic analysis

Open scan options and click on Start Dynamic Analysis.

dynamic analysis

If everything went well, you should be able to see the dashboard.

dashboard

MobSF Dynamic analysis features and functionality:

Show/Stop Screen:

show screen

This feature displays the screen of the emulated device in the web interface. Some basic interactions, such as touches and clicks, can be performed directly from the web interface.

Remove Root Certificate(CA):

remove install

This option removes (or installs) the root CA certificate that MobSF relies on to intercept the device's traffic.

TLS/ SSL test:

TLS/SSL Security test allows you to assess the network security of your application. These tests are only applicable to applications that connect to the internet using the HTTP protocol.

tls ssl

command prompt

Exported Activity Tester:

This test lets you dynamically test exported activities, which is useful for building dynamic proofs of concept and for verifying the static analysis results.

exported activity

Activity Tester:

You can use this test to forcibly launch and test all non-exported activities.

activity tester

Get Dependencies:

This functionality helps in the gathering of all information regarding the application’s runtime dependencies.

dependencies

Take Screenshots:

This feature allows you to take a screenshot of a device that is currently running in a virtual machine.

screenshot

Logcat Stream:

The Logcat stream shows all of the device’s logs in real time.

logcat stream

A new window will be opened

MobSF currently cannot perform fully autonomous dynamic analysis, because it does not know your app's business logic, how to fill in login and password fields, or what data to supply. To get the most out of MobSF dynamic analysis, you must walk through the application's various business flows yourself while MobSF performs security analysis in the background.

Initializing the Dynamic Analysis Process :

The initial stage in the dynamic analysis process is to select start instrumentation, which will load the application and enable MobSF to instrument it.

Instrumentation with Frida

Use the console to see the output created by these Frida scripts, or look in the Frida live logs folder. Whether you’re running a custom Frida script or writing one, Frida live logs will show you all of the output from the various Frida scripts.

live logs

Once instrumentation is complete, the Live API Monitor button is enabled. The live API monitor simply logs all API calls that occur while the application runs.

api

live api

Frida Code editor

MobSF dynamic analyzer also provides access to the Frida code editor where custom or pre-built Frida scripts can be loaded.

Frida

Generate Report:

Selecting the Generate Report option tells MobSF to stop all analysis and generate a report. After dynamic analysis is completed, the final report should look somewhat like this.

Click here to see the full dynamic analysis report of the FreeOTP apk application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they are still being developed, and it can run static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by allowing them to analyze both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps professionals can use to integrate it directly into CI/CD pipelines, and that malware researchers can use to quickly and effectively discover harmful behaviour and malware signatures in applications. This article may have been entertaining as well as instructive in terms of how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel's community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that assists open source project communities in monetizing and long-term sustainability. To know more visit Aviyel.com and find great blogs and events, just like this one! Sign up now for early access, and don’t forget to follow us on our socials!