
Phonograph Music Player apk analysis using MobSF

Smartphones and mobile technology are becoming more critical by the day. Mobile devices such as cell phones and tablets are heavily used to surf the web, run apps, read email, post to social media, and conduct financial and banking transactions.

There has been a tremendous surge in the use of mobile devices for both personal and business purposes. The advent of mobile devices and the proliferation of mobile applications have enabled mobility and flexibility on a very large scale. This has also raised concerns about how security can be preserved as users move across the digital world.

Difficulties Faced with Mobile Device Security.

The mobile market is growing as wireless technology advances and mobile device usage increases. Developing and maintaining secure identities for mobile devices has become a huge challenge for individuals, society, and businesses, particularly in mobile value-added services such as mobile banking, mobile ticketing and various other services.

The following are a few of the most notable difficulties with mobile devices that result from threats and vulnerabilities:

  • Sensitive data and information leaks
  • Unguarded data storage
  • Weak authentication and authorization
  • Server-side controls
  • Brute force attacks
  • Improper session handling
  • Lack of transport layer protection
  • Client-side injection

Mobile Threats and Vulnerabilities:

Cyber criminals are increasingly targeting mobile devices. Many popular applications and programs for mobile devices are available on the internet, making them a prime target for attackers who want to disrupt security systems, create risk, and spread large amounts of malware. There’s an increasing gap between the ability of a hacker and the security of a company. To counteract this trend, mobile device security solutions and policies must be made more flexible and more tightly managed.

Mobile Threats.

Threats and attacks that were previously successful on desktop computers are now being tried on mobile devices. As the level of defense rises, so does the quantity of easy targets. Hackers and attackers focus on the weakest link in the chain, resulting in a slew of successful frauds.

  • Physical threats
  • Application-based threats
  • Network-based threats
  • Web-based threats

Understanding mobile security.

Staying secure these days is extremely challenging, and our significant reliance on mobile technology makes it even more difficult. Personal social media accounts, emails, sensitive texts, and even bank account information are all stored on our cellphones. Despite the fact that these data are often highly sensitive and may include valuable information, we continue to keep them on the device. Also, most business-to-business transactions are conducted through smartphones. The use of social media tends to be confined to smartphones as well. Business without mobile or smartphone apps is, thus, ineffective. It’s no secret that mobile technology is advancing at a quick pace. There are billions of people on the internet, many of whom use their smartphones. This large user base opens up a whole new world of security and risk issues. To maximize earnings while avoiding risks, it is important to understand the mobile security framework and protect yourself from potential security threats.

Testing Mobile Security Frameworks.

Mobile security is becoming increasingly critical. Because of this, developers have constructed mobile security frameworks and even released them as fully open-source software to the general public. This software is designed to test and score the security of a mobile app, regardless of whether you’re running Android, iOS, or any other mobile OS. There is a plethora of tools available, such as AppMon, Runtime Mobile Security (RMS), the OWASP MSTG and MobSF. In terms of ease of use, MobSF is hands down one of the greatest solutions available. It is an entirely free and open-source tool that helps perform the security assessment of mobile/smartphone applications.

What is MobSF?

MobSF (Mobile Security Framework) is an automated, all-in-one security assessment framework. It can analyze Android, iOS, and Windows binaries and source code automatically, although it currently only supports Java and Objective-C source code. MobSF can also be used to capture web traffic from an application, which can subsequently be routed to fuzzing tools like Burp Suite and OWASP ZAP for further analysis. MobSF is an open-source security program that is absolutely free. The project began in December 2014, and developers from a number of regions now collaborate on it. MobSF is a great tool for developers because it allows them to find security flaws in their apps while they’re still being developed. It also helps security engineers perform mobile app security audits by allowing them to perform security analysis on both the final production-ready binaries and the source code.

MobSF also has a REST API that DevSecOps experts, or anyone else, can use to incorporate it into their CI/CD pipelines, and malware researchers may use it to quickly detect malicious activity and malware signatures in applications. It’s also feasible to perform sandboxed dynamic runtime analysis and determine a malware sample’s behavior in real time with the help of MobSF.
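The following is an added example of the CI/CD integration the paragraph describes; it is not MobSF’s own code. It drives three calls of MobSF’s documented REST API (/api/v1/upload, /api/v1/scan and /api/v1/scorecard, with the API key in the Authorization header) and fails the build when the security score from the scorecard drops below a threshold. The endpoint paths, the file_name/hash/scan_type fields of the upload response and the security_score field of the scorecard are assumptions taken from the MobSF REST API documentation at the time of writing; as the article says about the install docs, confirm them against the current documentation. The HTTP transport is injectable so the pipeline logic can be exercised without a running MobSF instance.

```python
"""CI/CD gate built on MobSF's REST API (added example, not MobSF's own code).

Assumptions: MobSF listens at MOBSF_URL, the API key comes from the MobSF
console, and /api/v1/upload, /api/v1/scan and /api/v1/scorecard behave as
described in the MobSF REST API documentation at the time of writing.
"""
import json
import os
import sys
import uuid
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Tuple

# transport(url, headers, body, content_type) -> parsed JSON response
Transport = Callable[[str, Dict[str, str], bytes, str], Dict[str, Any]]


def urllib_transport(url: str, headers: Dict[str, str], body: bytes,
                     content_type: str) -> Dict[str, Any]:
    """Default transport: a real HTTP POST using only the standard library."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={**headers, "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=900) as resp:  # static scans can take minutes
        return json.loads(resp.read().decode("utf-8"))


def multipart_file(filename: str, content: bytes) -> Tuple[bytes, str]:
    """Encode one file as multipart/form-data under the form field 'file'."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


class MobSFClient:
    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": api_key}  # MobSF expects the API key in this header
        self.transport = transport

    def _form(self, endpoint: str, fields: Dict[str, str]) -> Dict[str, Any]:
        body = urllib.parse.urlencode(fields).encode("utf-8")
        return self.transport(self.base_url + endpoint, self.headers, body,
                              "application/x-www-form-urlencoded")

    def upload(self, filename: str, content: bytes) -> Dict[str, Any]:
        body, ctype = multipart_file(filename, content)
        return self.transport(self.base_url + "/api/v1/upload", self.headers, body, ctype)

    def scan(self, upload_resp: Dict[str, Any]) -> Dict[str, Any]:
        # upload returns file_name, hash and scan_type; scan needs all three back (assumed fields)
        return self._form("/api/v1/scan", {"scan_type": upload_resp["scan_type"],
                                           "file_name": upload_resp["file_name"],
                                           "hash": upload_resp["hash"]})

    def scorecard(self, file_hash: str) -> Dict[str, Any]:
        return self._form("/api/v1/scorecard", {"hash": file_hash})


def gate(scorecard: Dict[str, Any], min_score: int) -> Dict[str, Any]:
    """Pass/fail decision on the scorecard's security_score field (assumed field name)."""
    score = int(scorecard.get("security_score", 0))
    return {"passed": score >= min_score, "security_score": score}


def run_pipeline(client: MobSFClient, filename: str, content: bytes,
                 min_score: int) -> Dict[str, Any]:
    """Upload, scan, fetch the scorecard and apply the gate."""
    uploaded = client.upload(filename, content)
    client.scan(uploaded)
    return gate(client.scorecard(uploaded["hash"]), min_score)


if __name__ == "__main__":  # usage: MOBSF_API_KEY=... python mobsf_gate.py app.apk 60
    apk_path, threshold = sys.argv[1], int(sys.argv[2])
    client = MobSFClient(os.environ.get("MOBSF_URL", "http://localhost:8000"),
                         os.environ["MOBSF_API_KEY"])
    with open(apk_path, "rb") as f:
        result = run_pipeline(client, os.path.basename(apk_path), f.read(), threshold)
    print(result)
    sys.exit(0 if result["passed"] else 1)
```

The exit status is what the CI job keys on; the threshold belongs in pipeline configuration, not in the script, and the API key should come from the CI secret store rather than a file in the repository.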

MobSF is self-hosted and runs as a web application. It is cross-platform, meaning it runs on Linux, Mac OS X, and Windows operating systems. MobSF’s static analysis component can be run in a Docker container or on a virtual machine. To perform dynamic analysis, MobSF must be installed on the host operating system: dynamic analysis is not supported when MobSF is installed inside a dockerized or virtualized environment.

Setting up MobSF.

MobSF is an open-source project that is actively being developed, so the documentation is subject to change. Be sure to always use the most up-to-date documentation from MobSF’s official documentation page. There are several methods of installing and running MobSF:

First Method of installing MobSF:

The first method of installing MobSF is to manually install all of the prerequisite requirements and then run the setup script for your Host Operating System.

Prerequisite requirements

For Mac users

  • Install Git
  • Install Python 3.8-3.9
  • After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
  • Install JDK 8+
  • Install command line tools xcode-select --install
  • Download & Install wkhtmltopdf
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. More Info

For Ubuntu/Debian based Linux users:

  • Install Git: sudo apt-get install git
  • Install Python 3.8-3.9: sudo apt-get install python3.8
  • Install JDK 8+: sudo apt-get install openjdk-8-jdk
  • Install the following dependencies:
sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux. More info

For Windows users

NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once all of the prerequisites have been installed, you can proceed to the installation stage.

Second method of installing MobSF:

If you only need static analysis and don’t want to do dynamic analysis, you can always use the prebuilt MobSF Docker images. Copy and paste the following commands into the command line to pull and run a prebuilt MobSF Docker image:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Third method of running MobSF:

If you don’t want to install MobSF on your PC, you can use the cloud version instead. To do so, go to Mobsf.live.

Static Analysis using MobSF

What is static analysis?

Static analysis, often known as static code analysis, is the practice of examining a computer program without executing it to identify anomalies. Static analysis is most commonly performed on a program’s source code using tools that convert the code into an abstract syntax tree (AST) in order to fully understand the code’s structure and subsequently detect faults in it. An Abstract Syntax Tree, or AST, is a tree representation of a computer program’s source code that conveys the source code’s structure.

MobSF static analyzer architecture.

MobSF features a single, easy-to-use static analyzer where users can upload mobile app binary files and source code, and MobSF will run static analysis on them and generate a report in HTML/PDF or JSON format.

Let’s get started and run MobSF static analysis.

  • First, make sure your host PC has all of the necessary requirements loaded.
  • Second, clone the repository.

Note: In this tutorial we’ll be using Windows as the host operating system and the FreeOTP Android apk binary for static/dynamic analysis.

  • Third, install all the dependencies.

For Linux / mac:

./setup.sh

For Windows:

./setup.bat

  • Now, execute the Run command.

For Linux & mac:

./run.sh

For Windows:

./run.bat

MobSF is now accessible from the browser. Simply drag and drop, or pick, the apk file you want to study to begin the static analysis process.

Features of MobSF static analysis

Information Section:

This section, located at the top of the report, displays the app’s various scores, such as the average CVSS, security score, and number of recognized trackers. The File Information section, located next to the App Score, displays the file’s name, size, and basic hashes. The App Information section, which sits next to the File Information section, contains a number of details about the app, including the package name, main activity, and current version.

App Score

This section displays the app’s various scores, such as the average CVSS, security score, and number of trackers recognized.

MobSF scorecard

This section shows a visual representation of the scores for the various findings in great detail.

The average CVSS score is the mean of the CVSS scores of the individual findings, whereas the security score is derived from the severity of the findings.

Each app starts with a perfect score of 100. MobSF deducts 15 points from the score for each finding with high severity, subtracts 10 points for each finding with warning severity, and adds 5 points for each finding with good severity. If the calculated score is more than 100, the app security score is capped at 100; if it is less than 0, the app security score is set to 10.
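To make the scoring rule above concrete, here is an added example that applies it to a list of finding severities, including the two clamping cases (a score above 100 and a score below 0), together with the average-CVSS computation. It is written from the article’s description, not taken from MobSF’s source; the treatment of "info" and unknown severities as neutral is an assumption.

```python
from statistics import fmean
from typing import Iterable, Sequence

# Point values as described in the article; not MobSF's source code.
HIGH_PENALTY = 15
WARNING_PENALTY = 10
GOOD_BONUS = 5


def security_score(severities: Iterable[str]) -> int:
    """Start at 100, -15 per high, -10 per warning, +5 per good,
    then cap at 100 and map any negative result to 10."""
    score = 100
    for severity in severities:
        s = severity.strip().lower()
        if s == "high":
            score -= HIGH_PENALTY
        elif s == "warning":
            score -= WARNING_PENALTY
        elif s == "good":
            score += GOOD_BONUS
        # "info" and unknown severities leave the score unchanged (assumption)
    if score > 100:
        return 100
    if score < 0:
        return 10
    return score


def average_cvss(cvss_values: Sequence[float]) -> float:
    """Mean CVSS over the findings that carry a CVSS value; 0.0 when there are none."""
    return round(fmean(cvss_values), 1) if cvss_values else 0.0
```

Note the asymmetry the rule creates: a single app with seven high findings lands on 10, not 0, and an app with no high or warning findings can never exceed 100 however many "good" findings it has, so the number is a coarse triage signal rather than a measure to compare builds on.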

File information

The file’s name, size, and basic hashes are displayed in the File information section, which is positioned next to the App score section.

App Information

The App Information section, which sits next to the File Information section, contains the app’s package name, main activity, and the current version of the application.

Playstore description

This section will simply list the app’s description published on the Google Play Store.

Component section

This section lists the fundamental components used in Android apps, such as ‘Activities’ (a single screen in your app with a user-interactive interface), ‘Services’ (a background-running part of the app), ‘Receivers’ (which allow users to register for system or application events), and ‘Providers’ (which provide their own interface for working with the app’s data).

Scan Option

This feature includes options such as Rescan and Start Dynamic Analysis. It also has a decompiled code section that displays decompiled versions of the Android manifest file, the Java source code, and the smali source code, as well as the ability to download the Java source code, the smali code, and even the apk file itself.

Signer Certificate

Information about the code signing certificate is found in the Signer Certificate section, which shows the signature version, the hash algorithms used, the fingerprints, and the issuer identification. If anything positive or negative is identified, it is mentioned in the certificate status box with a brief summary.

Application permission

All of the permissions used by the application (Phonograph apk) are listed in the Permissions section, along with their status, information, and descriptions.

Android API

The Android API section contains information about all of the APIs that are used in this particular application.

Browsable activities

The Browsable Activities section simply lists all the browsable activities, that is, all the activities that can be invoked through a particular URI scheme.

Security Analysis:

The security analysis section includes manifest, code, binary, NIAP, and file analysis.

Network Security:

Manifest Analysis:

MobSF runs static analysis on the Android manifest file to find any vulnerabilities. It then lists all of the issues and concerns, along with their severity and a full description, in this section.
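As an added illustration of the kind of checks a manifest analysis performs (this is example code with its own small rule set, not MobSF’s analyzer or its rule list), the following parses an AndroidManifest.xml and reports the debuggable, allowBackup and usesCleartextTraffic flags on the application element, plus any component that is exported without a protecting permission. The same parse also produces the Browsable Activities listing from the section above (activities with a BROWSABLE intent-filter and the URI schemes they accept). The manifest is constructed for the example; the exported-by-default rule for components with an intent-filter is the pre-API-31 behaviour.

```python
"""Manifest checks in the spirit of MobSF's Manifest Analysis section.

Added example with its own small rule set; not MobSF's analyzer or rule list.
The manifest below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Qualified name of an android: attribute, as ElementTree expects it."""
    return f"{{{ANDROID_NS}}}{name}"


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="sample" android:host="open"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:exported="true"/>
    <receiver android:name=".SecureReceiver" android:exported="true" android:permission="com.example.sample.ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.sample.data" android:exported="true"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def is_exported(component: ET.Element) -> bool:
    """An explicit android:exported wins; otherwise (pre-API-31 rule) a component
    that declares an intent-filter is exported."""
    explicit = component.get(attr("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component: ET.Element) -> bool:
    return any(c.get(attr("name")) == "android.intent.category.LAUNCHER"
               for c in component.iter("category"))


def analyze_manifest(xml_text: str) -> List[Dict[str, str]]:
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings: List[Dict[str, str]] = []
    if app is None:
        return findings
    if app.get(attr("debuggable")) == "true":
        findings.append({"severity": "high", "component": "application",
                         "issue": "android:debuggable=true: the app can be debugged on any device"})
    if app.get(attr("allowBackup"), "true") == "true":  # the attribute defaults to true when absent
        findings.append({"severity": "warning", "component": "application",
                         "issue": "android:allowBackup=true: app data can be extracted with a backup"})
    if app.get(attr("usesCleartextTraffic")) == "true":
        findings.append({"severity": "warning", "component": "application",
                         "issue": "android:usesCleartextTraffic=true: cleartext HTTP is allowed"})
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if tag == "activity" and is_launcher(comp):
                continue  # the launcher activity has to be exported; nothing to report
            if is_exported(comp) and comp.get(attr("permission")) is None:
                findings.append({"severity": "warning", "component": comp.get(attr("name"), "?"),
                                 "issue": f"{tag} is exported and not protected by a permission"})
    return findings


def browsable_activities(xml_text: str) -> Dict[str, List[str]]:
    """Activities with a BROWSABLE intent-filter, mapped to the URI schemes they accept."""
    root = ET.fromstring(xml_text)
    result: Dict[str, List[str]] = {}
    for act in root.iter("activity"):
        for filt in act.findall("intent-filter"):
            cats = {c.get(attr("name")) for c in filt.findall("category")}
            if "android.intent.category.BROWSABLE" in cats:
                schemes = [d.get(attr("scheme")) for d in filt.findall("data") if d.get(attr("scheme"))]
                result.setdefault(act.get(attr("name"), "?"), []).extend(schemes)
    return result
```

The binary manifest inside an apk must be decoded first (MobSF does this as part of decompilation); this example works on the decoded XML that the Scan Options section lets you download.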

Code analysis:

MobSF runs static analysis on all of the decompiled Java source code and generates a report that lists every issue found, along with its severity, the standard it maps to, and the file location, in this particular section.
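The code analysis step is essentially a rule set matched against the decompiled sources. The following added example (not MobSF’s scanner or rule set; the rules and the Java sources are constructed here) shows that shape for one family of findings, insecure TLS handling, which is also what the TLS Misconfiguration test later in the article exercises dynamically: a TrustManager that accepts every certificate, a HostnameVerifier that always returns true, a WebViewClient that proceeds past SSL errors, and hard-coded cleartext http:// URLs. Each finding records the rule, severity, file and line, mirroring the columns of the Code Analysis section.

```python
"""Pattern-based code analysis of decompiled Java for insecure TLS handling.

Added example with its own small rule table; not MobSF's rule set or scanner.
The Java sources below are constructed for the example.
"""
import re
from typing import Dict, List, Pattern, Tuple

Rule = Tuple[str, Pattern[str], str, str]  # (id, pattern, severity, description)

RULES: List[Rule] = [
    ("webview_ssl_error_bypass",
     re.compile(r"onReceivedSslError[\s\S]{0,400}?\.proceed\(\)"),
     "high", "WebViewClient.onReceivedSslError calls handler.proceed(): certificate errors are ignored"),
    ("trust_all_certs",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
     "high", "X509TrustManager.checkServerTrusted has an empty body: every server certificate is trusted"),
    ("hostname_verifier_true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;"),
     "high", "HostnameVerifier.verify always returns true: hostname validation is disabled"),
    ("allow_all_hostname_verifier",
     re.compile(r"AllowAllHostnameVerifier|ALLOW_ALL_HOSTNAME_VERIFIER"),
     "high", "AllowAllHostnameVerifier used: hostname validation is disabled"),
    ("cleartext_http_url",
     re.compile(r'"http://[^"\s]+"'),
     "warning", "Hard-coded cleartext http:// URL"),
]

SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/net/TrustAll.java": """
package com.example.net;
import javax.net.ssl.*;
import java.security.cert.X509Certificate;
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    public static final HostnameVerifier LAX = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
}
""",
    "com/example/ui/WebActivity.java": """
package com.example.ui;
import android.webkit.*;
public class WebActivity {
    static final String LEGACY_API = "http://legacy.example.com/api";
    WebViewClient client = new WebViewClient() {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    };
}
""",
    "com/example/net/Api.java": """
package com.example.net;
public class Api {
    static final String BASE = "https://api.example.com/v1/";
}
""",
}


def scan_source(path: str, text: str) -> List[Dict[str, object]]:
    """Run every rule over one file and record the 1-based line of each match."""
    findings: List[Dict[str, object]] = []
    for rule_id, pattern, severity, description in RULES:
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            findings.append({"rule": rule_id, "severity": severity, "file": path,
                             "line": line, "description": description})
    return findings


def scan_sources(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan a mapping of path -> decompiled source in a stable (sorted) order."""
    findings: List[Dict[str, object]] = []
    for path in sorted(sources):
        findings.extend(scan_source(path, sources[path]))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per severity, the same tally the scorecard is built from."""
    counts: Dict[str, int] = {}
    for finding in findings:
        sev = str(finding["severity"])
        counts[sev] = counts.get(sev, 0) + 1
    return counts
```

Regex rules are deliberately loose: they trade false positives for coverage of decompiler output whose formatting varies, which is why every finding carries a file and line for a human to confirm.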

Binary Analysis

MobSF highlights all of the faults found in the app’s shared objects (native libraries) and displays them in this section.

NIAP Analysis

The Department of Defense and other government agencies must ensure that their mobile apps meet the security guidelines of the National Information Assurance Partnership (NIAP). NIAP certifies commercial hardware and software used in national security systems. This section showcases all of the NIAP results, including their identifier, requirement, characteristics, and brief explanations.

File analysis

For this application the section is blank, but this is where MobSF lists all of the sensitive files, such as certificates, that are hard-coded within the application.

Malware analysis

APKiD analysis

This section provides a solid picture of the application’s behavior from a code perspective.

Server location

This is one of MobSF’s best features: a world map UI that shows the locations of all the servers the assessed app communicates with.

Quark analysis

Domain malware check

MobSF extracts domains from the binary and compares them with the domains recorded in its database. Based on that information, it assesses whether each domain is good or malicious.

Reconnaissance

URLs

MobSF lists and displays all of the URLs found in the application’s various source code files in this area.

Firebase DB

MobSF can extract all of the Firebase database URLs from the app, and it also performs a secondary check to see whether the database is accessible to the public.

Emails

MobSF is able to extract all of the email addresses contained in the source code and presents them in this particular section.
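The Reconnaissance sections (URLs, Firebase DB, Emails) and the Domain Malware Check above all rest on the same extraction pass over the decompiled sources. The following added example (not MobSF’s code; the sources and the denylist are constructed) performs that pass: it pulls URLs and e-mail addresses out of a map of source files, derives the set of domains, singles out firebaseio.com URLs, and classifies each domain against a local denylist standing in for MobSF’s domain database. MobSF’s secondary Firebase check, which probes whether the database is publicly readable, is a network request and is not reproduced here.

```python
"""Reconnaissance over decompiled sources: URLs, domains, Firebase DB URLs,
e-mail addresses, and a domain check against a local denylist.

Added example, not MobSF's code. The sources and the denylist are constructed.
"""
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

URL_RE = re.compile(r"\b(?:https?|wss?)://[^\s\"'<>()]+")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed denylist standing in for MobSF's malware-domain database.
DENYLIST: Set[str] = {"malware-c2.example", "phish-login.example"}

SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/Config.java": '''
public class Config {
    static final String API = "https://api.example.com/v1/";
    static final String FIREBASE = "https://sample-app-1234.firebaseio.com/";
    static final String SUPPORT = "support@example.com";
}
''',
    "com/example/Beacon.java": '''
public class Beacon {
    String endpoint = "http://malware-c2.example/report?id=" + deviceId;
    String contact = "ops@malware-c2.example";
}
''',
}


def _index(sources: Dict[str, str], pattern: "re.Pattern[str]") -> Dict[str, List[str]]:
    """Match -> sorted list of the files it appears in."""
    found: Dict[str, Set[str]] = {}
    for path, text in sources.items():
        for value in pattern.findall(text):
            found.setdefault(value, set()).add(path)
    return {value: sorted(paths) for value, paths in sorted(found.items())}


def extract_urls(sources: Dict[str, str]) -> Dict[str, List[str]]:
    return _index(sources, URL_RE)


def extract_emails(sources: Dict[str, str]) -> Dict[str, List[str]]:
    return _index(sources, EMAIL_RE)


def domains_of(urls: Iterable[str]) -> List[str]:
    """Distinct host names behind the URLs, lower-cased by urlparse."""
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h)


def firebase_urls(urls: Iterable[str]) -> List[str]:
    return sorted(u for u in urls if (urlparse(u).hostname or "").endswith(".firebaseio.com"))


def check_domains(domains: Iterable[str], denylist: Set[str] = DENYLIST) -> Dict[str, str]:
    """Classify each domain as 'good' or 'malicious' against the denylist."""
    return {d: ("malicious" if d in denylist else "good") for d in domains}


def recon(sources: Dict[str, str]) -> Dict[str, object]:
    """One pass producing the four report sections."""
    urls = extract_urls(sources)
    return {
        "urls": urls,
        "domains": check_domains(domains_of(urls)),
        "firebase": firebase_urls(urls),
        "emails": extract_emails(sources),
    }
```

Running recon over a real decompiled tree means walking the directory and reading each .java and strings.xml file into the sources map; the rest is unchanged. A real domain database should be refreshed regularly, since a "good" verdict only means the domain was not listed at the time of the check.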

Trackers

MobSF is capable of extracting all the trackers currently used inside the application and displays them in this particular section.

Trackers are simply development toolkits or add-ons that collect data and information on the application’s behalf.

Strings

MobSF lists all of the hard-coded strings in the binary, especially the ones from the strings resource.

Possible hardcoded secrets

Components

Components refer to the different sections of the application. This section includes a list of all the activities, services, receivers, providers, and libraries that this application employs. It also contains all files found in the application’s binaries.

Activities

Activities are nothing more than a single screen in your program with a user-interactive interface.

Services

Services are the background-running parts of an application.

Receivers

Receivers allow users to register for system or application-specific events.

Providers

Providers provide their own interface for working with the app’s data.

PDF report

You can use the PDF report section to build a professional-looking PDF report that contains high-level information about the various findings for the evaluated application.

Visit this link to see the full report on this specific application.

What is dynamic analysis?

Dynamic analysis is the process of testing and evaluating a program while it is executing. Dynamic analysis, also known as dynamic code scanning, is a technique for finding and resolving errors, memory problems, and other issues with program execution. Static analysis must be completed before moving on to dynamic analysis.

Dynamic analysis mechanism

MobSF first installs the apk on the Genymotion VM and then instruments it. Xposed and Frida are used for instrumentation; Frida is used for Android 5.0 and up, and Xposed is used for Android 5.0 and below. Some agents are deployed in the Genymotion VM as well. Once the app has been instrumented, the agents start capturing and gathering data relevant to it. The collected data is sent back to MobSF when the report is completed, and the app’s data on the device is dumped for additional study.

Always make sure you’ve configured the dynamic analyzer for MobSF before starting the analysis. To perform Android dynamic analysis without problems, you must start a Genymotion VM before launching MobSF.

This error will be thrown if MobSF fails to detect the virtual machine.

Starting Dynamic analysis

Open scan options and click on Start Dynamic Analysis.

If everything went well, you should be able to see the dashboard.

MobSF Dynamic analysis features and functionality:

Show/Stop Screen:

This feature displays the screen of the emulated device on the web interface. Some fundamental actions, such as touches and clicks, can be performed straight from the web interface.

Remove Root Certificate(CA):

This feature installs or removes the MobSF root certificate (CA) on the device, which is what makes it possible to intercept the device’s traffic.

TLS/ SSL test:

The TLS/SSL Security test allows you to assess the network security of your application. These tests only apply to applications that connect to the internet using the HTTP protocol.

TLS Misconfiguration Test - Enable HTTPS MITM Proxy, Remove Root CA, Run the App for 25 seconds.

This test uncovers insecure configurations that allow HTTPS connections to bypass certificate errors, or SSL/TLS errors in WebViews. This is equivalent to not having TLS at all.

TLS Pinning/Certificate Transparency Test - Enable HTTPS MITM Proxy, Install Root CA, Run the App for 25 seconds.

This test evaluates the application’s TLS/SSL hardening controls and checks whether the application implements certificate or public key pinning and/or certificate transparency.

TLS Pinning/Certificate Transparency Bypass Test - Enable HTTPS MITM Proxy, Install Root CA, Bypass Certificate/Public Key Pinning or Certificate Transparency.

This test tries to bypass certificate or public key pinning and/or certificate transparency controls in your application. MobSF can bypass most generic implementations.

Exported Activity Tester:

This test allows you to dynamically test all exported activities, which is useful for developing dynamic proofs of concept and verifying the static analysis results.

Activity Tester:

You can use this test to forcefully launch and test all non-exported activities.

Get Dependencies:

This functionality gathers all the information about the application’s runtime dependencies.

Take Screenshots:

This feature allows you to take a screenshot of a device that is currently running in a virtual machine.

Logcat Stream:

All of the device’s logs are displayed in real time inside the Logcat stream section.

A new window opens and all the real-time logs stream into it.

At the moment, MobSF is unable to do fully autonomous dynamic analysis. This is because MobSF knows nothing about your app’s business logic, how to fill in the login and password fields, or what data it should supply. To get the most out of MobSF dynamic analysis, you must manually walk through the application’s different business logic and obstacles while MobSF performs security analysis on these flows in the background.

Initializing the Dynamic Analysis Process:

The initial stage in the dynamic analysis process is to select start instrumentation, which will load the application and enable MobSF to instrument it.

Instrumentation with Frida:

Use the console to see the output created by these Frida scripts, or look in the Frida Live Logs section. Whether you’re running a custom Frida script or writing one, Frida Live Logs will show you all of the output from the various Frida scripts.

Once the instrumentation process is complete, the Live API monitor button will be enabled. The live API monitor simply logs all API calls that occur during the course of the application.

Frida Code editor

MobSF dynamic analyzer also provides access to the Frida code editor where custom or pre-built Frida scripts can be loaded.

Generate Report:

When the Generate Report option is selected, MobSF stops all analysis and generates a report. After the dynamic analysis is completed, the final report should look somewhat like this.

Click here to see the full dynamic analysis report of the Phonograph apk application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, and it can run static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by allowing them to conduct security analysis on both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps professionals may use to integrate it directly into CI/CD pipelines, and that malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications. This article may have been entertaining as well as instructive in terms of how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel’s community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that assists open source project communities in monetizing and long-term sustainability. To know more visit Aviyel.com and find great blogs and events, just like this one! Sign up now for early access, and don’t forget to follow us on our socials!