
QKSMS apk analysis using MobSF


Over the previous decade, modern phones have become more widespread in all aspects of society. Cell phones and tablets are widely used to access the internet, run apps, get email, post to social media, and conduct financial and banking transactions, among other things. The use of mobile devices for both personal and professional uses has skyrocketed. Mobility and flexibility have been substantially aided by the development of mobile applications and the availability of mobile devices. As a result, concerns about maintaining security while navigating the digital domain have been voiced.

Mobile Security

The security of mobile devices is becoming more relevant as a cause of concern for users’ privacy. Despite the fact that mobile device manufacturers are concerned about user security and data privacy, using internet-based applications creates substantial hurdles in terms of resolving threats and vulnerabilities while safeguarding a user's data privacy. The vast majority of software applications are created to do a certain activity and are tailored for a specific set of devices, such as smartphones and tablets. Protecting data on mobile devices is a high-risk activity due to numerous hazards and flaws.


Mobile Threats

Threats and assaults that were previously successful on desktop computers are now being tested on mobile devices. As the level of defense rises, so does the quantity of simple targets. Hackers and attackers are focusing on the weakest link in the chain, resulting in a slew of successful frauds.

  • Physical threats
  • Application-based threats
  • Network-based threats
  • Web-based threats

Privacy and Security Concerns with Mobile

As wireless technology progresses and mobile device usage improves, the mobile market continues to rise. Individuals, society, and organizations have had significant difficulty generating and maintaining secure identities for mobile devices, especially in mobile added value services such as mobile banking, mobile ticketing, and a variety of other types of services.


Understanding the depth of mobile security

It’s hard to stay secure these days, and our significant reliance on mobile technology makes it even harder. Personal social media profiles, emails, vital texts, and even bank account information may all be found on our mobile phones. Despite the fact that these data are frequently sensitive and may include valuable information, we continue to preserve them on file. In addition, cellphones are used to conduct the majority of business-to-business transactions. Most individuals use social media on their cellphones as well. As a result, a business without a mobile or smartphone app is ineffective. It’s no secret that mobile technology is rapidly evolving. Millions and billions of people use the internet, with many of them relying heavily on their cellphones.

What is MobSF?

MobSF (Mobile Security Framework) is an automated, all-in-one security assessment framework. It can analyze Android, iOS, and Windows binaries and source code automatically, albeit only Java and Objective-C source code is currently supported. MobSF may also be used to capture web traffic from an application, which can subsequently be routed to fuzzing tools like Burp Suite and OWASP ZAP.

MobSF is a completely free, open-source security application. The project began in December 2014, and MobSF now has developers from a number of different locations working together. MobSF is a very useful tool for developers because it helps them find security flaws in their apps while they’re still being developed. It also aids security engineers in performing mobile app security audits by allowing them to conduct security analysis on both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps experts, or anyone else, can use to integrate it straight into their CI/CD pipelines, and malware researchers may use it to quickly detect harmful behavior and malware signatures in an application. It’s also feasible to perform sandboxed dynamic runtime analysis and determine the malware’s behavior in real time with the help of MobSF.

MobSF is self-hosted and runs as a web application. It is cross-platform, meaning it runs on Linux, Mac OS X, and Windows. MobSF’s static analysis component can be run in a Docker container or on a virtual machine, but MobSF must be installed on the host operating system in order to perform dynamic analysis: dynamic analysis is not supported if it is installed inside a dockerized or virtualized environment.

Setting up MobSF

MobSF is an open-source project that is actively being developed. So, the documentation is subject to change. Therefore, be sure to always use the most up-to-date documentation from MobSF’s official documentation page.


There are several methods of installing and running MobSF:

First method of installing MobSF:

The first method of installing MobSF is to manually install all of the prerequisite requirements and then run the setup script for your Host Operating System.

Prerequisite requirements

For Mac users


  • Install Git
  • Install Python 3.8-3.9
  • After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
  • Install JDK 8+
  • Install the command line tools: xcode-select --install
  • Download and install wkhtmltopdf
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

For Ubuntu/Debian based Linux users:


  • Install Git: sudo apt-get install git
  • Install Python 3.8-3.9: sudo apt-get install python3.8
  • Install JDK 8+: sudo apt-get install openjdk-8-jdk
  • Install the following dependencies:
sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

For Windows users


NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once all of the prerequisites have been installed, you can proceed to the installation stage.

Second method of installing MobSF:

If you only need to do static analysis and don’t want to perform dynamic analysis, you can always use the prebuilt MobSF Docker images. To pull and deploy a prebuilt MobSF Docker image, copy and paste the following commands into the command line:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Third method of running MobSF:

You can use the cloud version of MobSF instead of installing it on your computer if you don’t want to install MobSF on your PC. To do so, go to Mobsf.live.


Static Analysis using MobSF


What is a static analysis?

Static analysis, often known as static code analysis, is the process of examining a computer program without running it to find flaws. Static analysis is most typically performed on a program’s source code using tools that convert the code to an abstract syntax tree (AST) in order to completely evaluate the code’s structure and, as a result, find flaws. An Abstract Syntax Tree (AST) is a tree representation of the source code of a computer program that shows the structure of the source code.

Let’s get started and run MobSF static analysis.

  • First, make sure your host PC has all of the necessary requirements loaded and then proceed to clone the repository.

Note: In this tutorial, we’ll use Windows as the host operating system and the QKSMS Android apk binary for static and dynamic analysis.

  • Install all the dependencies.

For Linux / mac:


./setup.sh

For Windows:


./setup.bat

  • Now it is time to execute the run command.

For Linux & mac:

./run.sh

For Windows:

./run.bat


MobSF can now be accessed directly from the browser. To begin the static analysis process, simply drag and drop or choose the apk file you wish to investigate.


Features of MobSF static analysis


Information Section:


This section displays the app’s various scores, such as the average CVSS, security score, and number of recognized trackers. The File information section, which is located next to the App score, displays the file’s name, size, and basic hashes. The App Information section, which shows next to the File Information section, contains a number of details about the app, including the package name, main activity, and current version.

App scores

This section displays the app’s various scores, such as the average CVSS, security score, and number of trackers recognized.


MobSF scorecard

This section provides a detailed visual representation of the ratings for the various findings.

The average CVSS score is the mean of the CVSS scores of all findings, whereas the security score is determined by the severity of the findings.

Each app starts with a perfect score of 100. For each finding with high severity, MobSF subtracts 15 points from the score; it deducts 10 points for each finding with warning severity and adds 5 points for each finding with good severity. If the calculated score is higher than 100, the app security score is considered 100, and if the calculated value is less than 0, the app security score is evaluated as 10.
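The scoring rule above, and the REST API mentioned earlier for CI/CD integration, as an added example. This is not MobSF’s own code: the first part reproduces the score arithmetic as the article states it so it can be checked offline, and the second part drives a running MobSF instance through its REST API (POST /api/v1/upload, /api/v1/scan and /api/v1/scorecard with the API key in the Authorization header) and fails the build when the score is below a threshold. The MOBSF_URL and MOBSF_API_KEY environment variables, the "hash" key in the upload response and the "security_score" key in the scorecard JSON are assumptions made here, not details from the article.

```python
"""MobSF security-score rule and a REST-API build gate (added example).

Part 1 reproduces the app security score rule described in the article
so it can be checked offline. Part 2 talks to a running MobSF instance
over its REST API and exits non-zero when the score is below a threshold.
Assumed (not from the article): MOBSF_URL / MOBSF_API_KEY environment
variables, the "hash" key in the upload response, and the
"security_score" key in the scorecard JSON.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

# Score deltas per finding severity, as stated in the article.
SEVERITY_DELTA = {"high": -15, "warning": -10, "good": +5}


def security_score(severities):
    """Start at 100, apply one delta per finding, then clamp exactly as the
    article describes: above 100 becomes 100, below 0 becomes 10."""
    score = 100
    for sev in severities:
        # Findings of any other severity (e.g. "info") leave the score unchanged.
        score += SEVERITY_DELTA.get(sev.lower(), 0)
    if score > 100:
        return 100
    if score < 0:
        return 10
    return score


def average_cvss(cvss_values):
    """Mean CVSS over the findings that carry a CVSS value, one decimal."""
    vals = [v for v in cvss_values if v is not None]
    return round(sum(vals) / len(vals), 1) if vals else 0.0


def passes_gate(score, threshold=50):
    """Build-gate decision: True when the app security score meets the threshold."""
    return score >= threshold


def _multipart(field, filename, content):
    """Minimal multipart/form-data encoder for the apk upload (stdlib only)."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def _post(base_url, api_key, path, body, content_type):
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body, method="POST")
    req.add_header("Authorization", api_key)  # MobSF expects the raw API key here
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.load(resp)


def scan_apk(apk_path, base_url, api_key):
    """Upload the apk, run the static scan, and return the scorecard JSON."""
    with open(apk_path, "rb") as fh:
        body, ctype = _multipart("file", os.path.basename(apk_path), fh.read())
    upload = _post(base_url, api_key, "/api/v1/upload", body, ctype)
    form = urllib.parse.urlencode({"hash": upload["hash"]}).encode()  # assumed key
    urlenc = "application/x-www-form-urlencoded"
    _post(base_url, api_key, "/api/v1/scan", form, urlenc)
    return _post(base_url, api_key, "/api/v1/scorecard", form, urlenc)


if __name__ == "__main__":
    # Usage: python mobsf_gate.py app.apk [threshold]
    apk = sys.argv[1]
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 50
    card = scan_apk(apk, os.environ["MOBSF_URL"], os.environ["MOBSF_API_KEY"])
    score = int(card["security_score"])  # assumed field name
    print(f"security score {score}, threshold {threshold}")
    sys.exit(0 if passes_gate(score, threshold) else 1)
```

With the rule as stated, a findings list of one high, one warning and one good yields 100 - 15 - 10 + 5 = 80, and seven high findings drive the raw value to -5, which the clamp reports as 10. Older MobSF releases also required the `scan_type` and `file_name` fields from the upload response on the `/api/v1/scan` call; check the REST API page of the MobSF version you run.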

File information

The file’s name, size, and basic hashes are displayed in the File information section, which is positioned next to the App score.


App Information

The App Information section, which resides next to the File Information section, contains information about the app’s package name, main activity, and current version of the application.

Playstore description

This section will simply list the description of the app as it appears on the Google Play Store.

Component section

This section lists the basic components used in Android apps: Activities, each of which is simply a single screen in your app with a user-interactive interface; Services, which are parts of the app that run in the background; Receivers, which allow users to register for system or application events; and Providers, which simply provide their own UI for working with the data.

Scan Option

This feature includes options such as Rescan and Dynamic Analysis. It also has a decompiled code section that displays the decompiled Android manifest file, Java source code, and Smali source code, and lets you download the Java source, the Smali code, and even the apk file itself.

Signer Certificate


The Signer Certificate section contains fundamental information about a code signing certificate, such as the signature version, hash techniques used, fingerprints, and issuer identifications. If anything, good or bad, is detected, it will be mentioned in the certificate status box with a brief description.


Application permission

All of the permissions used by the application (QKSMS apk) are listed in the Permissions section, along with their status, information, and descriptions.


Android API

The Android API section contains information about all of the APIs that are used in this application.


Browsable activities

This section simply lists all of the browsable activities, that is, the activities that can be opened through a specific scheme.

Security Analysis:


Manifest, code, binary, NIAP, and file analysis are all included in the security analysis section.


Network Security


Manifest Analysis

MobSF performs static analysis on the Android manifest file in order to identify vulnerabilities. This section then lists all of the issues found, each with its severity and a detailed description.
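One of the checks this kind of manifest analysis performs, as an added example rather than MobSF’s own code: which activities, services, receivers and providers are reachable from other apps, either because android:exported is set explicitly or because a component without that attribute declares an intent-filter. The manifest embedded below is constructed for this example and is not QKSMS’s; the severity labels mirror the article’s high/warning/info scale. The same list is what the Exported Activity Tester described later under dynamic analysis is used to confirm at runtime.

```python
"""Exported-component check over an AndroidManifest.xml (added example).

Not MobSF's own code. The manifest is a constructed sample, not QKSMS's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample: a debuggable app with a mix of explicitly and
# implicitly exported components.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sms">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ComposeActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.sms.SYNC"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".MessageProvider"
        android:authorities="com.example.sms.messages"
        android:exported="true"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """android:exported wins when present; otherwise a component is exported
    exactly when it declares at least one intent-filter (the pre-Android 12 default)."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def _is_launcher(component):
    for flt in component.findall("intent-filter"):
        if any(_attr(c, "name") == LAUNCHER for c in flt.findall("category")):
            return True
    return False


def analyze_manifest(xml_text):
    """Return (severity, subject, description) tuples, highest risk first."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if _attr(app, "debuggable") == "true":
        findings.append(("high", "application", "android:debuggable=true: a debugger can attach"))
    if _attr(app, "allowBackup") == "true":
        findings.append(("warning", "application", "android:allowBackup=true: app data can be backed up over adb"))
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp):
                continue
            name = _attr(comp, "name")
            how = "explicit" if _attr(comp, "exported") is not None else "implicit via intent-filter"
            perm = _attr(comp, "permission")
            if tag == "activity" and _is_launcher(comp):
                findings.append(("info", name, f"launcher activity is exported ({how}), as expected"))
            elif perm:
                findings.append(("info", name, f"{tag} exported ({how}) but protected by permission {perm}"))
            else:
                findings.append(("warning", name, f"{tag} exported ({how}) without a permission: other apps can reach it"))
    order = {"high": 0, "warning": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])  # stable sort keeps manifest order within a level


def exported_components(xml_text):
    """Names of every exported component, in manifest order."""
    app = ET.fromstring(xml_text).find("application")
    return [_attr(c, "name") for tag in COMPONENT_TAGS for c in app.findall(tag) if is_exported(c)]


def summarize(findings):
    counts = {"high": 0, "warning": 0, "info": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, subject, desc in analyze_manifest(SAMPLE_MANIFEST):
        print(f"[{sev:7}] {subject}: {desc}")
```

On the sample manifest the check reports one high finding (debuggable), four warnings (allowBackup plus three exported components with no permission) and two informational entries (the launcher activity and the permission-protected service). A receiver for a system broadcast such as SMS_RECEIVED is in practice only deliverable by the system, so a production check would whitelist such actions; the simple version here deliberately flags it so the reviewer decides.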

Code analysis

MobSF runs static analysis on all of the decompiled Java source code and generates a report listing every issue detected, together with its severity, the standard it maps to, and its file location, which is displayed in this section.

Binary Analysis

MobSF lists all of the faults found in the app’s shared objects and displays them in this section.

NIAP Analysis

The Department of Defense and other government agencies must ensure that their mobile apps meet the National Information Assurance Partnership (NIAP) security guidelines. NIAP certifies commercial hardware and software used in national security systems. This section showcases all of the NIAP results, including their identifier, requirement, characteristics, and brief explanations.

File analysis

MobSF lists all of the sensitive files, such as certificates, that are hard coded within the application in this particular section.


Malware analysis


APKiD analysis

This section gives a solid picture of the application’s behavior from a code perspective.

Server location

This is MobSF’s finest feature because it includes a gorgeous World Map UI that displays the evaluated app’s entire server location in pin-point detail.


Quark analysis


Domain malware check

MobSF extracts domains from the binary and compares them against the non-malicious domains in its database. Based on this information, it determines whether a domain is good or dangerous.

Reconnaissance


URLs

All of the URLs found in the various source code files of the application are listed and displayed in this area by MobSF.

Firebase DB

MobSF is capable of extracting all of the Firebase database URLs from the app, as well as doing a secondary check to determine if the database is publicly accessible.


Emails

MobSF can extract all of the emails present in the source code and display them in this section.


Trackers

MobSF can extract all of the available trackers that are currently being used within the application and display them in this section.

Trackers are simply development toolkits or add-ons that collect data and information on the application’s behalf.

Strings

MobSF lists out all the hard coded strings in the binary, especially the ones from the strings resource.
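The URL, e-mail and string reconnaissance described in this group of sections, plus the hardcoded-secret heuristic that follows, as one added example. This is not MobSF’s extraction code: it runs regular expressions over decompiled-source text and flags long string literals that look random (high Shannon entropy) as secret candidates. The Java and strings.xml snippets are constructed for the example; the access-key-looking value is the placeholder key from AWS’s own documentation, not a real credential.

```python
"""Reconnaissance over decompiled sources (added example, not MobSF's code):
URLs, e-mail addresses, and candidate hardcoded secrets found as long,
high-entropy string literals. All source snippets below are constructed."""
import math
import re

# Constructed stand-ins for files MobSF would decompile or unpack from an apk.
SAMPLE_SOURCES = {
    "com/example/sms/Config.java": '''
        public static final String API = "https://api.example.com/v1/messages";
        static final String SUPPORT = "support@example.com";
        private static final String KEY = "AKIAIOSFODNN7EXAMPLE";
        static final String NOTE = "hello world";
    ''',
    "res/values/strings.xml": '''
        <string name="firebase_url">https://example-app.firebaseio.com/</string>
        <string name="token">9f8e7d6c5b4a39281706f5e4d3c2b1a0</string>
    ''',
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Quoted Java literals, or XML text nodes, of 16 or more characters.
LITERAL_RE = re.compile(r'"([^"\\\n]{16,})"|>([^<\s]{16,})<')


def shannon_entropy(s):
    """Bits per character: random keys and hex tokens score high, words score low."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_urls(text):
    return sorted(set(URL_RE.findall(text)))


def find_emails(text):
    return sorted(set(EMAIL_RE.findall(text)))


def find_secret_candidates(text, min_entropy=3.5):
    """Long literals that are neither URLs nor e-mails and look random.
    Returns (literal, entropy) pairs in order of appearance."""
    out = []
    for m in LITERAL_RE.finditer(text):
        lit = m.group(1) or m.group(2)
        if URL_RE.fullmatch(lit) or EMAIL_RE.fullmatch(lit) or " " in lit:
            continue
        ent = shannon_entropy(lit)
        if ent >= min_entropy:
            out.append((lit, round(ent, 2)))
    return out


def recon(sources):
    """Aggregate per-file results into a MobSF-style reconnaissance summary."""
    urls, emails, secrets = set(), set(), []
    for path, text in sources.items():
        urls.update(find_urls(text))
        emails.update(find_emails(text))
        for value, ent in find_secret_candidates(text):
            secrets.append({"file": path, "value": value, "entropy": ent})
    return {"urls": sorted(urls), "emails": sorted(emails), "secrets": secrets}


if __name__ == "__main__":
    result = recon(SAMPLE_SOURCES)
    for section in ("urls", "emails"):
        print(section, result[section])
    for s in result["secrets"]:
        print(f"possible secret in {s['file']}: {s['value']} (entropy {s['entropy']})")
```

The entropy threshold of 3.5 bits per character separates the two random-looking tokens in the sample (about 3.7 and exactly 4.0) from ordinary text such as "hello world", which is also excluded outright because it contains a space. Like MobSF’s own list, this is a candidate list: every hit still needs a human to decide whether it is a credential, a public identifier, or noise.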

Possible hardcoded secrets

Components

Components refer to the different sections of the application. This section includes a list of all the activities, services, receivers, providers, and libraries that this application employs. It also contains all files found in the application’s binaries.


Activities

Activities are simply a single screen in your app with an interface that the user can interact with.


Services

Services are the parts of an application that run in the background.

Receivers

Receivers allow users to register for system events or any kind of application event.

Providers

Providers provide their own UI for working with the data.

PDF report

The PDF report section allows you to create a professional-looking PDF report that contains high-level information about the various findings of that particular analyzed application.


Visit this link to see the full report on this specific application.

What is dynamic analysis?

Dynamic analysis is the process of testing and analyzing a program while it is executing. Dynamic analysis, also known as dynamic code scanning, aids in the detection and correction of errors, memory issues, and other issues with program execution. Before moving on to dynamic analysis, static analysis is required.

Dynamic analysis mechanism

MobSF first installs the apk on the Genymotion VM before instrumenting it. Xposed and Frida are used for instrumentation: Frida is used for Android 5.0 and up, and Xposed for Android 5.0 and below. Some agents are deployed in the Genymotion VM as well. Once the app has been instrumented, the agents start capturing and gathering data relevant to it. The collected data is emailed back to MobSF after the report is completed, and the app’s full data is dumped into the device for additional study.

Always make sure you’ve configured the dynamic analyzer for MobSF before starting the analysis. You must start a Genymotion VM before launching MobSF to perform Android dynamic analysis without any issues.

This error will be thrown if MobSF fails to detect the virtual machine.

Starting Dynamic analysis

Open scan options and click on Start Dynamic Analysis.


If everything went well, you should be able to see the dashboard.


MobSF Dynamic analysis features and functionality:

Show/Stop Screen:

This feature displays the screen of the emulated device in the web interface. Some fundamental functions, such as touches and clicks, can be performed straight from the web interface.

Remove Root Certificate (CA):

This feature is responsible for intercepting the traffic of the device.

TLS/SSL test:

The TLS/SSL Security test allows you to evaluate your application’s network security. These tests are only applicable to applications that use the HTTP protocol to connect to the internet.

TLS Misconfiguration Test - Enable HTTPS MITM Proxy, Remove Root CA, Run the App for 25 seconds.

This test will uncover insecure configurations that allow HTTPS connections bypassing certificate errors or SSL/TLS errors in WebViews. This is equivalent to not having TLS.

TLS Pinning/Certificate Transparency Test - Enable HTTPS MITM Proxy, Install Root CA, Run the App for 25 seconds.

This test evaluates the application’s TLS/SSL hardening controls and checks whether the application implements certificate or public key pinning and/or certificate transparency.

TLS Pinning/Certificate Transparency Bypass Test - Enable HTTPS MITM Proxy, Install Root CA, Bypass Certificate/Public Key Pinning or Certificate Transparency.

This test tries to bypass certificate or public key pinning and/or certificate transparency controls in your application. MobSF can bypass most of the generic implementations.

Exported Activity Tester:

This test allows you to dynamically test exported activities, which is useful for developing dynamic proofs of concept and verifying the static analysis results.

Activity Tester:

This test can be used to forcefully test all non-exported activities.

Get Dependencies:

This feature aids in the collection of all information pertaining to the application’s ‘runtime’ dependencies.


Take Screenshots:

This feature enables you to capture a screenshot of the device that is currently running in the virtual machine.

Logcat Stream:

The Logcat stream displays all of the device’s logs in real time.

A new window will be opened, and all real-time logs will begin to stream.


MobSF is currently unable to perform autonomous dynamic analysis. This is because MobSF doesn’t understand your app’s business logic, how to fill in the login and password fields, or what data it should provide. To get the most out of MobSF dynamic analysis, you must manually walk through the application’s various business logic and obstacles, while MobSF performs security analysis on these issues in the background.

Initializing the Dynamic Analysis Process:

The initial stage in the dynamic analysis process is to select start instrumentation, which will load the application and enable MobSF to instrument it.


Instrumentation with Frida

Use the console to see the output created by these Frida scripts, or look in the Frida live logs folder. Whether you’re running a custom Frida script or writing one, Frida live logs will show you all of the output from the various Frida scripts.


Once the instrumentation process is complete, the Live API monitor button will be enabled. The live API monitor simply logs all API calls that occur during the course of the application.


Frida Code editor

The MobSF dynamic analyzer also gives you access to the Frida code editor, where you can load custom or pre-built Frida scripts.


Generate Report:

When the Generate Report option is selected, MobSF is advised to stop all analysis and generate a report. The final report should look something like this after the dynamic analysis is completed.


Click here to see the full dynamic analysis report of the QKSMS apk application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, as well as run static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by allowing them to conduct security analysis on both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps professionals can use to integrate it directly into CI/CD pipelines, and that malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications. This article may have been entertaining as well as instructive in terms of how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel’s community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that assists open source project communities in monetizing and long-term sustainability. To know more visit Aviyel.com and find great blogs and events, just like this one! Sign up now for early access, and don’t forget to follow us on our socials!