Simple File Manager apk analysis using MobSF

Analysis Report

Mobile technology has become more pervasive in every sphere of society over the previous decade. Cell phones and tablets are widely used to access the web, run apps, receive email, post to social media, carry out financial and banking activities, and so on. The use of mobile devices for both personal and corporate purposes has increased dramatically. Mobility and flexibility have been greatly facilitated by the introduction of mobile devices and the proliferation of mobile applications. As a result, concerns have been raised about maintaining security while moving through the digital environment.

Mobile device security is becoming increasingly important as a main source of concern for users’ privacy. Despite the fact that mobile device companies are concerned about a user’s security and data privacy, the use of internet-based applications poses significant challenges in terms of resolving threats and vulnerabilities while maintaining a user’s data privacy. The majority of software programs are designed to do a specific task and are optimized for a specific set of devices, such as smartphones and tablets. Due to many risks, weaknesses, and vulnerabilities, protecting data on mobile devices is a very risky endeavor.

Security Challenges Faced with Mobile Devices

The use of wireless technology and mobile devices is increasing every day, resulting in an exponentially growing mobile market. Building and maintaining secure identities for mobile devices has become a significant issue for individuals, society, and organizations, especially in mobile value-added services such as mobile banking, mobile ticketing, and a variety of other services. Cyber criminals are increasingly targeting mobile devices as a source of threats and vulnerabilities. Many vulnerable programs/applications for mobile devices are available on the internet, making them a prime target for attackers looking to disrupt security systems, create hazards, and spread malware. The gap between an attacker's capabilities and a firm's security posture keeps widening. Mobile device security solutions and regulations must be made more flexible and more tightly regulated to resist this trend.

Mobile Security Risks

Threats and assaults that were previously successful on desktop computers are now being tested on mobile devices. As the level of defense rises, so does the number of easy targets. Hackers and attackers are focusing on the weakest link in the chain, resulting in a slew of successful fraudulent activities.

Application-based Threats:

Internet users have access to a vast number of downloadable apps, many of which have multiple security flaws. Malicious programs can be found on websites, with fraud or scams posing as the greatest threat.

Network-based Threats:

Mobile devices offer the best support for cellular networks and wireless LAN, both of which are prone to different types of risks to users.

Web based Threats:

Mobile devices use web-based applications almost all of the time; because of the nature of these activities, web-based attacks pose a substantial hazard to mobile devices.

Highlighting the importance of mobile security.

Staying secure these days is extremely challenging, and our heavy reliance on mobile technology makes it even more difficult. Personal social media accounts, emails, sensitive texts, and even bank account information are all stored on our cellphones. Despite the fact that these data are often highly sensitive and may include valuable information, we continue to keep them inside our mobile devices. Furthermore, smartphones are used for the majority of business-to-business transactions. Social media usage is also largely confined to cellphones; as a result, a business without mobile or smartphone apps is ineffective.

It’s no secret that mobile technology is rapidly evolving. There are billions of individuals on the internet, many of whom use their smartphones. This enormous user base raises a slew of new security and risk concerns. It is critical to understand the mobile security framework and defend yourself from potential security threats in order to optimize revenue while avoiding high risks and dangers.

Cybercriminals and hackers are simply following the crowd and exploiting security holes and backdoors to gain an advantage over their rivals. Because there are more Windows PCs than Macs in the world, hackers choose to target them. Not only that, with so many Windows-based computers to steal from, cybercriminals and hackers are more likely to devote time to honing their skills at writing malware and attacking Windows-based devices.

When it comes to Android vs. iOS, the same is true. Android users are more vulnerable to security risks and attacks than their iOS counterparts due to Android’s large user base and open-source nature. Apple’s iOS, on the other hand, is a closed-source software platform. Developers must confirm their credentials and go through a rigorous application procedure in order to publish even a simple app on the iOS platform. As a result, iOS apps are less exposed to security issues than those on other mobile platforms. P.S.: iOS has its own set of security risks and weaknesses; it is not completely safe from security risks and flaws either.

Mobile Security Frameworks.

The importance of mobile security is growing. As a result, developers have created mobile security frameworks and even published them to the broader public as fully open-source software. Regardless of whether you’re using Android, iOS, or another mobile OS, these tools are meant to assess and test the security of the mobile app. Appmon, Runtime Mobile Security (RMS), OWASP MSTG, and MobSF are just a few of the technologies and tools on the market. MobSF is without a doubt one of the most user-friendly options available. It’s a completely free and open-source tool for evaluating the security of mobile/smartphone applications.

What’s the deal with MobSF?

MobSF (Mobile Security Framework) is an automated, all-in-one security assessment framework. It can analyze Android, iOS, and Windows binaries and source code automatically, but currently only Java and Objective-C source code is supported. MobSF may also be used to capture web traffic from an application, which can subsequently be routed to fuzzing tools like Burp Suite and OWASP ZAP.

MobSF is an open-source security program that is absolutely free. In December of 2014, the project began. Developers from a number of regions are now collaborating on MobSF. MobSF is a great tool for developers because it allows them to find security flaws in their apps while they’re still being developed. It also helps security engineers perform mobile app security audits by allowing them to perform security analysis on both the final production-ready binaries and the source code.

MobSF also has a REST API that DevSecOps engineers (or anyone else) can use to incorporate it into their CI/CD pipelines, and malware researchers may use it to quickly detect malicious activity and malware signatures in applications. It’s also feasible to perform sandboxed dynamic runtime analysis and observe the malware’s behavior in real time with the help of MobSF.
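To show how the REST API fits into a pipeline, here is an added example (not MobSF project code): a small Python client that uploads an APK, starts a static scan, fetches the JSON report and applies a pass/fail gate. The endpoint paths and the Authorization header follow the MobSF REST API documentation; the report field names read by evaluate_report (appsec.security_score and appsec.high), the MOBSF_URL/MOBSF_API_KEY environment names and the thresholds are assumptions to check against your own MobSF instance.

```python
"""CI/CD gate around the MobSF REST API (added example, not MobSF's own code).

Endpoints /api/v1/upload, /api/v1/scan and /api/v1/report_json and the
Authorization header are from the MobSF REST API docs. The report fields
read in evaluate_report (appsec.security_score, appsec.high) are an
assumption about the JSON report layout; verify them on your MobSF version.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid


def build_multipart(filename, data):
    """Encode one file as multipart/form-data under the field name 'file'.
    Returns (body_bytes, content_type_header)."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def _post(server, path, api_key, body, content_type):
    """POST to MobSF; the REST API key goes in the Authorization header."""
    req = urllib.request.Request(server.rstrip("/") + path, data=body, method="POST")
    req.add_header("Authorization", api_key)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.loads(resp.read().decode())


def upload_apk(server, api_key, apk_path):
    with open(apk_path, "rb") as fh:
        body, ctype = build_multipart(os.path.basename(apk_path), fh.read())
    return _post(server, "/api/v1/upload", api_key, body, ctype)


def start_scan(server, api_key, upload):
    """Run static analysis on a file that /api/v1/upload already accepted."""
    form = urllib.parse.urlencode({
        "scan_type": upload["scan_type"],
        "hash": upload["hash"],
        "file_name": upload["file_name"],
    }).encode()
    return _post(server, "/api/v1/scan", api_key, form,
                 "application/x-www-form-urlencoded")


def fetch_report(server, api_key, file_hash):
    form = urllib.parse.urlencode({"hash": file_hash}).encode()
    return _post(server, "/api/v1/report_json", api_key, form,
                 "application/x-www-form-urlencoded")


def evaluate_report(report, min_score=50, max_high=0):
    """Pass/fail decision for the pipeline: returns (passed, reason)."""
    appsec = report.get("appsec", {})        # assumed report section name
    score = appsec.get("security_score")
    high = appsec.get("high", [])
    if score is None:
        return False, "report carries no security score"
    if score < min_score:
        return False, f"security score {score} is below the threshold {min_score}"
    if len(high) > max_high:
        return False, f"{len(high)} high severity finding(s), at most {max_high} allowed"
    return True, f"score {score}, {len(high)} high severity finding(s)"


if __name__ == "__main__":
    # Usage: python mobsf_gate.py app.apk  (env names MOBSF_URL / MOBSF_API_KEY are assumed)
    server = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
    key = os.environ["MOBSF_API_KEY"]
    up = upload_apk(server, key, sys.argv[1])
    start_scan(server, key, up)
    passed, reason = evaluate_report(fetch_report(server, key, up["hash"]))
    print(("PASS: " if passed else "FAIL: ") + reason)
    sys.exit(0 if passed else 1)
```

The gate fails the build either on a low overall score or on any high-severity finding; tune min_score and max_high to your own risk appetite rather than treating the defaults as MobSF's recommendation.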

MobSF is self-hosted and runs as a web application. It is cross-platform, meaning it runs on Linux, Mac OS X, and Windows. MobSF’s static analysis component can be run in a Docker container or on a virtual machine. MobSF must be installed on the host operating system in order to perform dynamic analysis; dynamic analysis is not supported when MobSF is installed inside a dockerized or virtualized environment.

Setting up MobSF.

MobSF is an open-source project that is actively being developed. So, the documentation is subject to change. Therefore, be sure to always use the most up-to-date documentation from MobSF’s official documentation site.

However, before we begin using MobSF, let us first install it on our PC. There are numerous ways to install and use MobSF:

First Method of installing MobSF:

The first way to install MobSF is to manually install all of the prerequisites and then run the setup script required for your Host Operating System.

Prerequisites

For Mac users

  • Install Git
  • Install Python 3.8-3.9
  • After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
  • Install JDK 8+
  • Install command line tools xcode-select --install
  • Download & Install wkhtmltopdf
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

For Ubuntu/Debian based Linux users:

  • Install Git sudo apt-get install git
  • Install Python 3.8-3.9 sudo apt-get install python3.8
  • Install JDK 8+ sudo apt-get install openjdk-8-jdk
  • Install the following dependencies: sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
  • Windows App Static analysis requires a Windows Host or Windows VM for Mac and Linux.

For Windows users

NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once all of the prerequisites have been installed, you can proceed to the installation stage.

Second method of installing MobSF:

If you only need to do static analysis and don’t want to perform dynamic analysis, you may always utilize prebuilt MobSF docker images. To pull and deploy prebuilt MobSF docker images, copy and paste the following commands into the command line:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Third method of running MobSF:

If you don’t want to install MobSF on your PC, you can use the cloud version instead. To do so, go to Mobsf.live.

Static Analysis using MobSF

What is a static analysis?

Static analysis, also often known as static code analysis, is the practice of looking for faults in a computer program without running it. Static analysis is most typically performed on a program’s source code using tools that convert the code to an abstract syntax tree (AST) in order to fully evaluate the code’s structure and, as a result, find flaws in it. An Abstract Syntax Tree (AST) is a tree representation of a program’s source code that captures the source code’s structure.
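As an added illustration of the AST approach (not MobSF’s code, and not its Java analyser), the following Python script parses a program into a syntax tree with the standard ast module and walks the tree looking for two constructed rules: calls to eval/exec and string literals assigned to secret-looking names. The sample program, the rule list and the placeholder key are all made up for the example.

```python
"""Toy AST-based static analyser (added example, not MobSF's code).
It uses Python's own ast module to illustrate the approach described
above: parse the source into a tree, then walk it looking for risky
patterns instead of grepping raw text. MobSF applies the same idea to
decompiled Java; the rules and the sample program below are constructed."""
import ast

DANGEROUS_CALLS = {"eval", "exec"}                       # code execution from data
SECRET_MARKERS = ("password", "passwd", "secret", "api_key", "token")


def analyze(source):
    """Return a sorted list of (line, severity, message) findings."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        # rule 1: call to a dangerous builtin, e.g. eval(user_input)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in DANGEROUS_CALLS):
            findings.append((node.lineno, "high", f"call to {node.func.id}()"))
        # rule 2: string literal assigned to a secret-looking variable name
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(m in target.id.lower() for m in SECRET_MARKERS)):
                    findings.append((node.lineno, "warning",
                                     f"hardcoded secret in '{target.id}'"))
    return sorted(findings)


# Constructed sample program; the key is a placeholder, not a real credential
SAMPLE_PROGRAM = '''import json
API_KEY = "placeholder-not-a-real-key"
def run(expr):
    return eval(expr)
greeting = "hello"
'''

if __name__ == "__main__":
    for line, sev, msg in analyze(SAMPLE_PROGRAM):
        print(f"line {line}: [{sev}] {msg}")
```

Because the walk operates on nodes rather than text, the eval rule is not fooled by the word appearing in a comment or a string, and the secret rule knows which name the literal was assigned to; that is the advantage of the AST over pattern matching on raw lines.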

Let’s get started and run MobSF static analysis.

  • First, make sure your host PC has all of the necessary requirements loaded and then proceed to clone the entire repository in a specific folder on your computer.

Note: In this tutorial, we will use ‘Windows’ as the host operating system and the FreeOTP Android apk binary for static/dynamic analysis.

  • Install all the packages/dependencies.

For Linux / mac:

./setup.sh

For Windows:

./setup.bat

  • Execute the ‘Run’ command now.

For Linux & mac:

./run.sh

For Windows:

./run.bat

MobSF is now accessible from the browser. Simply drag and drop or select the apk file you want to study to begin the static analysis process.

Features of MobSF static analysis

Information Section:

This section residing at the very top displays the app’s various scores, such as the average CVSS, security score, and number of recognized trackers. The File information section, which is located next to the App score, displays the file’s name, size, and basic hashes. The App Information section, which appears next to the File Information section, provides information about the app, such as the package name, main activity, and current version.

APP scores

This section displays the app’s various scores, such as the average CVSS, security score, and number of trackers recognized.

MobSF scorecard

This section provides a detailed visual representation of the scores for several findings.

The average CVSS score is the mean of the CVSS scores of the individual findings, whereas the security score is derived from the severity of the findings.

Every app starts with a score of 100. MobSF deducts 15 points for each finding with high severity, subtracts 10 points for each finding with warning severity, and adds 5 points for each finding with good severity. If the calculated score is greater than 100, the app security score is capped at 100. If the calculated value is less than zero, the app security score is set to 10.
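The scoring rule above, reimplemented as an added example (this is not MobSF’s own code, and the sample findings are constructed) so the two clamping edge cases can be checked: a raw result above 100 is reported as 100, a raw result below zero as 10, while exactly zero stays zero.

```python
"""Reimplementation of the scoring rule described above (added example,
not MobSF's own code): start at 100, -15 per high finding, -10 per
warning, +5 per good finding; a result above 100 becomes 100 and a
result below 0 becomes 10."""
from collections import Counter

START_SCORE = 100
HIGH_PENALTY = 15
WARNING_PENALTY = 10
GOOD_BONUS = 5


def raw_score(findings):
    """Unclamped score; findings are dicts with a 'severity' key.
    Severities other than high/warning/good (e.g. info) do not affect it."""
    counts = Counter(f["severity"] for f in findings)
    return (START_SCORE
            - HIGH_PENALTY * counts["high"]
            - WARNING_PENALTY * counts["warning"]
            + GOOD_BONUS * counts["good"])


def security_score(findings):
    """Score as the rule above displays it: capped at 100, and 10 when negative."""
    score = raw_score(findings)
    if score > START_SCORE:
        return START_SCORE
    if score < 0:
        return 10
    return score


# Constructed sample findings, not taken from any real scan
SAMPLE_FINDINGS = [
    {"title": "App can be debugged", "severity": "high"},
    {"title": "Cleartext traffic allowed", "severity": "high"},
    {"title": "Activity is exported", "severity": "warning"},
    {"title": "Certificate pinning in use", "severity": "good"},
    {"title": "Backup disabled", "severity": "info"},
]

if __name__ == "__main__":
    # 100 - 2*15 - 10 + 5 -> 65
    print(raw_score(SAMPLE_FINDINGS), security_score(SAMPLE_FINDINGS))
```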

File information

The file’s name, size, and basic hashes are displayed in the File information section, which is located next to the App score.

App Information

The App Information section, which sits next to the File Information section, contains the app’s package name, main activity, and the current version of the application.

Playstore description

This section will simply list the app’s description published on the Google Play Store.

Component section

This section lists the basic components used in Android apps: Activities (a single screen in your app with a user-interactive interface), Services (parts of the app that run in the background), Receivers (which allow the app to register for system or application events), and Providers (which provide their own UI for working with the data).

Scan Option

This feature includes options such as Rescan and Start Dynamic Analysis. It also has a decompiled code section that displays decompiled versions of the Android manifest, Java source code, and smali source code, as well as the ability to download the Java source, the smali code, and even the apk file itself.

Signer Certificate

The Signer Certificate section includes basic information about a code signing certificate, such as the signature version, hash algorithms used, fingerprints, and issuer identifications. If anything is discovered, good or bad, it will be listed in the certificate status box with a brief description.

Application permission

All of the permissions used by the application (Open camera apk) are listed in the Permissions section, along with their status, information, and descriptions.

Android API

The Android API section lists all the Android APIs used inside this particular application.

Browsable activities

The Browsable activities section simply lists all the browsable activities, that is, the activities that can be opened through a particular URI scheme.

Security Analysis:

The security analysis section includes manifest, code, binary, NIAP, and file analysis.

Network Security

Manifest Analysis

MobSF runs a static analysis on Android Manifest files to find any vulnerabilities. It then lists all of the issues/concerns, as well as their severity and a full description, inside this section.

Code analysis

MobSF performs static analysis on all decompiled java source code and then provides a report that includes all issues encountered, as well as their severity, standard, and file location, which is displayed in this section.

Binary Analysis

MobSF lists all of the issues detected in the bundled shared objects and displays them in this section.

NIAP Analysis

The Department of Defense and other government agencies must ensure that their mobile apps meet the National Information Assurance Partnership (NIAP) security guidelines. NIAP certifies commercial hardware and software used in national security systems. This section shows all of the NIAP results, including their identifier, requirement, characteristics, and brief explanations.

File analysis

For this app the section is currently empty, but this is where MobSF lists all sensitive files, such as certificates, that are hard-coded within the application.

Malware analysis

APKiD analysis

This section provides a solid understanding/picture of the application’s behavior from a code perspective.

Server location

This is MobSF’s best feature because it contains a beautiful world map UI that shows, in exact detail, the locations of all the servers the assessed app communicates with.

Quark analysis

Domain malware check

MobSF extracts domains from the binary and compares them against the domains recorded in its database. Based on that information, it classifies each domain as good or malicious.

Reconnaissance

URLs

All of the URLs found in the various source code files for that application will be listed and displayed in this area by MobSF.

Firebase DB

MobSF is capable of extracting all of the Firebase database URLs from the app, as well as doing a secondary check to determine if the database is publicly accessible.

Emails

MobSF can extract all of the emails contained in the source code and display them in this section.

Trackers

MobSF is capable of extracting all the trackers currently used inside the application and displays them in this section.

Trackers are simply development toolkits or add-ons that collect data and information on behalf of the application.

Strings

MobSF lists out all the hard coded strings in the binary, especially the ones from the strings resource.
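The reconnaissance steps described in the Domain malware check, URLs, Firebase DB and Emails sections above, as one added Python example (not MobSF’s code): it runs a regex pass over a constructed, decompiled-looking Java snippet, pulls out URLs and e-mail addresses, singles out Firebase Realtime Database hosts, and checks every URL’s host against a small constructed blocklist that stands in for MobSF’s domain database. The sample source, the blocklist and the .firebaseio.com suffix check are the example’s own assumptions.

```python
"""Reconnaissance pass over decompiled source text (added example, not
MobSF's code). It extracts URLs, e-mail addresses and Firebase database
URLs, and checks every URL's host against a domain blocklist that stands
in for MobSF's own domain database. The source snippet and the blocklist
are constructed for this example."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed Java-like source, as it might appear after decompilation
SAMPLE_SOURCE = """\
public class Config {
    static final String API = "https://api.example.com/v1/";
    static final String DB = "https://demo-app-12345.firebaseio.com/";
    static final String SUPPORT = "support@example.com";
    static final String ADS = "http://tracker.bad-example.net/collect?id=1";
}
"""

# Constructed blocklist standing in for MobSF's malware domain database
MALICIOUS_DOMAINS = {"bad-example.net"}


def extract_urls(source):
    return sorted(set(URL_RE.findall(source)))


def extract_emails(source):
    return sorted(set(EMAIL_RE.findall(source)))


def firebase_urls(urls):
    """URLs pointing at a Firebase Realtime Database host."""
    return [u for u in urls
            if (urlparse(u).hostname or "").endswith(".firebaseio.com")]


def firebase_probe_url(url):
    """Address at which a database answers REST reads; request it against
    your own project to confirm the rules reject unauthenticated access."""
    return url.rstrip("/") + "/.json"


def domain_check(urls, blocklist):
    """Map each host to 'malicious' or 'good'; a listed domain covers its subdomains."""
    verdicts = {}
    for url in urls:
        host = urlparse(url).hostname
        if not host:
            continue
        listed = any(host == d or host.endswith("." + d) for d in blocklist)
        verdicts[host] = "malicious" if listed else "good"
    return verdicts


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_SOURCE)
    print("URLs:", urls)
    print("Emails:", extract_emails(SAMPLE_SOURCE))
    print("Firebase:", firebase_urls(urls))
    for host, verdict in domain_check(urls, MALICIOUS_DOMAINS).items():
        print(f"{host}: {verdict}")
```

Matching on the parsed hostname rather than on the raw URL string is what keeps the blocklist check honest: a listed domain is caught whether it appears bare or as a subdomain, and a lookalike such as notbad-example.net is not matched.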

Possible hardcoded secrets

Components

Components refer to the different sections of the application. This section includes a list of all the activities, services, receivers, providers, and libraries that this application employs. It also contains all files found in the application’s binaries.

Activities

Activities are simply a single screen in your app with an interface that the user can interact with.

Services

Services are parts of the application that run in the background.

Receivers

Receivers allow the app to register for system or application events.

Providers

Providers provide their own UI for working with the data.

PDF report

The PDF report section enables you to create a professional-looking PDF report containing high-level information about the various findings of the analyzed application.

Visit this link to see the full report on this Simple File Manager application.

What is Dynamic analysis?

The process of testing and assessing a program while it is running is known as dynamic analysis. Dynamic analysis, often known as dynamic code scanning, is a technique for detecting and correcting mistakes, memory problems, and other program execution issues. Before moving on to dynamic analysis, static analysis is required.

Dynamic analysis mechanism

MobSF first installs the apk on the Genymotion VM and then instruments it. For instrumentation, Xposed and Frida are used: Frida for Android 5.0 and up, and Xposed for Android 5.0 and below. There are also several agents in the Genymotion VM. Once the app has been instrumented, the agents begin capturing and gathering data relevant to it. When the report is finished, the collected data is forwarded to MobSF, and the app’s full data is dumped into the device for further investigation.

Before beginning the analysis, double-check that the dynamic analyzer is configured for MobSF. To execute android dynamic analysis perfectly, you must first run a genymotion VM before launching MobSF.

If MobSF fails to detect the virtual machine, an error will be thrown.

Starting Dynamic analysis

Select ‘Start Dynamic Analysis’ from the ‘scan options’ menu.

You should be able to see the dashboard if everything went well.

MobSF Dynamic analysis features :

Show/Stop Screen:

This feature allows you to display the screen of the emulated device on the web interface. Some basic functions, such as touches and clicks, can be performed directly from the web interface.

Unset/set https test

Remove Root Certificate(CA):

This feature is responsible for intercepting the traffic of the device.

TLS/ SSL test:

The TLS/SSL Security test allows you to evaluate your application’s network security. These tests are only applicable to applications that use the HTTP protocol to connect to the internet.

Exported Activity Tester:

This test lets you dynamically test exported activities, which is useful for developing dynamic proofs of concept and validating static analysis results.

Activity Tester:

You can use this test to forcefully test all non-exported activities.

Get Dependencies:

This functionality helps in the gathering of all information regarding the application’s runtime dependencies.

Take Screenshots:

This feature enables you to capture a ‘screenshot’ of a device that is currently running in a virtual machine.

Logcat Stream:

The Logcat stream shows all of the device’s logs in real time.

A new window will be opened, and all real-time logs will begin to stream.

MobSF does not yet have the capability to perform autonomous dynamic analysis. This is due to MobSF’s lack of understanding of your app’s business logic, how to fill in the login and password fields, or what data it should provide. To get the most out of MobSF dynamic analysis, you must walk through the application’s various business logic and difficulties while MobSF performs security analysis in the background.

Initializing the Dynamic Analysis Process :

The first step in the dynamic analysis process is to select start instrumentation, which loads the application and allows MobSF to instrument it.

Instrumentation with Frida

Use the console to see the output created by these Frida scripts, or look in the Frida live logs folder. Whether you’re running a custom Frida script or writing one, Frida live logs will show you all of the output from the various Frida scripts.

Once the instrumentation process is complete, the Live API monitor button will be enabled. The live API monitor simply logs all API calls that occur during the course of the application.

Frida Code editor

The MobSF dynamic analyzer also gives you access to the Frida code editor, where you can load custom or pre-built Frida scripts.

Generate Report:

Whenever the Generate Report option is selected, MobSF is instructed to stop all analysis and generate a report. The final report should look something like this after the dynamic analysis is completed.

Click here to see the full dynamic analysis report of the Simple File Manager apk application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, as well as do static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by allowing them to conduct security analysis on both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps professionals may use to integrate it directly into CI/CD pipelines, and that malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications. This article may have been entertaining as well as instructive in terms of how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel’s community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that helps open source project communities monetize and achieve long-term sustainability. To know more, visit Aviyel.com and find great blogs and events just like this one! Sign up now for early access, and don’t forget to follow us on our socials!