Initial commit - 611 cybersecurity skills across all subdomains

This commit is contained in:
mukul975
2026-02-25 10:47:44 +01:00
commit 22a7ab1462
1765 changed files with 280648 additions and 0 deletions
@@ -0,0 +1,159 @@
---
name: performing-android-app-static-analysis-with-mobsf
description: >
Performs automated static analysis of Android applications using Mobile Security Framework (MobSF)
to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography,
and code-level security flaws without executing the application. Use when assessing Android APK/AAB
files for security vulnerabilities before deployment, during penetration testing, or as part of
CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning,
APK security assessment, or mobile application code review.
domain: cybersecurity
subdomain: mobile-security
author: mahipal
tags: [mobile-security, android, mobsf, static-analysis, owasp-mobile, penetration-testing]
version: 1.0.0
license: MIT
---
# Performing Android App Static Analysis with MobSF
## When to Use
Use this skill when:
- Conducting security assessment of Android APK or AAB files before production release
- Integrating automated mobile security scanning into CI/CD pipelines
- Performing initial triage of Android applications during penetration testing engagements
- Reviewing third-party Android applications for supply chain security risks
**Do not use** this skill as a replacement for manual code review or dynamic analysis -- MobSF static analysis catches pattern-based vulnerabilities but misses runtime logic flaws.
## Prerequisites
- MobSF v4.x installed via Docker (`docker pull opensecurity/mobile-security-framework-mobsf`) or local setup
- Target Android APK, AAB, or source code ZIP
- Python 3.10+ for MobSF REST API integration
- JADX decompiler (bundled with MobSF) for Java/Kotlin source recovery
- Network access to MobSF web interface (default: http://localhost:8000)
## Workflow
### Step 1: Deploy MobSF and Obtain API Key
Launch MobSF using Docker for isolated, reproducible scanning:
```bash
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
Retrieve the REST API key from the MobSF web interface at `http://localhost:8000/api_docs` or from the startup console output. The API key enables programmatic scanning.
### Step 2: Upload APK for Static Analysis
Upload the target APK using the MobSF REST API:
```bash
curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
```
Response includes the `hash` identifier used for subsequent API calls. MobSF automatically decompiles the APK using JADX, extracts the AndroidManifest.xml, and indexes all resources.
### Step 3: Trigger and Retrieve Static Scan Results
Initiate the static scan and retrieve results:
```bash
# Trigger scan
curl -X POST http://localhost:8000/api/v1/scan \
-H "Authorization: <API_KEY>" \
-d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"
# Retrieve JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>"
```
### Step 4: Analyze Critical Findings
MobSF static analysis covers these categories mapped to OWASP Mobile Top 10 2024:
**Manifest Analysis (M8 - Security Misconfiguration)**:
- Exported activities, services, receivers, and content providers without permission guards
- `android:debuggable="true"` left enabled
- `android:allowBackup="true"` enabling data extraction via ADB
- Missing `android:networkSecurityConfig` for certificate pinning
**Code Analysis (M1 - Improper Credential Usage)**:
- Hardcoded API keys, passwords, and tokens in Java/Kotlin source
- Insecure SharedPreferences usage for storing sensitive data
- Weak or broken cryptographic implementations (ECB mode, static IV, hardcoded keys)
**Network Security (M5 - Insecure Communication)**:
- Missing certificate pinning configuration
- Custom TrustManagers that accept all certificates
- Cleartext HTTP traffic allowed without exception domains
**Binary Analysis (M7 - Insufficient Binary Protections)**:
- Missing ProGuard/R8 obfuscation
- Native library vulnerabilities (stack canaries, NX bit, PIE)
- Debugger detection absence
### Step 5: Generate and Export Reports
Export findings in multiple formats for stakeholder communication:
```bash
# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.pdf
# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.json
```
### Step 6: Integrate into CI/CD Pipeline
Add MobSF scanning as a build gate:
```yaml
# GitHub Actions example
- name: MobSF Static Analysis
run: |
UPLOAD=$(curl -s -F "file=@app/build/outputs/apk/release/app-release.apk" \
http://mobsf:8000/api/v1/upload -H "Authorization: $MOBSF_API_KEY")
HASH=$(echo $UPLOAD | jq -r '.hash')
curl -s -X POST http://mobsf:8000/api/v1/scan \
-H "Authorization: $MOBSF_API_KEY" \
-d "scan_type=apk&file_name=app-release.apk&hash=$HASH"
SCORE=$(curl -s -X POST http://mobsf:8000/api/v1/scorecard \
-H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq '.security_score')
if [ "$SCORE" -lt 60 ]; then exit 1; fi
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **Static Analysis** | Examination of application code and resources without executing the program; catches structural and pattern-based vulnerabilities |
| **APK Decompilation** | Process of recovering Java/Kotlin source from compiled Dalvik bytecode using tools like JADX or apktool |
| **AndroidManifest.xml** | Configuration file declaring app components, permissions, and security attributes; primary target for manifest analysis |
| **Certificate Pinning** | Technique binding an app to specific server certificates to prevent man-in-the-middle attacks via rogue CAs |
| **ProGuard/R8** | Code obfuscation and shrinking tools that make reverse engineering more difficult by renaming classes and removing unused code |
## Tools & Systems
- **MobSF**: Automated mobile security analysis framework supporting static and dynamic analysis of Android/iOS apps
- **JADX**: Dex-to-Java decompiler for recovering readable source code from Android APK files
- **apktool**: Tool for reverse engineering Android APK files, decoding resources to near-original form
- **Android Lint**: Google's static analysis tool for Android-specific code quality and security issues
- **Semgrep**: Pattern-based static analysis engine with mobile-specific rule packs for custom vulnerability detection
## Common Pitfalls
- **Ignoring false positives**: MobSF flags patterns like `password` in variable names even when not storing actual credentials. Triage all HIGH findings manually before reporting.
- **Missing obfuscated code**: Static analysis accuracy drops significantly against obfuscated apps. Supplement with dynamic analysis for apps using DexGuard or custom packers.
- **Outdated MobSF rules**: Security rules evolve with Android API levels. Ensure MobSF is updated to match the target app's `targetSdkVersion`.
- **Skipping native code analysis**: MobSF analyzes Java/Kotlin but has limited coverage of native C/C++ libraries. Use `checksec` and manual review for `.so` files.
@@ -0,0 +1,126 @@
# MobSF Static Analysis Report Template
## Engagement Information
| Field | Value |
|-------|-------|
| Application Name | [APP_NAME] |
| Package Name | [PACKAGE_NAME] |
| Version | [VERSION] |
| Target SDK | [TARGET_SDK] |
| Min SDK | [MIN_SDK] |
| File Hash (SHA256) | [HASH] |
| Analysis Date | [DATE] |
| Analyst | [ANALYST] |
| MobSF Version | [MOBSF_VERSION] |
## Executive Summary
**Security Score**: [SCORE]/100
**Overall Risk Rating**: [HIGH/MEDIUM/LOW]
[Brief narrative of key findings and overall security posture]
## Findings Summary
| Severity | Count | Categories |
|----------|-------|------------|
| Critical | [N] | [Categories] |
| High | [N] | [Categories] |
| Medium | [N] | [Categories] |
| Low | [N] | [Categories] |
| Info | [N] | [Categories] |
## Manifest Analysis
### Exported Components
| Component Type | Name | Permission Guard | Risk |
|---------------|------|-------------------|------|
| Activity | [NAME] | [PERMISSION/None] | [RISK] |
| Service | [NAME] | [PERMISSION/None] | [RISK] |
| Receiver | [NAME] | [PERMISSION/None] | [RISK] |
| Provider | [NAME] | [PERMISSION/None] | [RISK] |
### Permissions Requested
| Permission | Protection Level | Justification | Risk |
|-----------|-----------------|---------------|------|
| [PERMISSION] | [dangerous/normal/signature] | [JUSTIFICATION] | [RISK] |
### Manifest Flags
| Flag | Value | Expected | Status |
|------|-------|----------|--------|
| android:debuggable | [VALUE] | false | [PASS/FAIL] |
| android:allowBackup | [VALUE] | false | [PASS/FAIL] |
| android:usesCleartextTraffic | [VALUE] | false | [PASS/FAIL] |
## Code Analysis Findings
### Finding [N]: [TITLE]
- **Severity**: [CRITICAL/HIGH/MEDIUM/LOW]
- **CWE**: [CWE-ID]
- **OWASP Mobile**: [M1-M10]
- **MASVS**: [MASVS-CATEGORY]
- **Description**: [DESCRIPTION]
- **Affected Files**:
- [FILE_PATH:LINE_NUMBER]
- **Evidence**: [CODE_SNIPPET]
- **Recommendation**: [REMEDIATION_STEPS]
## Network Security Analysis
| Check | Result | Details |
|-------|--------|---------|
| Certificate Pinning | [Present/Absent] | [DETAILS] |
| Network Security Config | [Present/Absent] | [DETAILS] |
| Cleartext Traffic | [Allowed/Blocked] | [DETAILS] |
| TLS Version | [VERSION] | [DETAILS] |
## Binary Analysis
| Check | Result | Details |
|-------|--------|---------|
| Code Obfuscation | [Yes/No] | [DETAILS] |
| Root Detection | [Present/Absent] | [DETAILS] |
| Debug Detection | [Present/Absent] | [DETAILS] |
| Emulator Detection | [Present/Absent] | [DETAILS] |
| Native Libraries (NX) | [Enabled/Disabled] | [DETAILS] |
| Native Libraries (PIE) | [Enabled/Disabled] | [DETAILS] |
| Native Libraries (Stack Canary) | [Present/Absent] | [DETAILS] |
## Recommendations
### Critical (Immediate Action Required)
1. [RECOMMENDATION]
### High (Fix Before Release)
1. [RECOMMENDATION]
### Medium (Address in Next Sprint)
1. [RECOMMENDATION]
### Low (Track in Backlog)
1. [RECOMMENDATION]
## OWASP Mobile Top 10 2024 Compliance
| ID | Risk | Status | Findings |
|----|------|--------|----------|
| M1 | Improper Credential Usage | [PASS/FAIL] | [DETAILS] |
| M2 | Inadequate Supply Chain Security | [PASS/FAIL] | [DETAILS] |
| M3 | Insecure Authentication/Authorization | [PASS/FAIL] | [DETAILS] |
| M4 | Insufficient Input/Output Validation | [PASS/FAIL] | [DETAILS] |
| M5 | Insecure Communication | [PASS/FAIL] | [DETAILS] |
| M6 | Inadequate Privacy Controls | [PASS/FAIL] | [DETAILS] |
| M7 | Insufficient Binary Protections | [PASS/FAIL] | [DETAILS] |
| M8 | Security Misconfiguration | [PASS/FAIL] | [DETAILS] |
| M9 | Insecure Data Storage | [PASS/FAIL] | [DETAILS] |
| M10 | Insufficient Cryptography | [PASS/FAIL] | [DETAILS] |
@@ -0,0 +1,44 @@
# Standards Reference: Android Static Analysis with MobSF
## OWASP Mobile Top 10 2024 Mapping
| OWASP ID | Risk | MobSF Coverage |
|----------|------|----------------|
| M1 | Improper Credential Usage | Detects hardcoded API keys, passwords, tokens in source code and resources |
| M2 | Inadequate Supply Chain Security | Identifies third-party library versions with known CVEs |
| M5 | Insecure Communication | Flags missing certificate pinning, cleartext traffic, weak TLS |
| M7 | Insufficient Binary Protections | Checks ProGuard/R8 obfuscation, native binary protections |
| M8 | Security Misconfiguration | Analyzes AndroidManifest.xml for exported components, debug flags, backup settings |
| M9 | Insecure Data Storage | Detects SharedPreferences misuse, world-readable files, SQLite without encryption |
| M10 | Insufficient Cryptography | Identifies ECB mode, static IV, hardcoded encryption keys, weak algorithms |
## OWASP MASVS v2.0 Control Mapping
| MASVS Category | Controls | MobSF Static Checks |
|----------------|----------|---------------------|
| MASVS-STORAGE | Sensitive data storage | SharedPreferences analysis, file permission checks, database encryption |
| MASVS-CRYPTO | Cryptographic implementations | Algorithm strength, key management, IV randomness |
| MASVS-AUTH | Authentication mechanisms | Credential storage, biometric implementation review |
| MASVS-NETWORK | Network security | Network security config, certificate pinning, cleartext detection |
| MASVS-PLATFORM | Platform interaction | Intent filter analysis, content provider security, WebView configuration |
| MASVS-CODE | Code quality | Code obfuscation, debug symbols, error handling |
| MASVS-RESILIENCE | Reverse engineering resistance | Root detection, tamper detection, debugger detection |
## NIST SP 800-163 Rev 1: Vetting the Security of Mobile Applications
- Section 4.1: Static analysis as mandatory step in mobile app vetting process
- Section 4.2: Automated tools should check for known vulnerability patterns
- Section 5: Integration of vetting into enterprise mobile device management
## CWE Mappings for Common MobSF Findings
| CWE ID | Title | MobSF Finding Category |
|--------|-------|----------------------|
| CWE-312 | Cleartext Storage of Sensitive Information | Hardcoded credentials in source |
| CWE-319 | Cleartext Transmission of Sensitive Information | Missing HTTPS enforcement |
| CWE-327 | Use of Broken Cryptographic Algorithm | Weak crypto detection |
| CWE-330 | Use of Insufficiently Random Values | Static IV, predictable random |
| CWE-532 | Insertion of Sensitive Information into Log File | Logging sensitive data |
| CWE-749 | Exposed Dangerous Method or Function | Exported components without guards |
| CWE-919 | Weaknesses in Mobile Applications | General mobile-specific checks |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver | Unprotected broadcast receivers |
@@ -0,0 +1,70 @@
# Workflows: Android Static Analysis with MobSF
## Workflow 1: Standalone APK Assessment
```
[Obtain APK] --> [Deploy MobSF Docker] --> [Upload via API] --> [Run Static Scan]
| |
v v
[Verify APK integrity] [Review Manifest Analysis]
[Check signing certificate] [Review Code Analysis]
[Review Binary Analysis]
[Review Network Analysis]
|
v
[Triage HIGH/CRITICAL findings]
[Validate false positives]
[Generate PDF report]
```
## Workflow 2: CI/CD Pipeline Integration
```
[Developer pushes code] --> [Build APK] --> [Upload to MobSF] --> [Static Scan]
|
+-----------+-----------+
| |
[Score >= 60] [Score < 60]
| |
[Pass gate] [Fail build]
[Archive report] [Notify developer]
[Continue pipeline] [Block deployment]
```
## Workflow 3: Third-Party App Vetting
```
[Receive third-party APK] --> [MobSF Static Scan] --> [Automated scoring]
|
v
[Manual review of:]
- Excessive permissions
- Data exfiltration indicators
- Known malware signatures
- C2 communication patterns
|
v
[Risk assessment report]
[Approve/Reject for enterprise use]
```
## Workflow 4: Comparative Analysis Across Versions
```
[APK v1.0] --> [MobSF Scan] --> [Baseline report]
|
[APK v2.0] --> [MobSF Scan] --> [Compare findings] --> [New vulnerabilities introduced?]
| |
v [Yes: Block release]
[Regression report] [No: Approve release]
```
## Decision Matrix: When to Escalate
| Finding Severity | MobSF Category | Action |
|-----------------|----------------|--------|
| CRITICAL | Hardcoded production API keys | Immediate key rotation, block release |
| HIGH | Exported activity with sensitive data | Manual verification, fix before release |
| MEDIUM | Missing certificate pinning | Add to sprint backlog, risk acceptance if internal app |
| LOW | Debug logging of non-sensitive data | Track in issue tracker, fix in next release |
| INFO | Missing ProGuard rules | Recommend but do not block |
@@ -0,0 +1,234 @@
#!/usr/bin/env python3
"""
MobSF Automated Static Analysis Pipeline
Automates APK upload, scanning, and report generation via MobSF REST API.
Designed for CI/CD integration with configurable security score thresholds.
Usage:
python process.py --apk target.apk --api-key <KEY> [--threshold 60] [--output report.json]
"""
import argparse
import json
import sys
import time
import hashlib
from pathlib import Path
from urllib.parse import urljoin
try:
import requests
except ImportError:
print("ERROR: 'requests' package required. Install with: pip install requests")
sys.exit(1)
class MobSFScanner:
"""Interfaces with MobSF REST API for automated static analysis."""
def __init__(self, base_url: str, api_key: str):
self.base_url = base_url.rstrip("/")
self.api_key = api_key
self.session = requests.Session()
self.session.headers.update({"Authorization": api_key})
def upload_apk(self, apk_path: str) -> dict:
"""Upload APK file to MobSF for analysis."""
endpoint = f"{self.base_url}/api/v1/upload"
apk_file = Path(apk_path)
if not apk_file.exists():
raise FileNotFoundError(f"APK not found: {apk_path}")
if not apk_file.suffix.lower() in (".apk", ".aab", ".zip", ".ipa"):
raise ValueError(f"Unsupported file type: {apk_file.suffix}")
with open(apk_path, "rb") as f:
files = {"file": (apk_file.name, f, "application/octet-stream")}
response = self.session.post(endpoint, files=files)
response.raise_for_status()
result = response.json()
print(f"[+] Uploaded: {apk_file.name} (hash: {result.get('hash', 'N/A')})")
return result
def run_static_scan(self, file_hash: str, file_name: str, scan_type: str = "apk") -> dict:
"""Trigger static analysis scan."""
endpoint = f"{self.base_url}/api/v1/scan"
data = {
"scan_type": scan_type,
"file_name": file_name,
"hash": file_hash,
}
response = self.session.post(endpoint, data=data)
response.raise_for_status()
print(f"[+] Static scan completed for: {file_name}")
return response.json()
def get_report_json(self, file_hash: str) -> dict:
"""Retrieve JSON scan report."""
endpoint = f"{self.base_url}/api/v1/report_json"
data = {"hash": file_hash}
response = self.session.post(endpoint, data=data)
response.raise_for_status()
return response.json()
def get_scorecard(self, file_hash: str) -> dict:
"""Retrieve security scorecard."""
endpoint = f"{self.base_url}/api/v1/scorecard"
data = {"hash": file_hash}
response = self.session.post(endpoint, data=data)
response.raise_for_status()
return response.json()
def download_pdf_report(self, file_hash: str, output_path: str) -> str:
"""Download PDF report."""
endpoint = f"{self.base_url}/api/v1/download_pdf"
data = {"hash": file_hash}
response = self.session.post(endpoint, data=data)
response.raise_for_status()
with open(output_path, "wb") as f:
f.write(response.content)
print(f"[+] PDF report saved: {output_path}")
return output_path
def extract_critical_findings(report: dict) -> dict:
"""Extract and categorize critical findings from MobSF report."""
findings = {
"manifest_issues": [],
"code_issues": [],
"network_issues": [],
"binary_issues": [],
"crypto_issues": [],
}
# Manifest analysis
manifest = report.get("manifest_analysis", [])
if isinstance(manifest, list):
for item in manifest:
severity = item.get("stat", item.get("severity", "info"))
if severity.lower() in ("high", "warning"):
findings["manifest_issues"].append({
"title": item.get("title", "Unknown"),
"description": item.get("desc", item.get("description", "")),
"severity": severity,
})
# Code analysis
code_analysis = report.get("code_analysis", {})
if isinstance(code_analysis, dict):
for category, items in code_analysis.items():
if isinstance(items, dict):
metadata = items.get("metadata", {})
severity = metadata.get("severity", "info")
if severity.lower() in ("high", "warning"):
findings["code_issues"].append({
"category": category,
"description": metadata.get("description", ""),
"severity": severity,
"files": list(items.get("files", {}).keys())[:5],
})
# Network security
network = report.get("network_security", [])
if isinstance(network, list):
for item in network:
severity = item.get("severity", "info")
if severity.lower() in ("high", "warning"):
findings["network_issues"].append({
"title": item.get("scope", "Unknown"),
"description": item.get("description", ""),
"severity": severity,
})
return findings
def evaluate_security_score(scorecard: dict, threshold: int) -> bool:
"""Evaluate whether the app meets the minimum security threshold."""
score = scorecard.get("security_score", 0)
print(f"\n[*] Security Score: {score}/100 (threshold: {threshold})")
if score >= threshold:
print("[+] PASS: Application meets minimum security threshold")
return True
else:
print("[-] FAIL: Application does not meet minimum security threshold")
return False
def main():
parser = argparse.ArgumentParser(
description="MobSF Automated Static Analysis Pipeline"
)
parser.add_argument("--apk", required=True, help="Path to APK/AAB file")
parser.add_argument("--api-key", required=True, help="MobSF REST API key")
parser.add_argument(
"--url", default="http://localhost:8000", help="MobSF server URL"
)
parser.add_argument(
"--threshold", type=int, default=60, help="Minimum security score (0-100)"
)
parser.add_argument("--output", default="mobsf_report.json", help="Output report path")
parser.add_argument("--pdf", help="Optional PDF report output path")
parser.add_argument(
"--ci-mode", action="store_true", help="Exit with non-zero code on failure"
)
args = parser.parse_args()
scanner = MobSFScanner(args.url, args.api_key)
# Upload
upload_result = scanner.upload_apk(args.apk)
file_hash = upload_result["hash"]
file_name = Path(args.apk).name
scan_type = "apk" if file_name.endswith(".apk") else "aab"
# Scan
scanner.run_static_scan(file_hash, file_name, scan_type)
# Get reports
report = scanner.get_report_json(file_hash)
scorecard = scanner.get_scorecard(file_hash)
# Extract findings
critical_findings = extract_critical_findings(report)
# Build summary
summary = {
"file": file_name,
"hash": file_hash,
"security_score": scorecard.get("security_score", 0),
"threshold": args.threshold,
"pass": scorecard.get("security_score", 0) >= args.threshold,
"findings_summary": {
"manifest_issues": len(critical_findings["manifest_issues"]),
"code_issues": len(critical_findings["code_issues"]),
"network_issues": len(critical_findings["network_issues"]),
"binary_issues": len(critical_findings["binary_issues"]),
"crypto_issues": len(critical_findings["crypto_issues"]),
},
"critical_findings": critical_findings,
}
# Save JSON report
with open(args.output, "w") as f:
json.dump(summary, f, indent=2)
print(f"[+] Report saved: {args.output}")
# Optional PDF
if args.pdf:
scanner.download_pdf_report(file_hash, args.pdf)
# Evaluate
passed = evaluate_security_score(scorecard, args.threshold)
if args.ci_mode and not passed:
sys.exit(1)
if __name__ == "__main__":
main()