Performing Android App Static Analysis with MobSF

When to Use

Use this skill when:

• Conducting security assessment of Android APK or AAB files before production release
• Integrating automated mobile security scanning into CI/CD pipelines
• Performing initial triage of Android applications during penetration testing engagements
• Reviewing third-party Android applications for supply chain security risks

Do not use this skill as a replacement for manual code review or dynamic analysis -- MobSF static analysis catches pattern-based vulnerabilities but misses runtime logic flaws.

Prerequisites

• MobSF v4.x installed via Docker (docker pull opensecurity/mobile-security-framework-mobsf) or local setup
• Target Android APK, AAB, or source code ZIP
• Python 3.10+ for MobSF REST API integration
• JADX decompiler (bundled with MobSF) for Java/Kotlin source recovery
• Network access to MobSF web interface (default: http://localhost:8000)

Workflow

Step 1: Deploy MobSF and Obtain API Key

Launch MobSF using Docker for isolated, reproducible scanning:

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Retrieve the REST API key from the MobSF web interface at http://localhost:8000/api_docs or from the startup console output. The API key enables programmatic scanning.

Step 2: Upload APK for Static Analysis

Upload the target APK using the MobSF REST API:

curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"

Response includes the hash identifier used for subsequent API calls. MobSF automatically decompiles the APK using JADX, extracts the AndroidManifest.xml, and indexes all resources.

Step 3: Trigger and Retrieve Static Scan Results

Initiate the static scan and retrieve results:

# Trigger scan
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Authorization: <API_KEY>" \
  -d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"

# Retrieve JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
  -H "Authorization: <API_KEY>" \
  -d "hash=<FILE_HASH>"

Step 4: Analyze Critical Findings

MobSF static analysis covers these categories mapped to OWASP Mobile Top 10 2024:

Manifest Analysis (M8 - Security Misconfiguration):

• Exported activities, services, receivers, and content providers without permission guards
• android:debuggable="true" left enabled
• android:allowBackup="true" enabling data extraction via ADB
• Missing android:networkSecurityConfig for certificate pinning

Code Analysis (M1 - Improper Credential Usage):

• Hardcoded API keys, passwords, and tokens in Java/Kotlin source
• Insecure SharedPreferences usage for storing sensitive data
• Weak or broken cryptographic implementations (ECB mode, static IV, hardcoded keys)

Network Security (M5 - Insecure Communication):

• Missing certificate pinning configuration
• Custom TrustManagers that accept all certificates
• Cleartext HTTP traffic allowed without exception domains

Binary Analysis (M7 - Insufficient Binary Protections):

• Missing ProGuard/R8 obfuscation
• Native library vulnerabilities (stack canaries, NX bit, PIE)
• Debugger detection absence

Step 5: Generate and Export Reports

Export findings in multiple formats for stakeholder communication:

# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
  -H "Authorization: <API_KEY>" \
  -d "hash=<FILE_HASH>" -o report.pdf

# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
  -H "Authorization: <API_KEY>" \
  -d "hash=<FILE_HASH>" -o report.json

Step 6: Integrate into CI/CD Pipeline

Add MobSF scanning as a build gate:

# GitHub Actions example
- name: MobSF Static Analysis
  run: |
    UPLOAD=$(curl -s -F "file=@app/build/outputs/apk/release/app-release.apk" \
      http://mobsf:8000/api/v1/upload -H "Authorization: $MOBSF_API_KEY")
    HASH=$(echo $UPLOAD | jq -r '.hash')
    curl -s -X POST http://mobsf:8000/api/v1/scan \
      -H "Authorization: $MOBSF_API_KEY" \
      -d "scan_type=apk&file_name=app-release.apk&hash=$HASH"
    SCORE=$(curl -s -X POST http://mobsf:8000/api/v1/scorecard \
      -H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq '.security_score')
    if [ "$SCORE" -lt 60 ]; then exit 1; fi

Key Concepts

Tools & Systems

• MobSF: Automated mobile security analysis framework supporting static and dynamic analysis of Android/iOS apps
• JADX: Dex-to-Java decompiler for recovering readable source code from Android APK files
• apktool: Tool for reverse engineering Android APK files, decoding resources to near-original form
• Android Lint: Google's static analysis tool for Android-specific code quality and security issues
• Semgrep: Pattern-based static analysis engine with mobile-specific rule packs for custom vulnerability detection

Common Pitfalls

• Ignoring false positives: MobSF flags patterns like password in variable names even when not storing actual credentials. Triage all HIGH findings manually before reporting.
• Missing obfuscated code: Static analysis accuracy drops significantly against obfuscated apps. Supplement with dynamic analysis for apps using DexGuard or custom packers.
• Outdated MobSF rules: Security rules evolve with Android API levels. Ensure MobSF is updated to match the target app's targetSdkVersion.
• Skipping native code analysis: MobSF analyzes Java/Kotlin but has limited coverage of native C/C++ libraries. Use checksec and manual review for .so files.