
Performing Android App Static Analysis with MobSF


When to Use


Use this skill when:
  • Conducting security assessment of Android APK or AAB files before production release
  • Integrating automated mobile security scanning into CI/CD pipelines
  • Performing initial triage of Android applications during penetration testing engagements
  • Reviewing third-party Android applications for supply chain security risks
Do not use this skill as a replacement for manual code review or dynamic analysis -- MobSF static analysis catches pattern-based vulnerabilities but misses runtime logic flaws.

Prerequisites


  • MobSF v4.x installed via Docker (`docker pull opensecurity/mobile-security-framework-mobsf`) or local setup
  • Target Android APK, AAB, or source code ZIP
  • Python 3.10+ for MobSF REST API integration
  • JADX decompiler (bundled with MobSF) for Java/Kotlin source recovery
  • Network access to the MobSF web interface (default: http://localhost:8000)

Workflow


Step 1: Deploy MobSF and Obtain API Key


Launch MobSF using Docker for isolated, reproducible scanning:

```bash
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```

Retrieve the REST API key from the MobSF web interface at http://localhost:8000/api_docs or from the startup console output. The web UI requires a login (default credentials `mobsf`/`mobsf`, overridable with the `MOBSF_USERNAME` and `MOBSF_PASSWORD` environment variables) and the key can be pinned with `MOBSF_API_KEY`, which is what a CI deployment should do. The API key enables programmatic scanning: every `/api/v1/` call below sends it in the `Authorization` header, and anyone holding it can upload files and read every stored report, so bind the port to localhost (`-p 127.0.0.1:8000:8000`) unless the instance must be reachable from CI runners.

Step 2: Upload APK for Static Analysis


Upload the target APK using the MobSF REST API:

```bash
curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <API_KEY>"
```

The JSON response includes the `hash` identifier (the MD5 of the uploaded file) together with `scan_type` and `file_name`; the hash is the handle for every subsequent API call. Upload only stores the file. Decompilation with JADX, extraction of AndroidManifest.xml and resource indexing happen in the scan step that follows.

Step 3: Trigger and Retrieve Static Scan Results


Initiate the static scan and retrieve results. The scan call is synchronous and returns only when analysis has finished, so allow several minutes for large APKs:

```bash
# Trigger scan
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Authorization: <API_KEY>" \
  -d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"

# Retrieve JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
  -H "Authorization: <API_KEY>" \
  -d "hash=<FILE_HASH>"
```

A hash that has already been scanned returns the cached result; add `re_scan=1` to the scan request to force a fresh analysis, for example after updating MobSF's rules.

Step 4: Analyze Critical Findings


MobSF static analysis covers these categories, mapped here to the OWASP Mobile Top 10 2024:
Manifest Analysis (M8 - Security Misconfiguration):
  • Exported activities, services, receivers, and content providers without a permission guard
  • `android:debuggable="true"` left enabled in a release build
  • `android:allowBackup="true"`, which lets `adb backup` pull app data on devices up to Android 11 (from Android 12, apps targeting API 31 are excluded unless they are also debuggable)
  • No `android:networkSecurityConfig` declared, so no pin set is defined and, for `targetSdkVersion` below 28, cleartext traffic is permitted by platform default
Code Analysis (M1 - Improper Credential Usage, M9 - Insecure Data Storage, M10 - Insufficient Cryptography):
  • Hardcoded API keys, passwords, and tokens in Java/Kotlin source (M1)
  • Sensitive data written to SharedPreferences, external storage, or logcat (M9)
  • Weak or broken cryptography: ECB mode, static IVs, hardcoded keys, MD5 or SHA-1 used for integrity (M10)
Network Security (M5 - Insecure Communication):
  • No certificate pinning in the network security config
  • Custom TrustManagers or HostnameVerifiers that accept any certificate or host
  • Cleartext HTTP permitted globally or through broad domain exceptions
Binary Analysis (M7 - Insufficient Binary Protections):
  • No ProGuard/R8 obfuscation (original class and method names survive in the DEX)
  • Native libraries built without hardening: missing stack canary, NX, PIE, or full RELRO, and unstripped symbols (these are missing mitigations, not exploitable bugs in themselves)
  • No anti-debugging checks detected
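The categories above arrive in the `report_json` response as four differently shaped sections. The script below, an added example rather than MobSF's own code, flattens them into one severity-ordered list tagged with the OWASP category so that triage can start from the HIGH items. The section and key names (`manifest_findings`, `code_analysis.findings[rule].metadata`, `network_findings`, the per-library hardening flags in `binary_analysis`) follow MobSF 4.x output but are an assumption of this example, and the embedded report excerpt is constructed: confirm both against a real report from your instance.

```python
"""Triage a MobSF JSON report into a severity-ordered, OWASP-tagged finding list."""
import json
from collections import Counter

# Constructed excerpt of a /api/v1/report_json response. The section and key
# names follow MobSF 4.x output but are an assumption of this example: confirm
# them against a real report from your instance before relying on this shape.
SAMPLE_REPORT = json.loads(r'''
{
  "app_name": "target_app",
  "package_name": "com.example.target",
  "manifest_analysis": {
    "manifest_findings": [
      {"rule": "app_is_debuggable", "title": "Debug Enabled For App",
       "severity": "high", "component": []},
      {"rule": "exported_intent_filter_exists", "title": "Activity is not Protected",
       "severity": "warning", "component": ["com.example.target.DeepLinkActivity"]},
      {"rule": "app_allowbackup", "title": "Application Data can be Backed up",
       "severity": "warning", "component": []}
    ]
  },
  "code_analysis": {
    "findings": {
      "android_hardcoded_secret": {
        "metadata": {"severity": "warning", "cwe": "CWE-312",
                     "owasp-mobile": "M1: Improper Credential Usage"},
        "files": {"com/example/target/Config.java": "12"}
      },
      "android_aes_ecb": {
        "metadata": {"severity": "high", "cwe": "CWE-327",
                     "owasp-mobile": "M10: Insufficient Cryptography"},
        "files": {"com/example/target/Crypto.java": "40,58"}
      }
    }
  },
  "network_security": {
    "network_findings": [
      {"scope": ["*"], "severity": "high",
       "description": "Base config is insecurely configured to permit clear text traffic to all domains."}
    ]
  },
  "binary_analysis": [
    {"name": "lib/arm64-v8a/libnative.so",
     "nx": {"severity": "info", "description": "NX enabled"},
     "pie": {"severity": "info", "description": "PIE enabled"},
     "stack_canary": {"severity": "high", "description": "No canary found"},
     "relro": {"severity": "warning", "description": "Partial RELRO"}}
  ]
}
''')

SEVERITY_RANK = {"high": 3, "warning": 2, "info": 1, "secure": 0}
NATIVE_CHECKS = ("nx", "pie", "stack_canary", "relro", "rpath", "runpath", "fortify", "symbol")


def triage(report):
    """Flatten the four report sections into one list, highest severity first."""
    out = []
    for f in report.get("manifest_analysis", {}).get("manifest_findings", []):
        out.append({"section": "manifest", "owasp": "M8: Security Misconfiguration",
                    "severity": f.get("severity", "info"),
                    "title": f.get("title") or f.get("rule", ""),
                    "where": ", ".join(f.get("component") or []) or "AndroidManifest.xml"})
    for rule, body in report.get("code_analysis", {}).get("findings", {}).items():
        meta = body.get("metadata", {})
        out.append({"section": "code", "owasp": meta.get("owasp-mobile", "unmapped"),
                    "severity": meta.get("severity", "info"), "title": rule,
                    "where": "; ".join(f"{p}:{lines}" for p, lines in body.get("files", {}).items())})
    for f in report.get("network_security", {}).get("network_findings", []):
        out.append({"section": "network", "owasp": "M5: Insecure Communication",
                    "severity": f.get("severity", "info"), "title": f.get("description", ""),
                    "where": ", ".join(f.get("scope") or [])})
    for lib in report.get("binary_analysis", []):
        for prop in NATIVE_CHECKS:  # keep only the hardening flags that actually failed
            check = lib.get(prop)
            if isinstance(check, dict) and check.get("severity") in ("high", "warning"):
                out.append({"section": "binary", "owasp": "M7: Insufficient Binary Protections",
                            "severity": check["severity"],
                            "title": f"{prop}: {check.get('description', '')}",
                            "where": lib.get("name", "")})
    # stable sort keeps report order within a severity band
    out.sort(key=lambda f: -SEVERITY_RANK.get(f["severity"], 0))
    return out


def severity_counts(findings):
    return Counter(f["severity"] for f in findings)


def high_owasp_categories(findings):
    """OWASP Mobile Top 10 categories that have at least one HIGH finding."""
    return sorted({f["owasp"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    fs = triage(SAMPLE_REPORT)
    print(dict(severity_counts(fs)), high_owasp_categories(fs))
    for f in fs:
        print(f"[{f['severity']:7}] {f['section']:8} {f['title']}  @ {f['where']}")
```

Replace `SAMPLE_REPORT` with `json.load(open("report.json"))` from Step 5 to run it on a real scan. The `where` column is what makes the hardcoded-secret findings triageable: each file and line can be opened in the JADX output to decide whether the match is a real credential or just a variable name.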

Step 5: Generate and Export Reports


Export findings in multiple formats for stakeholder communication:

```bash
# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
  -H "Authorization: <API_KEY>" \
  -d "hash=<FILE_HASH>" -o report.pdf

# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
  -H "Authorization: <API_KEY>" \
  -d "hash=<FILE_HASH>" -o report.json
```

Step 6: Integrate into CI/CD Pipeline


Add MobSF scanning as a build gate. The `mobsf` hostname assumes MobSF runs as a service container or on a host reachable from the runner, and the API key is stored as a repository secret rather than in the workflow file:

```yaml
# GitHub Actions example
- name: MobSF Static Analysis
  env:
    MOBSF_URL: http://mobsf:8000
    MOBSF_API_KEY: ${{ secrets.MOBSF_API_KEY }}
  run: |
    set -euo pipefail
    UPLOAD=$(curl -sf -F "file=@app/build/outputs/apk/release/app-release.apk" \
      "$MOBSF_URL/api/v1/upload" -H "Authorization: $MOBSF_API_KEY")
    HASH=$(echo "$UPLOAD" | jq -r '.hash')
    [ -n "$HASH" ] && [ "$HASH" != "null" ] || { echo "upload failed: $UPLOAD"; exit 1; }
    curl -sf -X POST "$MOBSF_URL/api/v1/scan" \
      -H "Authorization: $MOBSF_API_KEY" \
      -d "scan_type=apk&file_name=app-release.apk&hash=$HASH" > /dev/null
    SCORE=$(curl -sf -X POST "$MOBSF_URL/api/v1/scorecard" \
      -H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq -r '.security_score')
    echo "MobSF security score: $SCORE"
    if [ "$SCORE" -lt 60 ]; then echo "score below threshold 60"; exit 1; fi
```

`set -euo pipefail` and `curl -f` make a failed upload or an unreachable server fail the job instead of silently producing an empty score. The score is a coarse gate: a build can stay above 60 while shipping a debuggable manifest or a permissive TrustManager, so also fail on specific HIGH findings from the scorecard.
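The Step 2, Step 3 and Step 6 sequence as one script, an added example that is not MobSF's own code. The endpoints and form fields are the MobSF v4 REST API used above; `MobSFClient`, `gate`, `FakeMobSF` and `BLOCKING` are names introduced by this example, and the scorecard fields it reads (`security_score`, and `high` as a list of items with a `title`) follow v4 output but should be checked against your instance. The fake server is a constructed stand-in so the gate logic runs offline; with `MOBSF_API_KEY` set and an APK path on the command line it talks to a real instance.

```python
"""Drive a MobSF static scan end to end and gate a build on the scorecard."""
import json
import os
import sys
import uuid
import urllib.parse
import urllib.request
from pathlib import Path


class MobSFClient:
    """Client for the MobSF v4 REST endpoints used in this workflow.

    transport(path, fields, file_path) must return the parsed JSON body; the
    default speaks HTTP via urllib, and demo() below swaps in a fake server.
    """

    def __init__(self, base_url, api_key, transport=None):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, path, fields, file_path=None):
        if file_path is None:
            body = urllib.parse.urlencode(fields).encode()
            ctype = "application/x-www-form-urlencoded"
        else:  # multipart upload under the field name MobSF expects: "file"
            boundary = uuid.uuid4().hex
            head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
                    f'filename="{Path(file_path).name}"\r\n'
                    'Content-Type: application/octet-stream\r\n\r\n')
            body = head.encode() + Path(file_path).read_bytes() + f"\r\n--{boundary}--\r\n".encode()
            ctype = f"multipart/form-data; boundary={boundary}"
        req = urllib.request.Request(self.base_url + path, data=body, method="POST",
                                     headers={"Authorization": self.api_key, "Content-Type": ctype})
        # /api/v1/scan blocks until analysis finishes, so allow a long timeout
        with urllib.request.urlopen(req, timeout=1800) as resp:
            return json.load(resp)

    def upload(self, apk_path):
        return self.transport("/api/v1/upload", {}, apk_path)

    def scan(self, upload_resp, re_scan=False):
        # hash identifies the file; scan_type/file_name are echoed from the upload
        # response for compatibility with releases that required them
        return self.transport("/api/v1/scan", {
            "hash": upload_resp["hash"],
            "scan_type": upload_resp.get("scan_type", "apk"),
            "file_name": upload_resp.get("file_name", ""),
            "re_scan": "1" if re_scan else "0"})

    def scorecard(self, file_hash):
        return self.transport("/api/v1/scorecard", {"hash": file_hash})


def gate(client, apk_path, min_score=60, blocking_titles=()):
    """Upload, scan, and decide. Returns (passed, reasons, scorecard)."""
    up = client.upload(apk_path)
    if not up.get("hash"):
        return False, [f"upload failed: {up}"], {}
    client.scan(up)
    card = client.scorecard(up["hash"])
    reasons = []
    score = card.get("security_score")
    if score is None or score < min_score:
        reasons.append(f"security_score {score} below threshold {min_score}")
    # the scorecard lists HIGH findings by title; block on the ones a score can hide
    for item in card.get("high", []):
        if item.get("title") in blocking_titles:
            reasons.append(f"blocking finding: {item['title']}")
    return not reasons, reasons, card


class FakeMobSF:
    """Constructed stand-in for a MobSF server (an assumption of this example)."""

    def __init__(self, score, high_titles=()):
        self.score, self.high_titles, self.calls = score, list(high_titles), []

    def __call__(self, path, fields, file_path=None):
        self.calls.append(path)
        h = "d41d8cd98f00b204e9800998ecf8427e"  # MobSF's hash is the file's MD5
        if path == "/api/v1/upload":
            return {"status": "success", "hash": h, "scan_type": "apk",
                    "file_name": Path(file_path).name}
        if path == "/api/v1/scan":
            assert fields["hash"] == h
            return {"app_name": "target_app", "md5": h}
        if path == "/api/v1/scorecard":
            return {"hash": h, "security_score": self.score,
                    "high": [{"title": t, "section": "manifest"} for t in self.high_titles],
                    "warning": [], "info": [], "secure": []}
        raise ValueError(f"unexpected endpoint {path}")


BLOCKING = {"Debug Enabled For App"}


def demo(score=45, high_titles=("Debug Enabled For App",)):
    """Run the gate against the fake server; returns (passed, reasons, endpoints called)."""
    fake = FakeMobSF(score, high_titles)
    client = MobSFClient("http://localhost:8000", "dummy-key", transport=fake)
    passed, reasons, _ = gate(client, "app-release.apk", min_score=60, blocking_titles=BLOCKING)
    return passed, reasons, fake.calls


if __name__ == "__main__":
    key, url = os.environ.get("MOBSF_API_KEY"), os.environ.get("MOBSF_URL", "http://localhost:8000")
    if key and len(sys.argv) > 1:  # MOBSF_API_KEY=... python gate.py app-release.apk
        ok, why, card = gate(MobSFClient(url, key), sys.argv[1], blocking_titles=BLOCKING)
        print("score:", card.get("security_score"), *why, sep="\n")
        sys.exit(0 if ok else 1)
    print(demo())
```

The transport seam is the design point: the gate decision is pure logic over the three JSON responses, so the threshold and blocking-title rules can be unit tested without a running MobSF, while the same client drives the real instance from CI with a non-zero exit code on failure.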

Key Concepts


| Term | Definition |
|---|---|
| Static Analysis | Examination of application code and resources without executing the program; catches structural and pattern-based vulnerabilities |
| APK Decompilation | Recovery of Java/Kotlin-like source from compiled Dalvik bytecode with JADX, or of smali and decoded resources with apktool |
| AndroidManifest.xml | Configuration file declaring app components, permissions, and security attributes; primary target for manifest analysis |
| Certificate Pinning | Binding an app to specific server certificates or public keys so that a certificate issued by a rogue or compromised CA cannot be used for a man-in-the-middle attack |
| ProGuard/R8 | Code obfuscation and shrinking tools that make reverse engineering more difficult by renaming classes and removing unused code |

Tools & Systems


  • MobSF: Automated mobile security analysis framework supporting static and dynamic analysis of Android/iOS apps
  • JADX: Dex-to-Java decompiler for recovering readable source code from Android APK files
  • apktool: Tool for reverse engineering Android APK files, decoding resources to near-original form
  • Android Lint: Google's static analysis tool for Android-specific code quality and security issues
  • Semgrep: Pattern-based static analysis engine with mobile-specific rule packs for custom vulnerability detection

Common Pitfalls


  • Ignoring false positives: MobSF's hardcoded-secret rules match on strings such as `password` or `api_key` even when the variable holds no real credential. Triage every HIGH finding manually before reporting it.
  • Missing obfuscated code: static analysis accuracy drops sharply against obfuscated or packed apps. Supplement with dynamic analysis for apps using DexGuard or custom packers.
  • Outdated MobSF rules: rules and platform defaults evolve with Android API levels (cleartext traffic, for instance, is blocked by default from `targetSdkVersion` 28). Keep MobSF current so that findings reflect the defaults that apply to the target app's `targetSdkVersion`.
  • Skipping native code analysis: MobSF analyzes Java/Kotlin and reports only hardening flags for native libraries, not their logic. Use `checksec` and manual review in a disassembler for `.so` files.