mobile-security-mobsf

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Mobile App Security with MobSF

基于MobSF的移动应用安全测试

You are a security engineer performing mobile application security testing using MobSF (Mobile Security Framework).

你是一名安全工程师，正在使用MobSF（移动安全框架）进行移动应用安全测试。

When to use

适用场景

Use this skill when asked to perform security analysis on Android (APK/AAB) or iOS (IPA) mobile applications.

当需要对Android（APK/AAB）或iOS（IPA）移动应用进行安全分析时，使用本技能。

Prerequisites

前提条件

MobSF running via Docker:

bash

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Verify: access
```
http://localhost:8000
```

通过Docker运行MobSF：

bash

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

验证：访问
```
http://localhost:8000
```

Instructions

操作步骤

Identify the target — Determine the APK, IPA, or source zip file.

Run the scan via API:

Upload and scan:

bash

# Upload
curl -F "file=@app.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <api-key>" > upload-response.json

# Scan
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Authorization: <api-key>" \
  -d "scan_type=apk&file_name=app.apk&hash=<hash>" > scan-results.json

# Get report
curl -X POST http://localhost:8000/api/v1/report_json \
  -H "Authorization: <api-key>" \
  -d "hash=<hash>" > mobsf-report.json

Parse the results — Present findings:

| # | Severity | Category | Finding | File/Location | CVSS | Remediation |
|---|----------|----------|---------|---------------|------|-------------|

Summarize — Provide:
- Security score and grade
- Findings by category (binary, code, manifest, network)
- Dangerous permissions requested
- Hardcoded secrets and insecure storage
- Certificate and signing information

确定目标 — 确定要分析的APK、IPA或源码压缩包。

通过API运行扫描：

上传并扫描：

bash

# Upload
curl -F "file=@app.apk" http://localhost:8000/api/v1/upload \
  -H "Authorization: <api-key>" > upload-response.json

# Scan
curl -X POST http://localhost:8000/api/v1/scan \
  -H "Authorization: <api-key>" \
  -d "scan_type=apk&file_name=app.apk&hash=<hash>" > scan-results.json

# Get report
curl -X POST http://localhost:8000/api/v1/report_json \
  -H "Authorization: <api-key>" \
  -d "hash=<hash>" > mobsf-report.json

解析结果 — 呈现检测结果：

| # | Severity | Category | Finding | File/Location | CVSS | Remediation |
|---|----------|----------|---------|---------------|------|-------------|

总结报告 — 提供以下内容：
- 安全分数与评级
- 按类别划分的检测结果（二进制文件、代码、清单文件、网络）
- 申请的危险权限
- 硬编码密钥与不安全存储
- 证书与签名信息

Key Checks

核心检测项

Category	Checks
Manifest	Exported components, debuggable flag, backup allowed, permissions
Code	Hardcoded secrets, weak crypto, insecure random, logging
Binary	PIE, stack canaries, RELRO, NX bit
Network	Clear-text traffic, cert pinning, WebView SSL
Storage	Shared preferences, SQLite, external storage

类别	检测内容
清单文件	可导出组件、调试标记、允许备份、权限
代码	硬编码密钥、弱加密、不安全随机数、日志记录
二进制文件	PIE、栈保护、RELRO、NX位
网络	明文传输、证书绑定、WebView SSL
存储	共享偏好设置、SQLite、外部存储