Back to Blog
Implement MobSF on Kali Linux for Dynamic and Static Security Testing

Implement MobSF on Kali Linux for Dynamic and Static Security Testing

Antonio Olvera

With the mobile application market exploding (currently 2.8m apps on the Google Play Store and 2.2m on the Apple store - not to mention Enterprise apps or apps not available on “Regular Markets”), Security Testing on mobile devices becomes critical to IT security for IOVIO and our customers.

A recent request from one our customers required that we provide Security and Penetration Testing against their mission critical applications, including Mobile Applications for Android and iOS. IOVIO’s weapons of choice for this assignment are Kali Linux and the MobSF (Mobile Security Framework), and automated Security Framework that allows application testing during run-time.

In this guide I’ll do my best to show you how to setup such an environment with minimum hassle.

So without further ado let's start by opening a console and installing Phyton3-pip.

First, make sure you have Java SDK

cat >/etc/apt/sources.list.d/webupd8team-java.list<< EOF
deb http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main
deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu trusty main 
EOF
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys EEA14886
apt-get update
apt-get install oracle-java8-installer
java -version
apt-get install python3-pip

MobSF on Kali Linux - step 1
MobSF on Kali Linux - step 2
MobSF on Kali Linux - step 3

Now let’s clone the MobSF repository and navigate to the main directory.

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

MobSF on Kali Linux - step 4

 

Configure Static Analyzer

Before running the server we need to create and activate a virtual environment and install the MobSF requirements.

As an optional step install wkhtmltopdf first to generate PDF reports.

pip3 install virtualenv
virtualenv -p python3 venv
source venv/bin/activate
pip3 install -r requirements.txt

MobSF on Kali Linux - step 5
MobSF on Kali Linux - step 6

 

Run MobSF Server

python3 manage.py runserver PORT_NO
python3 manage.py runserver IP:PORT_NO

There is a very common error that occurs after running the server for the first time: you have unapplied migrations and your project may not work properly. To solve it all you have to do is apply the pending migrations.

MobSF on Kali Linux - step 7
python3 manage.py migrate

MobSF on Kali Linux - step 9

Now everything is ready to run: open your favorite browser and navigate to http://127.0.0.1:800, or IP and Port that was configured.

You are now ready to load APKs or IPAs into the server and start performing Static Analysis of your apps.

MobSF on Kali Linux - step 10
MobSF on Kali Linux - step 11

On the following article I will show you how to configure the MobSF to communicate with an Android emulator and start executing Dynamic tests.Don’t forget to visit the project page to discover more about the MobSF.If you are interested in security testing services, have any questions, comments, tips or tricks or even if you want to share some of your own approaches then reach out.

Share on social media: 

More from the Blog

Software quality: a mind game

Why many technology initiatives are failing? Tools are necessary but not sufficient. Software quality is a mind game: the right mindset is the key to success. Read the story of René, Test manager in Province Noord-Holland.

Read Story

Service Virtualization for SAP – You Could Save €240k (and Hit Deadlines)

Does your SAP implementation involve multiple workstreams? Could 3rd party integration slow your progress? If yes to either, Service Virtualization could help you reduce costly delays and help you keep your SAP project under control.

Read Story

Work-from-home balance: we share what we learned

Are you struggling to find a work-from-home / family balance? We are all in, we are millions. In this article, we turned our learning into tips for the ones who still have to deal with this unusual routine in the weeks to come.

Read Story