Scripts · Jul 1, 2026 · 3 min read

MobSF — Automated Mobile Application Security Testing

Open-source framework for automated static and dynamic analysis of Android, iOS, and Windows mobile applications.

Agent-ready

Agent-ready installation

This asset can be installed after choosing the runtime, reviewing the plan, and running the corresponding command.

Native · 98/100 · Policy: allow
Agent surface: Any MCP/CLI agent
Type: Skill
Installation: Single
Trust: Established
Entry: MobSF
Direct install command:
npx -y tokrepo@latest install 7ad4e172-754b-11f1-9bc6-00163e2b0d79 --target codex

Run only after confirming the plan with a dry run.

Introduction

MobSF (Mobile Security Framework) is an automated, all-in-one mobile application pen-testing, malware analysis, and security assessment framework. It supports static and dynamic analysis of Android, iOS, and Windows mobile apps, providing actionable security findings without requiring deep manual expertise.

What MobSF Does

  • Performs static analysis on APK, IPA, APPX, and source code archives
  • Runs dynamic analysis with real-time API monitoring and network traffic capture
  • Detects hardcoded secrets, insecure permissions, and vulnerable code patterns
  • Generates detailed PDF and JSON security reports with CVSS scores
  • Provides a REST API for CI/CD pipeline integration

Architecture Overview

MobSF is a Python/Django web application. Static analysis decompiles binaries with tools such as jadx (Android) and class-dump (iOS), then applies rule-based pattern matching to the recovered code and inspects the manifest, entitlements, and permissions. Dynamic analysis instruments a running app on an emulator or device: MobSF pushes a Frida server to the target, hooks runtime behavior with its bundled Frida scripts, and routes the app's traffic through a built-in intercepting proxy so that HTTP(S) calls can be captured and replayed.

Self-Hosting & Configuration

  • Run via Docker for the simplest setup (the official `opensecurity/mobile-security-framework-mobsf` image): static analysis works out of the box, while dynamic analysis additionally needs an Android emulator or VM reachable from the container
  • Requires Python 3.8+ and JDK 8+ for source installations (check the project README for the Python range the current release actually supports)
  • Configure dynamic analysis by connecting an Android emulator (a non-Google-Play/AOSP image, so MobSF can root and instrument it) or a jailbroken iOS device
  • Set environment variables (or a user settings file) for proxy ports, report storage paths, and the REST API key; treat that key as a secret, since it authorizes upload, scan, and delete operations against the instance
  • Supports PostgreSQL or SQLite (the default) as the backing database

Key Features

  • Unified platform covering both static and dynamic mobile security testing
  • Supports Android (APK/AAB), iOS (IPA), and Windows (APPX) binaries
  • Built-in Frida scripts for runtime instrumentation and hook-based analysis
  • REST API enables automated scanning in CI/CD workflows
  • Generates compliance-ready reports mapping to OWASP Mobile Top 10

Comparison with Similar Tools

  • QARK — Android-only static scanner; MobSF covers iOS and Windows too
  • AndroBugs — Lightweight Android vulnerability scanner; lacks dynamic analysis
  • Objection — Runtime exploration tool for mobile apps; MobSF adds static analysis and reporting
  • Drozer — Android-specific security assessment; no iOS support
  • Appknox — Commercial mobile security platform; MobSF is fully open source

FAQ

Q: Does MobSF require a rooted device for dynamic analysis? A: Android dynamic analysis works with a standard Android Studio emulator, provided it runs a non-Google-Play (AOSP) system image that MobSF can root and instrument; Google Play images are not supported. iOS dynamic analysis requires a jailbroken device (current releases drive Corellium virtual devices).

Q: Can I integrate MobSF into my CI/CD pipeline? A: Yes. MobSF exposes a REST API for uploading binaries, triggering scans, and retrieving results programmatically.

Q: What file types does MobSF accept? A: APK, AAB, IPA, APPX, and ZIP archives containing mobile app source code.

Q: Is MobSF suitable for enterprise use? A: Yes. Many organizations use MobSF in their SDLC. It can run on-premises with no data leaving your network, which also means the instance, its uploaded binaries, and its API key are yours to protect.
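The CI/CD integration mentioned in the REST API bullet and in the FAQ above, as an added example that is not MobSF's own code: a stdlib-only Python script uploads a binary, triggers a static scan, fetches the JSON report, and fails the build when the report exceeds a severity budget. The endpoint paths (`/api/v1/upload`, `/api/v1/scan`, `/api/v1/report_json`) and the raw key in the `Authorization` header are MobSF's documented REST API; the `MOBSF_URL`/`MOBSF_API_KEY` environment variables, the `MobSFClient` and `gate` names, and the report layout the gate inspects (an `appsec` dict with per-severity lists in recent releases, falling back to `code_analysis.summary` counts) are assumptions made for this example, and `SAMPLE_REPORT` is constructed, not real scan output.

```python
"""CI gate on MobSF static-analysis results via its REST API (added example)."""
from __future__ import annotations

import json
import os
import sys
import urllib.parse
import urllib.request
import uuid
from typing import Any

SEVERITIES = ("high", "warning", "info")


def encode_multipart(field: str, filename: str, data: bytes) -> tuple[bytes, str]:
    """Encode one file as multipart/form-data using only the standard library."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


class MobSFClient:
    """Thin wrapper over MobSF's documented /api/v1 endpoints (class name assumed)."""

    def __init__(self, base_url: str, api_key: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key  # MobSF expects the raw key as the Authorization header value

    def _post(self, path: str, body: bytes, content_type: str) -> dict[str, Any]:
        req = urllib.request.Request(self.base_url + path, data=body, method="POST")
        req.add_header("Authorization", self.api_key)
        req.add_header("Content-Type", content_type)
        with urllib.request.urlopen(req, timeout=900) as resp:  # scans can take minutes
            return json.load(resp)

    def _form(self, path: str, fields: dict[str, str]) -> dict[str, Any]:
        return self._post(path, urllib.parse.urlencode(fields).encode(),
                          "application/x-www-form-urlencoded")

    def upload(self, path: str) -> dict[str, Any]:
        with open(path, "rb") as fh:
            body, ctype = encode_multipart("file", os.path.basename(path), fh.read())
        return self._post("/api/v1/upload", body, ctype)  # returns hash, scan_type, file_name

    def scan(self, uploaded: dict[str, Any]) -> dict[str, Any]:
        # Newer releases need only "hash"; older ones also want scan_type and file_name.
        return self._form("/api/v1/scan",
                          {k: uploaded[k] for k in ("hash", "scan_type", "file_name")})

    def report_json(self, file_hash: str) -> dict[str, Any]:
        return self._form("/api/v1/report_json", {"hash": file_hash})


def count_findings(report: dict[str, Any]) -> dict[str, int]:
    """Count findings per severity. Layout is an assumption: recent reports carry an
    'appsec' dict of per-severity lists; older ones a 'code_analysis.summary' of counts."""
    appsec = report.get("appsec")
    if isinstance(appsec, dict):
        return {sev: len(appsec.get(sev, [])) for sev in SEVERITIES}
    summary = report.get("code_analysis", {}).get("summary", {})
    return {sev: int(summary.get(sev, 0)) for sev in SEVERITIES}


def gate(report: dict[str, Any], max_high: int = 0,
         max_warning: int | None = None) -> tuple[bool, dict[str, int]]:
    """Return (passed, counts): the build passes only within the severity budgets."""
    counts = count_findings(report)
    passed = counts["high"] <= max_high and (max_warning is None or counts["warning"] <= max_warning)
    return passed, counts


# Constructed sample in the assumed report layout; not output from a real scan.
SAMPLE_REPORT = {
    "appsec": {
        "high": [{"title": "App can be installed on a vulnerable Android version"}],
        "warning": [{"title": "Application data can be backed up"}, {"title": "Debug enabled"}],
        "info": [],
        "security_score": 61,
    }
}


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} app.apk", file=sys.stderr)
        return 2
    client = MobSFClient(os.environ.get("MOBSF_URL", "http://127.0.0.1:8000"),
                         os.environ["MOBSF_API_KEY"])
    uploaded = client.upload(argv[1])
    client.scan(uploaded)
    passed, counts = gate(client.report_json(uploaded["hash"]), max_high=0)
    print(json.dumps({"hash": uploaded["hash"], "passed": passed, **counts}))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a pipeline step as `MOBSF_URL=https://mobsf.internal MOBSF_API_KEY=... python mobsf_gate.py app-release.apk`; a non-zero exit fails the job. Keep the API key in the CI secret store rather than in the pipeline definition, and point `MOBSF_URL` at an instance on your own network, since the binary under test is uploaded in full.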
