# MobSF — Automated Mobile Application Security Testing

> Open-source framework for automated static and dynamic analysis of Android, iOS, and Windows mobile applications.

## Quick Use

```bash
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf
# Open http://localhost:8000 and upload an APK, IPA, or APPX file.
# The REST API key is printed in the container log at startup and is also
# shown on the API docs page (/api_docs) of the running instance.
```

## Introduction

MobSF (Mobile Security Framework) is an automated, all-in-one mobile application pen-testing, malware analysis, and security assessment framework. It performs static analysis of Android, iOS, and Windows mobile apps and dynamic analysis of Android and iOS apps, producing actionable findings (with severity, CWE, and OWASP Mobile references) without requiring deep manual expertise.

## What MobSF Does

- Performs static analysis on APK, IPA, and APPX binaries and on ZIP archives of app source code
- Runs dynamic analysis with real-time API monitoring and network traffic capture
- Detects hardcoded secrets, insecure permissions, weak crypto usage, and other vulnerable code patterns
- Generates detailed PDF and JSON security reports; findings carry CVSS scores and the app gets an overall security score
- Provides a REST API for CI/CD pipeline integration

## Architecture Overview

MobSF is a Python/Django web application. Static analysis decompiles Android binaries with jadx and dumps iOS class information with class-dump, then applies rule-based pattern matching to the recovered code and inspects the manifest/Info.plist, permissions, signing certificate, and network security configuration. Dynamic analysis instruments a running app on an Android emulator, VM, or rooted device (and on iOS via a jailbroken Corellium VM), intercepting HTTP(S) traffic through MobSF's built-in proxy and hooking runtime behavior with Frida. Windows (APPX) support is static-only.
## Self-Hosting & Configuration

- Run via Docker for the simplest setup: a single container with no external dependencies for static analysis (dynamic analysis still needs an Android VM or emulator running outside the container)
- Source installations need Python 3 (the docs list the supported versions) and JDK 8+, which jadx and apktool depend on
- Configure dynamic analysis by pointing MobSF at an Android Studio emulator, Genymotion VM, or rooted device, or at a jailbroken iOS VM on Corellium
- Behaviour is driven by environment variables (e.g. `MOBSF_API_KEY` for the REST API key, `MOBSF_ANALYZER_IDENTIFIER` for the emulator/VM address) plus settings for proxy port and report storage paths
- Uses SQLite by default; PostgreSQL can be configured as the backing database

## Key Features

- Unified platform covering both static and dynamic mobile security testing
- Supports Android (APK/AAB), iOS (IPA), and Windows (APPX) binaries
- Built-in Frida scripts for runtime instrumentation and hook-based analysis, plus support for your own custom Frida scripts
- REST API enables automated scanning in CI/CD workflows
- Reports map each finding to OWASP Mobile Top 10 and MASVS categories, which is what auditors usually ask for

## Comparison with Similar Tools

- **QARK** — Android-only static scanner; MobSF covers iOS and Windows too
- **AndroBugs** — Lightweight Android vulnerability scanner; lacks dynamic analysis
- **Objection** — Frida-based runtime exploration toolkit for mobile apps; MobSF adds static analysis and reporting
- **Drozer** — Android-specific security assessment framework; no iOS support
- **Appknox** — Commercial mobile security platform; MobSF is fully open source

## FAQ

**Q: Does MobSF require a rooted device for dynamic analysis?**
A: Android dynamic analysis needs a root-capable target: a Genymotion VM, an Android Studio emulator image that MobSF can root (a non-Google-Play image), or a rooted physical device. iOS dynamic analysis requires a jailbroken iOS VM on Corellium.

**Q: Can I integrate MobSF into my CI/CD pipeline?**
A: Yes. MobSF exposes a REST API for uploading binaries, triggering scans, and retrieving results programmatically; every request is authenticated with the API key in the `Authorization` header.

**Q: What file types does MobSF accept?**
A: APK, AAB, IPA, APPX, and ZIP archives containing mobile app source code.

**Q: Is MobSF suitable for enterprise use?**
A: Yes. Many organizations run MobSF inside their SDLC. It can run on-premise with no data leaving your network.
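The REST API integration mentioned under "What MobSF Does" and in the CI/CD FAQ above, worked through as an added example (this is not MobSF's own client code). It assumes a MobSF 3.x server at `MOBSF_URL`, its key in `MOBSF_API_KEY`, the documented `/api/v1/upload` and `/api/v1/scan` endpoints, and the `/api/v1/scorecard` endpoint returning `security_score` plus `high`/`warning` finding lists; those field names, the `gate()` policy, and the script name `mobsf_gate.py` are assumptions made here. The policy check is a pure function so it can be unit-tested without a server.

```python
#!/usr/bin/env python3
"""mobsf_gate.py: fail a CI build on a MobSF scan (added example, not MobSF code).

Assumptions: MobSF 3.x REST API; key passed in the Authorization header;
/api/v1/scorecard returns "security_score" and "high"/"warning" lists whose
items carry a "title". Only the standard library is used.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = os.environ.get("MOBSF_URL", "http://localhost:8000").rstrip("/")
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "")  # printed by MobSF at startup


def _post(path, api_key, body, content_type, base_url=MOBSF_URL):
    """POST to a MobSF endpoint; MobSF expects the raw key in Authorization."""
    req = urllib.request.Request(
        base_url + path, data=body, method="POST",
        headers={"Authorization": api_key, "Content-Type": content_type},
    )
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.loads(resp.read().decode())


def upload(file_path, api_key, base_url=MOBSF_URL):
    """POST /api/v1/upload as multipart field 'file'.

    MobSF picks the scan type from the file extension, so the real filename
    (app.apk, app.ipa, ...) must be preserved in the multipart header.
    """
    boundary = uuid.uuid4().hex
    with open(file_path, "rb") as fh:
        payload = fh.read()
    head = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; '
        f'filename="{os.path.basename(file_path)}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    body = head + payload + f"\r\n--{boundary}--\r\n".encode()
    return _post("/api/v1/upload", api_key, body,
                 f"multipart/form-data; boundary={boundary}", base_url)


def scan(upload_response, api_key, base_url=MOBSF_URL):
    """POST /api/v1/scan; the upload response already holds hash/scan_type/file_name.

    Returns when the static scan has finished (the call is synchronous).
    """
    body = urllib.parse.urlencode(upload_response).encode()
    return _post("/api/v1/scan", api_key, body,
                 "application/x-www-form-urlencoded", base_url)


def scorecard(scan_hash, api_key, base_url=MOBSF_URL):
    """POST /api/v1/scorecard for the app security scorecard of a finished scan."""
    body = urllib.parse.urlencode({"hash": scan_hash}).encode()
    return _post("/api/v1/scorecard", api_key, body,
                 "application/x-www-form-urlencoded", base_url)


def gate(card, min_score=60, fail_on_high=True):
    """Pure policy check over a scorecard dict -> (passed, reasons).

    Fails when the security score is missing or below min_score, and (by
    default) when any high-severity finding is present. Thresholds are a
    local policy choice, not a MobSF default.
    """
    reasons = []
    score = card.get("security_score")
    if score is None or score < min_score:
        reasons.append(f"security_score {score} below threshold {min_score}")
    highs = card.get("high", [])
    if fail_on_high and highs:
        titles = ", ".join(sorted(h.get("title", "?") for h in highs))
        reasons.append(f"{len(highs)} high-severity finding(s): {titles}")
    return (not reasons, reasons)


if __name__ == "__main__":
    if len(sys.argv) != 2 or not MOBSF_API_KEY:
        sys.exit("usage: MOBSF_API_KEY=... [MOBSF_URL=...] mobsf_gate.py <app.apk|app.ipa>")
    up = upload(sys.argv[1], MOBSF_API_KEY)
    scan(up, MOBSF_API_KEY)
    card = scorecard(up["hash"], MOBSF_API_KEY)
    passed, reasons = gate(card)
    print(f"{up['file_name']}: security_score={card.get('security_score')}")
    for reason in reasons:
        print("FAIL:", reason)
    sys.exit(0 if passed else 1)
```

The same `hash` form field drives `/api/v1/report_json` and `/api/v1/download_pdf` if the pipeline should archive the full report; keep the `warning` list out of the hard gate unless the app is greenfield, because MobSF's warnings include findings (exported components, cleartext permitted for specific domains) that are often intentional and belong in triage rather than in a build break.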
## Sources

- https://github.com/MobSF/Mobile-Security-Framework-MobSF
- https://mobsf.github.io/docs/

---

Source: https://tokrepo.com/en/workflows/asset-7ad4e172
Author: Script Depot