Skip to main content

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code.

Project description

mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Android XML, Swift and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.

Made with Love in India Tweet

PyPI version License python platform Build

Support mobsfscan

Donate to MobSF

If you liked mobsfscan and find it useful, please consider donating.

e-Learning Courses & Certifications

MobSF Course Automated Mobile Application Security Assessment with MobSF -MAS

Android Security Tools Course Android Security Tools Expert -ATX

Installation

pip install mobsfscan

Requires Python 3.7+

Command Line Options

$ mobsfscan
usage: mobsfscan [-h] [--json] [--sarif] [--sonarqube] [--html] [--type {android,ios,auto}]
                 [-o OUTPUT] [-c CONFIG] [-mp {default,billiard,thread}] [-w] [--no-fail] [-v]
                 [path ...]

positional arguments:
  path                  Path can be file(s) or directories with source code

options:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  --type {android,ios,auto}
                        optional: force android or ios rules explicitly
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        location to .mobsf config file
  -mp {default,billiard,thread}, --multiprocessing {default,billiard,thread}
                        optional: specify multiprocessing strategy
  -w, --exit-warning    non zero exit code on warning
  --no-fail             force zero exit code, takes precedence over --exit-warning
  -v, --version         show mobsfscan version

Example Usage

$ mobsfscan tests/assets/src/
- Pattern Match ████████████████████████████████████████████████████████████ 3
- Semantic Grep ██████ 37

mobsfscan: v0.3.0 | Ajin Abraham | opensecurity.in
╒══════════════╤════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID       android_webview_ignore_ssl                                                                                                                             │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION   Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ TYPE          RegexAnd                                                                                                                                               │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATTERN       ['onReceivedSslError\\(WebView', '\\.proceed\\(\\);']                                                                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY      ERROR                                                                                                                                                   │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ INPUTCASE     exact                                                                                                                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS          7.4                                                                                                                                                    │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE           CWE-295 Improper Certificate Validation                                                                                                                │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP-MOBILE  M3: Insecure Communication                                                                                                                             │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ MASVS         MSTG-NETWORK-3                                                                                                                                         │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ REF           https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification                │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES         ╒════════════════╤═════════════════════════════════════════════════════════════════════════════════════════════╕                                       │
│                File            ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java                                        │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                Match Position  1480 - 1491                                                                                                                        │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                Line Number(s)  50                                                                                                                                 │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                Match String    .proceed();                                                                                                                        │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                File            ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java                                        │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                Match Position  1331 - 1357                                                                                                                        │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                Line Number(s)  46                                                                                                                                 │
│               ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│                Match String    onReceivedSslError(WebView                                                                                                         │
│               ╘════════════════╧═════════════════════════════════════════════════════════════════════════════════════════════╛                                       │
╘══════════════╧════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╛

Python API

>>> from mobsfscan.mobsfscan import MobSFScan
>>> src = 'tests/assets/src/java/java_vuln.java'
>>> scanner = MobSFScan([src], json=True)
>>> scanner.scan()
{
    'results': {
        'android_logging': {
            'files': [{
                'file_path': 'tests/assets/src/java/java_vuln.java',
                'match_position': (13, 73),
                'match_lines': (19, 19),
                'match_string': '            Log.d("htbridge", "getAllRecords(): " + records.toString());'
            }],
            'metadata': {
                'cwe': 'CWE-532 Insertion of Sensitive Information into Log File',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-STORAGE-3',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs',
                'description': 'The App logs information. Please ensure that sensitive information is never logged.',
                'severity': 'INFO'
            }
        },
        'android_certificate_pinning': {
            'metadata': {
                'cwe': 'CWE-295 Improper Certificate Validation',
                'owasp-mobile': 'M3: Insecure Communication',
                'masvs': 'MSTG-NETWORK-4',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4',
                'description': 'This App does not use TLS/SSL certificate or public key pinning to detect or prevent MITM attacks in secure communication channel.',
                'severity': 'INFO'
            }
        },
        'android_root_detection': {
            'metadata': {
                'cwe': 'CWE-919 - Weaknesses in Mobile Applications',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': 'This App does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.',
                'severity': 'INFO'
            }
        },
        'android_prevent_screenshot': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M2: Insecure Data Storage',
                'masvs': 'MSTG-STORAGE-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9',
                'description': 'This App does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.',
                'severity': 'INFO'
            }
        },
        'android_safetynet_api': {
            'metadata': {
                'cwe': 'CWE-353 Missing Support for Integrity Check',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': "This App does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ",
                'severity': 'INFO'
            }
        },
        'android_detect_tapjacking': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-PLATFORM-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9',
                'description': "This app does not has capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.",
                'severity': 'INFO'
            }
        }
    },
    'errors': []
}

Configure mobsfscan

A .mobsf file in the root of the source code directory allows you to configure mobsfscan. You can also use a custom .mobsf file using --config argument.

---
- ignore-filenames:
  - skip.java

  ignore-paths:
  - __MACOSX
  - skip_dir

  ignore-rules:
  - android_kotlin_logging
  - android_safetynet_api
  - android_prevent_screenshot
  - android_detect_tapjacking
  - android_certificate_pinning
  - android_root_detection
  - android_certificate_transparency

  severity-filter:
  - WARNING
  - ERROR

Suppress Findings

You can suppress findings from source files by adding the comment // mobsf-ignore: rule_id1, rule_id2 to the line that trigger the findings.

Example:

String password = "strong password"; // mobsf-ignore: hardcoded_password

CI/CD Integrations

You can enable mobsfscan in your CI/CD or DevSecOps pipelines.

Github Action

Add the following to the file .github/workflows/mobsfscan.yml.

name: mobsfscan

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4.2.2
    - uses: actions/setup-python@v5.3.0
      with:
        python-version: '3.12'
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --json'

Example: pivaa with mobsfscan github action

Github Code Scanning Integration

Add the following to the file .github/workflows/mobsfscan_sarif.yml.

name: mobsfscan sarif
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  mobsfscan:
    runs-on: ubuntu-latest
    name: mobsfscan code scanning
    steps:
    - name: Checkout the code
      uses: actions/checkout@v4.2.2
    - uses: actions/setup-python@v5.3.0
      with:
        python-version: '3.12'
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --sarif --output results.sarif || true'
    - name: Upload mobsfscan report
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

mobsfscan github code scanning

Gitlab CI/CD

Add the following to the file .gitlab-ci.yml.

stages:
    - test
mobsfscan:
    image: python
    before_script:
        - pip3 install --upgrade mobsfscan
    script:
        - mobsfscan .

Example:

Travis CI

Add the following to the file .travis.yml.

language: python
install:
    - pip3 install --upgrade mobsfscan
script:
    - mobsfscan .

Circle CI

Add the following to the file .circleci/config.yaml

version: 2.1
jobs:
  mobsfscan:
    docker:
      - image: cimg/python:3.9.6
    steps:
      - checkout
      - run:
          name: Install mobsfscan
          command: pip install --upgrade mobsfscan
      - run:
           name: mobsfscan check
           command: mobsfscan .

Docker

Prebuilt image from DockerHub

docker pull opensecurity/mobsfscan
docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src

Build Locally

docker build -t mobsfscan .
docker run -v /path-to-source-dir:/src mobsfscan /src

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mobsfscan-0.4.5.tar.gz (46.1 kB view details)

Uploaded Source

Built Distribution

mobsfscan-0.4.5-py3-none-any.whl (65.9 kB view details)

Uploaded Python 3

File details

Details for the file mobsfscan-0.4.5.tar.gz.

File metadata

  • Download URL: mobsfscan-0.4.5.tar.gz
  • Upload date:
  • Size: 46.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for mobsfscan-0.4.5.tar.gz
Algorithm Hash digest
SHA256 d8fa83c1b152d2122db196632d7f8545ac38819b8743d0ddac7b0ffe3f9133cc
MD5 ba7b216d1d8acc8fab484b726ef5f35c
BLAKE2b-256 8d7d89a0ef2976c6cb9a4d8064ec763bbce8f79cafa7ea78d9841e3d8cd19726

See more details on using hashes here.

File details

Details for the file mobsfscan-0.4.5-py3-none-any.whl.

File metadata

  • Download URL: mobsfscan-0.4.5-py3-none-any.whl
  • Upload date:
  • Size: 65.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for mobsfscan-0.4.5-py3-none-any.whl
Algorithm Hash digest
SHA256 81f2ebcb75c3da9fa763fa74142e3220a88a3565a78571bd21ab075c45eaa01b
MD5 88964635ef132794bd3f6d6769bbab37
BLAKE2b-256 6a4cf9ece22eaea2afbd97c21d0cb233c7035c33b0e34553ef7ed69790724b95

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page