Overview

MobSF (Mobile Security Framework) is an all-in-one automated framework for mobile app pentesting and malware analysis. It performs static and dynamic analysis, generates detailed security reports, and exposes a REST API for CI/CD integration.
Supports: APK · IPA · APPX · source code zips
Latest release: v4.4.6: github.com/MobSF/Mobile-Security-Framework-MobSF

Install: Docker

Fastest path: no dependency setup required.
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
With persistent storage (keep scan history between runs):
docker run -it --rm \
  -p 8000:8000 \
  -v ~/mobsf-data:/home/mobsf/.MobSF \
  opensecurity/mobile-security-framework-mobsf:latest
Access: http://localhost:8000
Default credentials: mobsf / mobsf. Change them before anyone else can reach the instance: MobSF reads MOBSF_USER, MOBSF_PASSWD and MOBSF_API_KEY from the environment, so pass them with -e on the docker run line. Note also that -p 8000:8000 publishes the port on every host interface; use -p 127.0.0.1:8000:8000 to keep it local.

Install: Local (Linux / macOS)

Requirements: Python 3.12+, Git, OpenSSL, wkhtmltopdf (for PDF reports)
# Dependencies (Debian/Ubuntu)
sudo apt install python3.12 python3.12-venv git openssl wkhtmltopdf

# Clone
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

# Setup
./setup.sh

# Run
./run.sh 127.0.0.1:8000
macOS (Homebrew), after cloning the repository as above:
brew install python@3.12 wkhtmltopdf
./setup.sh
./run.sh 127.0.0.1:8000

Static Analysis

Upload via Web UI

  1. Open http://localhost:8000
  2. Drag and drop the APK (or IPA/APPX) into the upload zone
  3. MobSF decompiles, analyzes, and presents a full report

Upload via REST API

# Get API key from http://localhost:8000/api_docs
API_KEY="your_api_key_here"

# Upload APK (the multipart field name must be "file")
curl -F "file=@target.apk" \
     -H "Authorization: $API_KEY" \
     http://localhost:8000/api/v1/upload

# Response contains a hash:
# {"hash": "abc123...", "file_name": "target.apk", "scan_type": "apk"}

HASH="abc123..."

# Trigger scan
curl -X POST \
     --url http://localhost:8000/api/v1/scan \
     --data "scan_type=apk&file_name=target.apk&hash=$HASH" \
     -H "Authorization: $API_KEY"

# Get JSON report
curl -X POST \
     --url http://localhost:8000/api/v1/report_json \
     --data "hash=$HASH" \
     -H "Authorization: $API_KEY" \
     -o report.json

# Download PDF report
curl -X POST \
     --url http://localhost:8000/api/v1/download_pdf \
     --data "hash=$HASH" \
     -H "Authorization: $API_KEY" \
     -o report.pdf

What the Static Report Covers

Section             What it finds
Manifest Analysis   Exported components, dangerous flags, permissions
Code Analysis       Hardcoded secrets, insecure APIs, crypto issues
Binary Analysis     Compiler flags, NX/PIE, stack canaries
Network Security    Cleartext traffic, pinning config, domains
File Analysis       Embedded keys, certs, sensitive resource files
CVSS Scoring        Severity ratings per finding
OWASP Mapping       Each finding mapped to a MASVS category

Dynamic Analysis: Android

Dynamic analysis requires a real device or emulator with root access.

Emulator Setup (Android-x86 / AVD)

Recommended: Genymotion, or an Android Studio AVD built from a non-Google Play image (Google Play images refuse adb root, so the MobSF agent cannot be installed).
# Check the device is visible to adb and in state "device" (not "offline" or "unauthorized"); MobSF drives the same adb
adb devices
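The device check above, carried through to what MobSF actually needs: a target in state "device" whose adb shell is root. This is an added example (my code, not MobSF's device selection). The parsers are pure and run offline against constructed samples; the adb calls only run when the file is executed directly. Assumed, because the page does not state it: MobSF reads the chosen serial from the MOBSF_ANALYZER_IDENTIFIER environment variable, and the AVD launch flags in the comment are the ones the MobSF docs recommend; confirm both against the version you run.

```python
"""Pick a usable, rooted adb target for MobSF dynamic analysis (added example).
Assumption: MobSF takes the serial from MOBSF_ANALYZER_IDENTIFIER; check your version.
Per the MobSF docs, start an AVD as: emulator -avd <name> -writable-system -no-snapshot"""
import subprocess
import sys


def parse_adb_devices(text):
    """`adb devices [-l]` output -> [(serial, state)], skipping the header, daemon chatter and blanks."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        serial, state = line.split()[:2]  # trailing product:/model:/transport_id: columns ignored
        devices.append((serial, state))
    return devices


def pick_target(devices):
    """First device in state 'device'. 'unauthorized' = RSA prompt not accepted on the screen;
    'offline' = adbd wedged or emulator still booting. Neither can host the MobSF agent."""
    for serial, state in devices:
        if state == "device":
            return serial
    return None


def is_root_shell(id_output):
    """True when `adb shell id` reports uid 0; Google Play images never get here."""
    return id_output.strip().startswith("uid=0(")


def adb(serial, *args):
    """Run adb against one serial and return stdout (raises on non-zero exit)."""
    return subprocess.run(["adb", "-s", serial, *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed samples, not captured from a real host.
SAMPLE_ADB_DEVICES = """List of devices attached
emulator-5554          offline
192.168.56.101:5555    device product:vbox86p model:Custom_Phone device:vbox86p transport_id:3
ZY22BADSERIAL          unauthorized
"""
SAMPLE_ID_ROOT = "uid=0(root) gid=0(root) groups=0(root) context=u:r:su:s0"
SAMPLE_ID_SHELL = "uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input)"

if __name__ == "__main__":
    listing = subprocess.run(["adb", "devices", "-l"], capture_output=True,
                             text=True, check=True).stdout
    serial = pick_target(parse_adb_devices(listing))
    if serial is None:
        sys.exit(f"no device in state 'device':\n{listing}")
    # Restarts adbd as root on debuggable images; refused on Google Play images.
    subprocess.run(["adb", "-s", serial, "root"], check=False)
    adb(serial, "wait-for-device")
    if not is_root_shell(adb(serial, "shell", "id")):
        sys.exit(f"{serial}: adb shell is not root; use a non-Google Play AVD or a rooted device")
    print(f"export MOBSF_ANALYZER_IDENTIFIER={serial}")
```

Run it before starting MobSF and eval its output; if it exits with the "not root" message, the image is the wrong kind and no amount of clicking "Start Dynamic Analysis" will get the agent installed.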

Start Dynamic Analysis

  1. Upload and scan the APK (static scan must run first)
  2. Click “Start Dynamic Analysis” in the report
  3. MobSF installs the app and its instrumentation agent on the device
  4. Interact with the app through the emulator while MobSF captures:
    • Network traffic (HTTP/HTTPS with SSL unpinning)
    • Filesystem reads/writes
    • Logcat output
    • Screenshot timeline
    • Exported activity/service invocations
  5. Click “Stop Analysis” → MobSF generates a dynamic report

Dynamic Report Covers

  • Decrypted HTTPS traffic (captured through MobSF's proxy after its SSL pinning bypass is applied)
  • Files created/modified during runtime
  • Sensitive data leaked to logs
  • Exported component interactions
  • Screenshot evidence

mobsfscan: CI/CD Integration

Static analysis scanner for mobile source code, usable in pipelines without the full MobSF server. It exits non-zero when ERROR-severity findings are present, which is what makes it usable as a gate; --no-fail forces a zero exit and --exit-warning also fails on WARNING findings.
pip install mobsfscan

# Scan source directory
mobsfscan ./android-source/

# JSON output for pipeline parsing
mobsfscan --json -o results.json ./android-source/
GitHub Actions example:
- name: MobSF Static Scan
  uses: MobSF/mobsfscan@main
  with:
    args: '. --json --output results.json'
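The step above grown into a complete job that feeds GitHub code scanning and still fails the build, as an added example (not a workflow from the mobsfscan project). It assumes the repository root is the source tree and that code scanning is enabled for the repo so SARIF uploads are accepted. Because mobsfscan exits non-zero on ERROR findings, the scan step is allowed to fail, the SARIF is uploaded regardless, and the job is failed afterwards from the step's recorded outcome:

```yaml
# Added example workflow (assumes repo root = source tree, code scanning enabled)
name: mobsfscan
on: [push, pull_request]
permissions:
  contents: read
  security-events: write        # required by upload-sarif
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: mobsfscan
        id: scan
        uses: MobSF/mobsfscan@main
        continue-on-error: true   # non-zero exit = ERROR findings; keep going so the SARIF is uploaded
        with:
          args: '. --sarif --output results.sarif'
      - name: Upload findings to GitHub code scanning
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: results.sarif
      - name: Fail the job on ERROR-severity findings
        if: steps.scan.outcome == 'failure'
        run: exit 1
```

Swap `--sarif` for `--json` and parse results.json if the gate needs finer control than the exit status (for instance an allowlist of accepted rule IDs).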

Useful API Endpoints

Method  Endpoint                   Description
POST    /api/v1/upload             Upload APK/IPA/APPX
POST    /api/v1/scan               Trigger scan on uploaded file
POST    /api/v1/report_json        Get full JSON report
POST    /api/v1/download_pdf       Download PDF report
GET     /api/v1/scans              List all previous scans
POST    /api/v1/delete_scan        Delete scan by hash
POST    /api/v1/dynamic/get_apps   List apps for dynamic analysis
Full API docs: http://localhost:8000/api_docs

Online Demo

No setup needed for a quick static analysis: mobsf.live lets you upload and scan directly in the browser. It is a shared third-party instance, so do not upload unreleased or proprietary builds there; self-host (Docker, above) for anything sensitive.