> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# MobSF

> Mobile Security Framework: automated static and dynamic analysis for Android, iOS, and Windows apps. Installation, usage, and REST API.

## Overview

MobSF (Mobile Security Framework) is an all-in-one automated framework for mobile app pentesting and malware analysis. Performs static and dynamic analysis, generates detailed security reports, and exposes a REST API for CI/CD integration.

**Supports:** APK · IPA · APPX · source code zips

**Latest release:** v4.4.6: [github.com/MobSF/Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)

***

## Install: Docker (Recommended)

Fastest path. No dependency setup required.

```bash theme={"dark"}
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```

With persistent storage (keep scan history between runs):

```bash theme={"dark"}
docker run -it --rm \
  -p 8000:8000 \
  -v ~/mobsf-data:/home/mobsf/.MobSF \
  opensecurity/mobile-security-framework-mobsf:latest
```

Access: `http://localhost:8000`
Default credentials: `mobsf` / `mobsf`

***

## Install: Local (Linux / macOS)

**Requirements:** Python 3.12+, Git, OpenSSL, wkhtmltopdf (for PDF reports)

```bash theme={"dark"}
# Dependencies (Debian/Ubuntu)
sudo apt install python3.12 python3.12-venv git openssl wkhtmltopdf

# Clone
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

# Setup
./setup.sh

# Run
./run.sh 127.0.0.1:8000
```

macOS (Homebrew):

```bash theme={"dark"}
brew install python@3.12 wkhtmltopdf
./setup.sh
./run.sh 127.0.0.1:8000
```

***

## Static Analysis

### Upload via Web UI

1. Open `http://localhost:8000`
2. Drag and drop the APK (or IPA/APPX) into the upload zone
3. MobSF decompiles, analyzes, and presents a full report

### Upload via REST API

```bash theme={"dark"}
# Get API key from http://localhost:8000/api_docs
API_KEY="your_api_key_here"

# Upload APK
curl -F "file=@target.apk" \
     -H "Authorization: $API_KEY" \
     http://localhost:8000/api/v1/upload

# Response contains a hash:
# {"hash": "abc123...", "file_name": "target.apk", "scan_type": "apk"}

HASH="abc123..."

# Trigger scan
curl -X POST \
     --url http://localhost:8000/api/v1/scan \
     --data "scan_type=apk&file_name=target.apk&hash=$HASH" \
     -H "Authorization: $API_KEY"

# Get JSON report
curl -X POST \
     --url http://localhost:8000/api/v1/report_json \
     --data "hash=$HASH" \
     -H "Authorization: $API_KEY" \
     -o report.json

# Download PDF report
curl -X POST \
     --url http://localhost:8000/api/v1/download_pdf \
     --data "hash=$HASH" \
     -H "Authorization: $API_KEY" \
     -o report.pdf
```

***

## What the Static Report Covers

| Section               | What it Finds                                     |
| --------------------- | ------------------------------------------------- |
| **Manifest Analysis** | Exported components, dangerous flags, permissions |
| **Code Analysis**     | Hardcoded secrets, insecure APIs, crypto issues   |
| **Binary Analysis**   | Compiler flags, NX/PIE, stack canaries            |
| **Network Security**  | Cleartext traffic, pinning config, domains        |
| **File Analysis**     | Embedded keys, certs, sensitive resource files    |
| **CVSS Scoring**      | Severity ratings per finding                      |
| **OWASP Mapping**     | Each finding mapped to MASVS category             |

***

## Dynamic Analysis: Android

Dynamic analysis requires a real device or emulator with **root access**.

### Emulator Setup (Android-x86 / AVD)

Recommended: [Genymotion](https://www.genymotion.com/) or Android Studio AVD with a **non-Google Play** image (root accessible).

```bash theme={"dark"}
# Check MobSF detects the device
adb devices
```

### Start Dynamic Analysis

1. Upload and scan the APK (static scan must run first)

2. Click **"Start Dynamic Analysis"** in the report

3. MobSF installs the app and its instrumentation agent on the device

4. Interact with the app through the emulator while MobSF captures:
   * Network traffic (HTTP/HTTPS with SSL unpinning)
   * Filesystem reads/writes
   * Logcat output
   * Screenshot timeline
   * Exported activity/service invocations

5. Click **"Stop Analysis"** → MobSF generates a dynamic report

### Dynamic Report Covers

* Decrypted HTTPS traffic (via injected proxy)
* Files created/modified during runtime
* Sensitive data leaked to logs
* Exported component interactions
* Screenshot evidence

***

## mobsfscan: CI/CD Integration

Static analysis scanner for source code, usable in pipelines without the full MobSF server.

```bash theme={"dark"}
pip install mobsfscan

# Scan source directory
mobsfscan ./android-source/

# JSON output for pipeline parsing
mobsfscan --json -o results.json ./android-source/
```

GitHub Actions example:

```yaml theme={"dark"}
- name: MobSF Static Scan
  uses: MobSF/mobsfscan@main
  with:
    args: '. --json --output results.json'
```

***

## Useful API Endpoints

| Method | Endpoint                   | Description                    |
| ------ | -------------------------- | ------------------------------ |
| `POST` | `/api/v1/upload`           | Upload APK/IPA/APPX            |
| `POST` | `/api/v1/scan`             | Trigger scan on uploaded file  |
| `POST` | `/api/v1/report_json`      | Get full JSON report           |
| `POST` | `/api/v1/download_pdf`     | Download PDF report            |
| `GET`  | `/api/v1/scans`            | List all previous scans        |
| `POST` | `/api/v1/delete_scan`      | Delete scan by hash            |
| `POST` | `/api/v1/dynamic/get_apps` | List apps for dynamic analysis |

Full API docs: `http://localhost:8000/api_docs`

***

## Online Demo

No setup needed for quick static analysis:

**[mobsf.live](https://mobsf.live)**: upload and scan directly in browser.
