Mobile-Security-Framework (MobSF) is a powerful automated tool for penetration testing mobile applications (Android/iOS/Windows). It can perform static analysis, dynamic analysis and malware analysis on these applications. MobSF also provides dynamic runtime testing with CapFuzz, a powerful security scanner.
Difficulty of dynamic analysis
During the static analysis of some APKs, we ran into difficulty performing dynamic analysis because the VM image runs Android 4.4, on which a lot of APKs cannot run properly. Below is an example that requires SDK 19 (Android 4.4) as a minimum version, but most of the app's features do not work properly. I need a way to run apps on versions higher than 4.4 that also works with MobSF.
Solution: Genymotion Android Emulator
To make this work I tried a lot of emulators. Genymotion is the easiest way to solve this problem, as it provides a range of rooted Android vbox images. Genymotion is an Android emulator that provides a fast, memory-efficient VM running Android. It also includes Google Play Services, which is a big convenience for Android developers doing device testing. It also provides a stable network and fixes a lot of bugs in Android. By default, Genymotion lets you choose from a list of Android images with rooted settings.
How to use Genymotion with MobSF
In theory it can act like the official MobSF vbox image. According to the MobSF documentation, Configuring Dynamic Analyzer, there are 4 ways to configure it. This time I will use method 3, which requires DEVICE_IP and DEVICE_ADB_PORT. I use Android 5.1 in this article.
In the VirtualBox tab of the settings, the path of the Genymotion vbox image is shown, and I can add it to my VirtualBox Manager.
In the VirtualBox Manager settings, click the network adapter; I found that it is using vboxnet2. I also get the proxy IP from vboxnet2 for intercepting traffic. Right-clicking the image and choosing Show in Finder takes me to the image folder.
Now start the image from VirtualBox Manager to get the DEVICE_IP. Shut it down and use Genymotion to start it again.
We need to enable Developer options in order to turn on USB debugging, and enable Unknown sources under Security.
We are ready to MobSFy the VM.
Clone MobSF from GitHub, navigate to Mobile-Security-Framework-MobSF/scripts/, run python mobsfy.py and choose DEVICE, >=5; MobSF will then install all its tools on the VM. Install the Framework and reboot the image. Manually restart the VM when it asks you to reboot.
After the reboot, open Xposed Installer and enable all modules. Restart the emulator again. The final step is to go to Mobile-Security-Framework-MobSF/MobSF/, edit settings.py, set ANDROID_DYNAMIC_ANALYZER = "MobSF_REAL_DEVICE" and enter DEVICE_IP and DEVICE_ADB_PORT. Also set PROXY_IP to the address you found before; the proxy port is 1337. You are now ready to run the Dynamic Analyzer.
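A pre-flight check for the settings.py values from the last step, as an added example that is not part of the original post or of MobSF: it reads the four settings named above without executing the file and flags values that would leave the analyzer or the traffic proxy pointed at the wrong host. The function names, the sample addresses and the assumption that the host-only network is a /24 are assumptions of this example.

```python
import ast
import ipaddress

# Setting names are the ones the article edits in MobSF/settings.py.
REQUIRED = ("ANDROID_DYNAMIC_ANALYZER", "DEVICE_IP", "DEVICE_ADB_PORT", "PROXY_IP")


def read_settings(source):
    """Collect literal NAME = value assignments without executing the file."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id in REQUIRED:
                    found[target.id] = node.value.value
    return found


def check_settings(source, prefix=24):
    """Return a list of problems; an empty list means the values are coherent."""
    cfg = read_settings(source)
    problems = [f"{key} is not set" for key in REQUIRED if key not in cfg]
    if problems:
        return problems
    if cfg["ANDROID_DYNAMIC_ANALYZER"] != "MobSF_REAL_DEVICE":
        problems.append("ANDROID_DYNAMIC_ANALYZER must be MobSF_REAL_DEVICE")
    port = cfg["DEVICE_ADB_PORT"]
    if type(port) is not int or not 0 < port < 65536:
        problems.append("DEVICE_ADB_PORT must be an integer TCP port")
    try:
        device = ipaddress.ip_address(cfg["DEVICE_IP"])
        proxy = ipaddress.ip_address(cfg["PROXY_IP"])
    except ValueError as exc:
        return problems + [f"bad IP address: {exc}"]
    # Assumption: the host-only network (vboxnet2 in the article) is a /24.
    net = ipaddress.ip_network(f"{proxy}/{prefix}", strict=False)
    if device == proxy:
        problems.append("DEVICE_IP and PROXY_IP must differ")
    elif device not in net:
        problems.append(f"DEVICE_IP {device} is outside the proxy network {net}")
    return problems


# Constructed sample values, not taken from the article.
SAMPLE = '''
ANDROID_DYNAMIC_ANALYZER = "MobSF_REAL_DEVICE"
DEVICE_IP = '192.168.58.101'
DEVICE_ADB_PORT = 5555
PROXY_IP = '192.168.58.1'
'''
```

Run `check_settings(open("settings.py").read())` before starting a scan; an empty list means the four values agree with each other, not that the VM is reachable.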
How to keep running the same image
The benefit of the official image is that it is restored every time before the VM runs. We cannot do this automatically, but we can take a SNAPSHOT after finishing the settings above. Every time we want to perform a new test, we manually restore the image.
Side note: how to transfer files between Android VM and the host
Sometimes we want to transfer files from Android for further investigation; we can do this by mounting a shared drive.
For the device created in Genymotion, there is an image in VirtualBox. So in VirtualBox, we choose the VM (in our case, a Samsung Galaxy image), click Settings, choose “Shared Folders”, then add the path of the shared folder on the host.
In the VM, we can then copy the files and transfer them to the host.
MobSF is a very useful tool for penetration testing mobile applications. Combined with the Genymotion emulator, we can penetration test APKs for the latest Android versions. You can also use snapshots to control the image and reuse it for every new app.