
Static Analysis of Android Mobile Applications — MobSF Manual

Static analysis is one of the stages of testing a mobile application. According to Hacken pentesters, the most convenient open source framework for it is MobSF. Using this framework, we will show how static analysis of an Android application is performed; note that static analysis does not require running any of the application's functions.


Basic Information about MobSF  

MobSF performs static analysis of Android, Apple iOS, and Windows Phone applications, as well as dynamic analysis, which is available for Android applications only.

The Process of Testing

Step 1

After installing MobSF, run the following commands to start the server (using drive D as an example):

    d:
    cd .\MobSF\
    python .\manage.py runserver

Then open http://127.0.0.1:8000 to reach the main page. There are not many functions here:

  • file upload

  • view previous scan reports

  • transition to API documentation

  • transition to GitHub project

[Fig. 1: Android static analysis]

Step 2

After the file has been uploaded and analyzed, a page with the analysis results appears. A menu on the left lets you navigate quickly across the entire page (the result is quite voluminous). The screenshot shows the useful information:

  • the application hash sum;

  • the supported Android OS versions;

  • the number and type of components (exported or not); this is important, as exported components can lead to critical vulnerabilities;

  • the ability to view and download the Java and smali files, which can be analyzed either by other tools or manually;

  • the manifest file, available for review.

[Fig. 2: Android static analysis]

Fig. 3 shows the information about the certificate used to sign the application.

[Fig. 3: Android static analysis]

Step 3

Next we can view the permissions analysis, which covers the permissions declared in the AndroidManifest.xml file. MobSF lists the permissions of the Android application, rates the criticality of each one, and gives its description. Here you need to understand the architecture of the Android OS to assess the actual criticality of each permission.

[Fig. 4: Android static analysis]
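The two manifest checks discussed above (exported components and requested permissions) reduced to a short script, as an added example that is not part of the article or of MobSF itself. The manifest is a constructed sample; the script applies the pre-Android 12 rule that a component with an intent-filter and no android:exported attribute is exported, and does not handle the older content-provider default.

```python
# Added example (not from the article or from MobSF): a minimal version of the
# manifest checks MobSF reports. It lists requested permissions and flags
# components reachable by other apps: android:exported="true", or an unset
# android:exported on a component that declares an <intent-filter> (the
# default before Android 12, where exported must be set explicitly).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for demonstration; not a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.provider"/>
  </application>
</manifest>"""


def list_permissions(manifest_xml):
    """Return the permission names the app requests, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]


def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies exported."""
    exported = component.get(ANDROID_NS + "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return (tag, name) for every component another app can reach."""
    app = ET.fromstring(manifest_xml).find("application")
    return [(c.tag, c.get(ANDROID_NS + "name"))
            for c in app if c.tag in COMPONENT_TAGS and is_exported(c)]


if __name__ == "__main__":
    print("permissions:", list_permissions(SAMPLE_MANIFEST))
    for tag, name in exported_components(SAMPLE_MANIFEST):
        print("exported", tag, name)
```

Every component the script flags is a candidate for manual review, exactly as the MobSF component count is: being exported is a risk indicator, not a vulnerability by itself.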

The Security Analysis --> Code Analysis tab shows the results of the static analyzer's scan of the Java code. It identifies potential vulnerabilities, rates their severity, and lists the files in which each type of vulnerability was found. These results may contain false positives, so every finding needs to be verified manually.

[Fig. 5: Android static analysis]

The next tab shows the results of checking the file with the virustotal.com service. In this case, the file was not flagged as malicious.

[Fig. 6: Android static analysis]

The URLs tab lists the URLs and IP addresses found in the application together with the files in which they are stored or called. This section shows where the Android app sends data and where it stores information.

[Fig. 7: Android static analysis]

The “Strings” tab shows the strings extracted from the text files in the res directory. When analyzing an application, these files may contain hard-coded accounts and other sensitive data. In this case, however, we did not encounter such a problem.

[Fig. 8: Android static analysis]

The “Components” tab displays the complete list of components (activities, services, content providers, and receivers), the imported libraries, and the files without a recognized extension.

[Fig. 9: Android static analysis]


Step 4

Additionally, the source code can be analyzed with the VCG static analyzer. VCG needs the source code, which can be downloaded via the Download Java Code button; it is delivered as a zip archive.

[Fig. 10: Android static analysis]

The next step is to extract the folder with the files from the archive.

[Fig. 11: Android static analysis]

Source code scanning is performed as follows:

  1. In the “Settings” tab, select “Java” — Fig. 12.

  2. In the “File” tab, select “New Target Directory” — Fig. 13.

  3. In the “Scan” tab, select “Full scan” — Fig. 14.

[Fig. 12: Android static analysis]

[Fig. 13: Android static analysis]

[Fig. 14: Android static analysis]

Step 5

After the scan is completed, the scanner reports the name of each vulnerability, its criticality, a brief description, and its location in the source code.

[Fig. 15: Android static analysis]

You can get a complete list of vulnerabilities and sort them by criticality.

[Fig. 16: Android static analysis]

Conclusion

Static analysis of the application and its source code provides a basic understanding of the Android application's architecture and of the potential attack vectors. According to the methodology used at Hacken, every pentest of a client's application starts with static analysis. In the next article, we will explain how to conduct dynamic analysis with MobSF.
