As you can see, the interface is a simple Python-based web page. All of the analysis is performed under the hood at the app upload stage. The framework then generates the results page shown in the screenshot above. It contains all the information about the analysed application, split into categories that correspond to the areas in which the app was analysed. As you can see, the main menu also contains the Download Report and Start Dynamic Analysis buttons. The first generates a PDF report containing all of the results displayed on the web page. Start Dynamic Analysis opens a page that hosts an emulator.
Unfortunately, the emulator still has some issues and is hard to run. I hope that this feature will soon be fixed - the future looks very promising.
It is also worth mentioning that the main dashboard contains links to the API documentation and to the history page. The history page lists recent scans and their results, which can be explored easily thanks to the built-in search engine.
- Easy to install - based on a Docker container;
- Easy to integrate with existing CI/CD stack using the integrated API;
- Extensive graphic interface;
- Comprehensive, multi-layer analysis including app decompilation;
- Ready to analyse security on multiple mobile platforms - Android, iOS, and even Windows;
- Can perform manual tests directly on the analysed app using the built-in emulator/simulator;
- Can compare analysis results thanks to the historical results stored by the framework;
- Can generate and download reports in PDF;
- Can emulate system events, manage system processes or analyse files on the device using the integrated emulator;
- Is under active development;
- Based on well-tested tools like apktool and Dex2jar;
- Can generate results in JSON.
- Missing access management features;
- The framework is still in beta;
- The Android emulator is hard to run.
Certainly, MobSF is a very powerful and comprehensive tool. Additionally, as the only one of the tools discussed, MobSF has an extensive graphical interface, which makes it more user friendly. Thanks to these aspects the tool is a perfect fit for fast analysis of mobile apps or regression tests. Moreover, thanks to the easy installation and integrated Web API, the tool can also be incorporated into your current CI/CD stack. In my opinion, it is a great tool that will fit perfectly into many existing processes thanks to its flexibility. I hope that the tool will continue to be developed and improved.
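As an added illustration of the CI/CD integration mentioned above (my example, not code from the article or from the MobSF project): a small client that drives MobSF's REST API with only the Python standard library, then turns the JSON report into a pass/fail verdict that a pipeline can act on and saves the PDF report as a build artifact. The endpoint paths, the `Authorization: <API key>` header, the form fields and the `severity` field the gate looks for are assumptions drawn from MobSF's own `/api_docs` page and report format at the time of writing; confirm them against the MobSF version you deploy.

```python
# Assumptions (not from the original article): the endpoints /api/v1/upload, /api/v1/scan,
# /api/v1/report_json and /api/v1/download_pdf with an `Authorization: <API key>` header,
# as listed at /api_docs on a running MobSF instance. Verify against the version you deploy.
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid


def http_post(url, headers, body):
    # Default transport: one HTTP POST, returns (status code, response bytes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=900) as resp:
        return resp.status, resp.read()


def build_multipart(field, filename, data):
    """Hand-build a multipart/form-data body so no third-party HTTP library is needed."""
    boundary = uuid.uuid4().hex
    body = (
        b"--" + boundary.encode() + b"\r\n"
        + b'Content-Disposition: form-data; name="' + field.encode()
        + b'"; filename="' + filename.encode() + b'"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n" + data
        + b"\r\n--" + boundary.encode() + b"--\r\n"
    )
    return "multipart/form-data; boundary=" + boundary, body


class MobSFClient:
    def __init__(self, base_url, api_key, transport=http_post):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport  # injectable, so the client can be exercised offline

    def _post(self, path, content_type, body):
        headers = {"Authorization": self.api_key, "Content-Type": content_type}
        status, raw = self.transport(self.base_url + path, headers, body)
        if status != 200:
            raise RuntimeError(f"MobSF {path} returned HTTP {status}")
        return raw

    def _form(self, path, fields, parse=True):
        body = urllib.parse.urlencode(fields).encode()
        raw = self._post(path, "application/x-www-form-urlencoded", body)
        return json.loads(raw) if parse else raw

    def upload(self, filename, data):
        ctype, body = build_multipart("file", filename, data)
        return json.loads(self._post("/api/v1/upload", ctype, body))

    def scan(self, upload):
        # scan_type, file_name and hash are echoed back from the upload response
        return self._form("/api/v1/scan", {k: upload[k] for k in ("scan_type", "file_name", "hash")})

    def report_json(self, file_hash):
        return self._form("/api/v1/report_json", {"hash": file_hash})

    def download_pdf(self, file_hash):
        return self._form("/api/v1/download_pdf", {"hash": file_hash}, parse=False)


def count_by_severity(node, counts=None):
    """Tally every object in the report carrying a `severity` string (high/warning/info...).
    The JSON layout has changed between MobSF releases, so walk the whole document rather
    than hard-code a section name (assumption: findings expose a `severity` field)."""
    counts = {} if counts is None else counts
    if isinstance(node, dict):
        sev = node.get("severity")
        if isinstance(sev, str):
            counts[sev.lower()] = counts.get(sev.lower(), 0) + 1
        for value in node.values():
            count_by_severity(value, counts)
    elif isinstance(node, list):
        for value in node:
            count_by_severity(value, counts)
    return counts


def ci_gate(report, fail_on=("high",)):
    """Return (passed, counts): the build fails if any blocking severity is present."""
    counts = count_by_severity(report)
    return all(counts.get(sev, 0) == 0 for sev in fail_on), counts


def run_scan(client, filename, data):
    """Upload -> scan -> JSON report; returns (file hash, parsed report)."""
    upload = client.upload(filename, data)
    client.scan(upload)
    return upload["hash"], client.report_json(upload["hash"])


if __name__ == "__main__":  # MOBSF_URL=http://mobsf:8000 MOBSF_API_KEY=... python mobsf_gate.py app.apk
    apk = sys.argv[1]
    client = MobSFClient(os.environ["MOBSF_URL"], os.environ["MOBSF_API_KEY"])
    with open(apk, "rb") as fh:
        file_hash, report = run_scan(client, os.path.basename(apk), fh.read())
    with open(os.path.splitext(apk)[0] + "-mobsf.pdf", "wb") as fh:
        fh.write(client.download_pdf(file_hash))  # keep the PDF report as a build artifact
    passed, counts = ci_gate(report)
    print("MobSF severity counts:", counts)
    sys.exit(0 if passed else 1)
```

Run it as a pipeline step with `MOBSF_URL` and `MOBSF_API_KEY` set; a non-zero exit code on any `high` finding is what makes the build fail, and the PDF next to the APK is the artifact reviewers open. The `transport` argument is there so the client can be driven by a fake or recorded transport in tests, without a MobSF instance on the network; widen `fail_on` (for example to `("high", "warning")`) once the baseline is clean.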
After conducting our reviews of several tools suggested by OWASP, we decided to choose two tools: QARK and MobSF. In our opinion they are the best in terms of functionality. Both of them also meet our secondary goal - they are easy to integrate with existing stacks. Due to these aspects, we will conduct a test implementation of both tools in our team. The tests will allow us to collect more information about which of them is more suitable for our needs. After the tests, we will select one tool and publish a short case study about our conclusions.