Static Analysis of iOS IPA/Source Code Using MobSF — Penetration/Pen Testing

Sachin Khard
2 min read · Jan 5, 2024

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.

Ref — https://github.com/MobSF/Mobile-Security-Framework-MobSF

This tutorial covers MobSF installation on macOS systems.

Step 1: Clone the MobSF repository (there is no separate installer; the setup script lives in the repo)

Open Terminal, change into whatever directory you want to keep MobSF in, and run:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git

Step 2: Change into the cloned directory

cd Mobile-Security-Framework-MobSF

Step 3: Run the setup script

./setup.sh

If you get an error like this:

[ERROR] MobSF dependencies require Python 3.10/3.11. You have Python version 3.9.6 or python3 points to Python 3.9.6.

install Python 3.10 or 3.11 (the versions named in the error) from https://www.python.org/downloads/macos/

Quit Terminal and open it again so the new interpreter is picked up on your PATH, then check which Python `python3` now resolves to:

python3 --version

If the reported version is one the error message asks for, run Step 3 again.

Step 4: After the setup finishes, start MobSF with the command below. Binding to 127.0.0.1 keeps the web UI reachable only from this machine, which is what you want when you are uploading client IPAs.

./run.sh 127.0.0.1:8000
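Steps 1 to 4 as one script, added here as an example; it is not part of the original post or of the MobSF project. It wraps the four commands above and adds the Python-version check up front, so the `setup.sh` failure described above is caught before anything is installed. The install location (`MOBSF_DIR`), the bind address variable and the `python_version_ok` helper are this script's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from MobSF): preflight + install + run for macOS.
set -eu

MOBSF_REPO="https://github.com/MobSF/Mobile-Security-Framework-MobSF.git"
MOBSF_DIR="${MOBSF_DIR:-$HOME/Mobile-Security-Framework-MobSF}"   # assumed checkout location
MOBSF_BIND="${MOBSF_BIND:-127.0.0.1:8000}"                        # loopback only by default

# Return 0 if a "python3 --version" string names a release setup.sh accepts (3.10 or 3.11).
python_version_ok() {
    ver="${1#Python }"        # "Python 3.11.6" -> "3.11.6"
    major="${ver%%.*}"        # "3"
    rest="${ver#*.}"          # "11.6"
    minor="${rest%%.*}"       # "11"
    [ "$major" = "3" ] && { [ "$minor" = "10" ] || [ "$minor" = "11" ]; }
}

# Check the interpreter setup.sh will see before touching the repo.
preflight() {
    py="${PYTHON:-python3}"
    ver="$("$py" --version 2>&1)"
    if ! python_version_ok "$ver"; then
        echo "[ERROR] $(command -v "$py") reports '$ver'; setup.sh wants Python 3.10 or 3.11." >&2
        echo "        Install one from https://www.python.org/downloads/macos/, open a new Terminal, re-run." >&2
        return 1
    fi
    echo "[OK] $(command -v "$py") is $ver"
}

install_mobsf() {
    preflight
    if [ ! -d "$MOBSF_DIR/.git" ]; then
        git clone "$MOBSF_REPO" "$MOBSF_DIR"    # Step 1
    fi
    cd "$MOBSF_DIR"                             # Step 2
    ./setup.sh                                  # Step 3
}

run_mobsf() {
    cd "$MOBSF_DIR"
    ./run.sh "$MOBSF_BIND"                      # Step 4
}

# Only act when told to; with no argument the helpers are just defined.
case "${1:-}" in
    install) install_mobsf ;;
    run)     run_mobsf ;;
    *)       echo "usage: $0 install | run" >&2 ;;
esac
```

Run it as `sh mobsf-setup.sh install` once, then `sh mobsf-setup.sh run` each time you want the server. The version check mirrors what `setup.sh` enforces; if you are on a machine with several Pythons, set `PYTHON=/Library/Frameworks/Python.framework/Versions/3.11/bin/python3` (or wherever your 3.10/3.11 lives) before running it.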

Now you can access MobSF by browsing to http://localhost:8000/, as in the screenshot below.

Now upload your IPA file, or a zip of the app's source code, for static analysis. Note that an IPA pulled straight from the App Store is FairPlay-encrypted, so binary-level checks on it will find little; use a development build or a decrypted IPA where you can.
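The same upload-and-scan flow driven over the REST API that the introduction mentions, which is how you would hook MobSF into CI rather than clicking through the web UI. This is an added example, not code from the post or from MobSF. It assumes MobSF is listening on 127.0.0.1:8000 and that `MOBSF_API_KEY` holds the key MobSF prints at startup (also shown at http://localhost:8000/api_docs); the `extract_hash` helper and the sample JSON it is tested against are constructed here.

```shell
#!/bin/sh
# Added example (not from the post or from MobSF): static scan of an IPA via the REST API.
set -eu

MOBSF_URL="${MOBSF_URL:-http://127.0.0.1:8000}"

# Pull the "hash" field out of the JSON that /api/v1/upload returns, without needing jq.
# Constructed sample of that response shape:
#   {"analyzer": "static_analyzer", "status": "success", "hash": "<32 hex>", "scan_type": "ipa", "file_name": "app.ipa"}
extract_hash() {
    printf '%s\n' "$1" | sed -n 's/.*"hash": *"\([0-9a-f]\{32\}\)".*/\1/p'
}

# usage: mobsf_scan path/to/app.ipa  -> prints the scan hash, writes <hash>.json
mobsf_scan() {
    ipa="$1"
    [ -n "${MOBSF_API_KEY:-}" ] || { echo "set MOBSF_API_KEY to the key MobSF printed at startup" >&2; return 1; }
    [ -f "$ipa" ] || { echo "no such file: $ipa" >&2; return 1; }

    # 1. Upload the binary; MobSF answers with JSON containing the file hash.
    resp="$(curl -sS -H "Authorization: ${MOBSF_API_KEY}" -F "file=@${ipa}" "${MOBSF_URL}/api/v1/upload")"
    hash="$(extract_hash "$resp")"
    [ -n "$hash" ] || { echo "upload failed: $resp" >&2; return 1; }

    # 2. Run the static analyzer on it. Recent releases take only the hash;
    #    older ones also wanted scan_type=ipa and file_name=<name> in the POST body.
    curl -sS -X POST -H "Authorization: ${MOBSF_API_KEY}" -d "hash=${hash}" \
        "${MOBSF_URL}/api/v1/scan" > /dev/null

    # 3. Fetch the JSON report for triage (or /api/v1/download_pdf for the PDF).
    curl -sS -X POST -H "Authorization: ${MOBSF_API_KEY}" -d "hash=${hash}" \
        "${MOBSF_URL}/api/v1/report_json" -o "${hash}.json"

    echo "$hash"
}

case "${1:-}" in
    "") echo "usage: MOBSF_API_KEY=... $0 path/to/app.ipa" >&2 ;;
    *)  mobsf_scan "$1" ;;
esac
```

The API key is a bearer secret for everything uploaded to that MobSF instance, so pass it through the environment as above rather than putting it on the command line where `ps` and shell history can see it, and keep the server bound to loopback unless you have put authentication and TLS in front of it.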

The tool produces a report listing the issues it detected in the application. Treat it as a starting point, not a verdict: a security analyst needs to verify each finding, discard the false positives, and follow up by hand on anything a static scan cannot decide, such as runtime behaviour or server-side checks.

MobSF is a versatile tool and gives the analysis of a mobile application a quick start.
