MobSF

Mobile Security Framework (MobSF) is an open-source, automated mobile application security testing tool with 20.3k GitHub stars and 3.6k forks.

GitHub: MobSF/Mobile-Security-Framework-MobSF | Latest Release: v4.4.5 (January 2026)

It performs static and dynamic analysis of Android, iOS, and Windows mobile applications.

MobSF is widely used by security researchers, penetration testers, and development teams who need a self-hosted mobile security solution without licensing costs.

What is MobSF?

MobSF is an all-in-one mobile application pen-testing, malware analysis, and security assessment framework.

Originally created as a research project, it has grown into one of the most popular open-source mobile security tools available.

The framework can analyze Android APK, AAB, iOS IPA, and Windows APPX files.

The tool runs as a web application that provides an intuitive interface for uploading and analyzing mobile apps.

Behind the scenes, it uses a combination of static analysis techniques, dynamic instrumentation, and pattern matching to identify security vulnerabilities.

Results are presented in a web dashboard and can be exported as PDF reports.

MobSF is bundled with several security-focused Linux distributions including BlackArch, Pentoo, and Android Tamer.

It is also available as a Docker image for easy deployment.

Key Features

Static Analysis

MobSF performs comprehensive static analysis on mobile application binaries.

For Android apps, it decompiles the APK to analyze Java/Kotlin source code, manifest files, and embedded resources.

For iOS apps, it analyzes the binary structure, Info.plist, and any embedded frameworks.

Static analysis checks include:

• Hardcoded credentials and API keys
• Insecure data storage patterns
• Weak cryptographic implementations
• Dangerous permission requests
• Exported components without protection
• SSL/TLS configuration issues

Dynamic Analysis

Dynamic analysis executes the application in a controlled environment to observe runtime behavior.

MobSF uses Frida for instrumentation, allowing it to hook into application functions and monitor activities such as:

• Network traffic and API calls
• File system operations
• Cryptographic function usage
• Sensitive data handling
• Runtime permission checks

Dynamic analysis requires additional setup with an emulator or physical device.

Malware Analysis

MobSF includes malware detection capabilities that identify known malicious patterns, suspicious behaviors, and indicators of compromise.

This makes it useful for analyzing potentially malicious applications submitted by users or downloaded from third-party sources.

REST API

The REST API enables integration with CI/CD pipelines and other security tools.

All functionality available through the web interface can be accessed programmatically.

Installation

Docker Installation (Recommended)

The simplest way to run MobSF is using Docker:

# Pull the latest image
docker pull opensecurity/mobile-security-framework-mobsf:latest

# Run MobSF
docker run -it --rm \
  -p 8000:8000 \
  opensecurity/mobile-security-framework-mobsf:latest

Access the web interface at http://localhost:8000.

Manual Installation

For development or customization, install from source:

# Clone repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Run setup
./setup.sh

# Start MobSF
./run.sh

Dynamic Analysis Setup

Dynamic analysis requires additional configuration:

# For Android dynamic analysis, start an emulator
emulator -avd Pixel_4_API_30 -writable-system

# Install Frida server on the device
adb push frida-server /data/local/tmp/
adb shell chmod 755 /data/local/tmp/frida-server
adb shell /data/local/tmp/frida-server &

Integration

GitHub Actions

name: MobSF Security Scan

on:
  push:
    branches: [main]

jobs:
  mobsf-scan:
    runs-on: ubuntu-latest
    services:
      mobsf:
        image: opensecurity/mobile-security-framework-mobsf:latest
        ports:
          - 8000:8000

    steps:
      - uses: actions/checkout@v4

      - name: Build APK
        run: ./gradlew assembleDebug

      - name: Wait for MobSF
        run: |
          until curl -s http://localhost:8000 > /dev/null; do
            sleep 2
          done

      - name: Upload and Scan
        run: |
          # Upload APK
          HASH=$(curl -F "file=@app/build/outputs/apk/debug/app-debug.apk" \
            http://localhost:8000/api/v1/upload \
            -H "Authorization: ${{ secrets.MOBSF_API_KEY }}" | jq -r '.hash')

          # Start scan
          curl -X POST http://localhost:8000/api/v1/scan \
            -H "Authorization: ${{ secrets.MOBSF_API_KEY }}" \
            -d "hash=$HASH"

          # Get JSON report
          curl -X POST http://localhost:8000/api/v1/report_json \
            -H "Authorization: ${{ secrets.MOBSF_API_KEY }}" \
            -d "hash=$HASH" > mobsf-report.json

      - name: Upload Report
        uses: actions/upload-artifact@v4
        with:
          name: mobsf-report
          path: mobsf-report.json

GitLab CI

mobsf-scan:
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_HOST: tcp://docker:2375
  script:
    - docker run -d -p 8000:8000 --name mobsf opensecurity/mobile-security-framework-mobsf:latest
    - sleep 30
    - |
      HASH=$(curl -F "[email protected]" \
        http://docker:8000/api/v1/upload \
        -H "Authorization: ${MOBSF_API_KEY}" | jq -r '.hash')
      curl -X POST http://docker:8000/api/v1/scan \
        -H "Authorization: ${MOBSF_API_KEY}" \
        -d "hash=$HASH"
  artifacts:
    paths:
      - mobsf-report.json

REST API Examples

# Get API key (first run)
curl http://localhost:8000/api/v1/api_key

# Upload application
curl -F "[email protected]" \
  -H "Authorization: YOUR_API_KEY" \
  http://localhost:8000/api/v1/upload

# Trigger static scan
curl -X POST \
  -H "Authorization: YOUR_API_KEY" \
  -d "hash=FILE_HASH" \
  http://localhost:8000/api/v1/scan

# Download PDF report
curl -X POST \
  -H "Authorization: YOUR_API_KEY" \
  -d "hash=FILE_HASH" \
  http://localhost:8000/api/v1/download_pdf \
  -o report.pdf

# Get JSON report for parsing
curl -X POST \
  -H "Authorization: YOUR_API_KEY" \
  -d "hash=FILE_HASH" \
  http://localhost:8000/api/v1/report_json

Configuration

MobSF can be configured through environment variables or the settings file:

# MobSF/settings.py

# Database configuration
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.sqlite3',
        'NAME': os.path.join(BASE_DIR, 'db.sqlite3'),
    }
}

# Proxy settings for dynamic analysis
PROXY_IP = '0.0.0.0'
PROXY_PORT = 1337

# VirtualBox settings for iOS analysis
VBOX_PATH = '/usr/bin/VBoxManage'

When to Use MobSF

MobSF is an excellent choice for teams that want a free, self-hosted mobile security testing solution.

Consider MobSF when:

• Budget constraints prevent using commercial tools
• You need full control over your security testing infrastructure
• Privacy requirements mandate on-premises analysis
• You want to integrate mobile security into existing open-source workflows
• Penetration testers need a comprehensive analysis environment

MobSF works well as a first-line defense in CI/CD pipelines, catching common vulnerabilities before they reach production.

For organizations requiring guaranteed SLAs, vendor support, or advanced features like continuous monitoring, commercial alternatives may be more appropriate.

The tool is actively maintained with regular updates adding new vulnerability checks and framework support.

Community contributions have made it one of the most feature-complete open-source options available.