MobSF (Mobile Security Framework) performs static analysis to evaluate the security of mobile applications without executing them. Static analysis in MobSF entails examining the app’s source code, decompiled code, or binary for security vulnerabilities, privacy issues, and best practices violations. Below are the types of testing it covers during static analysis:

1. Code Review and Analysis

  • Source Code Analysis: If source code is available, MobSF inspects it for insecure coding practices, such as:
    • Hardcoded credentials or sensitive data.
    • Weak cryptographic implementations.
    • Insecure use of APIs.
  • Decompiled Code Analysis: For APK (Android) or IPA (iOS) files, it decompiles the binary to analyze the code for vulnerabilities.

2. Manifest and Configuration Analysis

  • Examines Android AndroidManifest.xml or iOS configuration files (e.g., Info.plist) for misconfigurations such as:
    • Overly permissive permissions.
    • Exported activities, services, or receivers.
    • Insecure settings like debuggable mode enabled.
    • Weak or missing intents filtering.

3. API Key and Secrets Detection

  • Identifies hardcoded API keys, tokens, or credentials in the code or resources.

4. Insecure Permissions Testing

  • Checks the app’s requested permissions against its functionality to detect unnecessary or over-privileged permissions.

5. Cryptographic Analysis

  • Evaluates the use of cryptographic functions for:
    • Weak algorithms (e.g., MD5, SHA-1).
    • Improper key management or key sizes.
    • Hardcoded cryptographic keys.

6. Third-Party Library and Dependency Analysis

  • Identifies third-party libraries used in the app and checks for:
    • Known vulnerabilities (using CVE databases or similar).
    • Obsolete or deprecated libraries.

7. Data Leakage and Privacy Issues

  • Detects insecure data handling, such as:
    • Logging sensitive information.
    • Storing sensitive data in insecure locations (e.g., shared preferences, external storage).
    • Exposed databases or files.

8. Malware Analysis

  • Scans the app for patterns or signatures of malicious behavior, such as:
    • Embedded malicious payloads.
    • Suspicious behavior or functions.

9. Certificate and Network Security

  • Reviews the app’s SSL/TLS configuration for:
    • Certificate pinning implementation.
    • Use of self-signed or invalid certificates.
  • Flags insecure HTTP communication or hardcoded endpoints.

10. Resource Analysis

  • Inspects resources (e.g., images, strings, layouts) for:
    • Sensitive data leakage.
    • Hidden functionality or backdoors.
  • Checks for unnecessary large files or binary blobs.

11. Obfuscation and Code Protection

  • Evaluates the level of obfuscation to determine how well the app is protected against reverse engineering.
  • Identifies the absence of code obfuscation (e.g., ProGuard or R8).

12. Static Binary Analysis

  • For binary files, it examines:
    • Structure of the app’s package.
    • File permissions and integrity.
    • Embedded or extracted executables for potential threats.

13. SMALI Code Analysis (Android)

  • For Android apps, MobSF analyzes the decompiled SMALI code for:
    • Vulnerabilities at the bytecode level.
    • Hidden or unauthorized functionality.

14. GDPR and Compliance Checks

  • Reviews privacy and data handling practices to identify potential violations of compliance standards like GDPR.