A lesser-known feature of the Mobile Security Framework scanner, MobSF from https://opensecurity.in/, is its ability to scan a whole folder of APK files in one go. Most users who only target a single app never need this, but if you're assessing the security of a device you may have to look at every piece of software on it, from the firmware to the apps loaded onto it. With many IoT devices using Android as a base OS, I regularly need to pull a series of apps off a device and triage them quickly in a search for low-hanging fruit.
Pick your target device (your own Android phone will do), enable USB debugging on it and connect it over USB. Accept the RSA key prompt on the device the first time adb connects.
Ensure ADB is installed; `adb devices` should then list the device.
apt-get install adb           # Debian/Ubuntu
yum install android-tools     # RHEL/CentOS/Fedora
Install MobSF
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF
cd Mobile-Security-Framework-MobSF
./setup.sh
Start MobSF
./run.sh
Note the host:port it listens on and the REST API key printed in the startup output; we'll need both later.
Gather APKs
There are many ways to get APKs off an Android device, but this loop has always worked well for me. It pulls each package's base APK and saves it under the package name instead of base.apk, which helps when you're assessing an entire device. (On newer devices `pm path` also lists split APKs; `head -n1` keeps just base.apk, and `tr -d '\r'` removes the carriage returns some adb builds leave on shell output.)
for i in $(adb shell pm list packages | tr -d '\r' | awk -F':' '{print $2}'); do
  adb pull "$(adb shell pm path "$i" | tr -d '\r' | awk -F':' '{print $2}' | head -n1)" "$i.apk"
done
This should give you a folder full of APKs ready for analysis. You may want to remove the stock Android and Google packages first: they have already been reviewed heavily and mostly add noise. Next we'll turn our attention to a script shipped with MobSF:
Mobile-Security-Framework-MobSF/scripts/mass_static_analysis.py
https://mobsf.github.io/docs/#/extras?id=mass-static-analysis
Run this tool with -d pointing at the folder of APKs, -s the host:port of the MobSF server, and -k the API key we noted earlier.
./mass_static_analysis.py -d /path/to/apks -s 127.0.0.1:8000 -k <rest_api_key>
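The whole procedure above, gathering the APKs and then handing the folder to MobSF, as one script. This is an added example, not code from the original post or from MobSF itself. It improves on the one-liner in two ways a practitioner wants on a real device: it pulls split APKs as well as base.apk, and it filters out stock packages by name rather than with `pm list packages -3`, because on IoT devices the vendor's own apps are usually installed as system apps and would otherwise be skipped. The names SKIP_REGEX, MOBSF_DIR, MOBSF_SERVER and MOBSF_API_KEY are this script's own settings, not MobSF options; the package list in the comments is constructed for illustration.

```shell
#!/bin/bash
# Added example, not code from the original post or from MobSF: pull every
# APK off a connected device, skip stock packages, then hand the folder to
# MobSF's mass_static_analysis.py. SKIP_REGEX, MOBSF_DIR, MOBSF_SERVER and
# MOBSF_API_KEY are assumed settings of this script, not MobSF options.
set -eu

# Package names treated as "heavily reviewed" and skipped by default
# (illustrative; extend with the vendor prefixes you do not care about).
SKIP_REGEX='^(android$|com\.android\.|com\.google\.android\.)'
MOBSF_DIR="${MOBSF_DIR:-$HOME/Mobile-Security-Framework-MobSF}"   # git clone location
MOBSF_SERVER="${MOBSF_SERVER:-127.0.0.1:8000}"                      # address run.sh printed
MOBSF_API_KEY="${MOBSF_API_KEY:-}"                                  # REST API key from startup

# parse_pm_list: read `pm list packages -f` output on stdin and emit
# "<apk path><TAB><package name>" lines. CRs are stripped because some adb
# builds leave them at line ends, and the split is on the LAST "=" because
# Android 11+ install paths such as /data/app/~~AbC==/pkg-Xyz==/base.apk
# contain "=" padding themselves.
parse_pm_list() {
  tr -d '\r' | awk '
    /^package:/ {
      line = substr($0, 9)
      if (match(line, /=[^=]*$/))
        print substr(line, 1, RSTART - 1) "\t" substr(line, RSTART + 1)
    }'
}

# filter_user_packages: drop lines whose package name matches SKIP_REGEX.
# The regex is passed through the environment so awk does not reprocess
# its backslashes the way `-v` would.
filter_user_packages() {
  SKIP_REGEX="$SKIP_REGEX" awk -F'\t' '$2 !~ ENVIRON["SKIP_REGEX"]'
}

# apk_output_name: local file name for one APK of a package, so base.apk
# and split_config.*.apk from the same package do not overwrite each other.
apk_output_name() {
  printf '%s.%s\n' "$1" "$(basename "$2")"
}

# pull_apks: list installed packages, filter, and pull every APK (base and
# splits) of each remaining package into $1.
pull_apks() {
  outdir="$1"
  mkdir -p "$outdir"
  adb shell pm list packages -f | parse_pm_list | filter_user_packages |
  while IFS="$(printf '\t')" read -r path pkg; do
    # `pm list -f` reports base.apk only; `pm path` also lists split APKs.
    adb shell pm path "$pkg" | tr -d '\r' | sed -n 's/^package://p' |
    while read -r apk; do
      adb pull "$apk" "$outdir/$(apk_output_name "$pkg" "$apk")"
    done
  done
}

# scan_apks: submit the folder to a running MobSF instance using the
# mass_static_analysis.py script shipped in the MobSF checkout.
scan_apks() {
  [ -n "$MOBSF_API_KEY" ] || { echo "set MOBSF_API_KEY first" >&2; return 1; }
  python3 "$MOBSF_DIR/scripts/mass_static_analysis.py" \
    -d "$1" -s "$MOBSF_SERVER" -k "$MOBSF_API_KEY"
}

# Usage: MOBSF_API_KEY=... bash pull_and_scan.sh run ./apks
# With no arguments the file only defines the functions (handy for sourcing).
if [ "${1:-}" = "run" ]; then
  pull_apks "${2:-apks}"
  scan_apks "${2:-apks}"
fi
```

Sample `pm list packages -f` output looks like `package:/system/priv-app/Settings/Settings.apk=com.android.settings`; run `adb shell pm list packages -f | head` on your device first and check that every vendor package you care about survives `filter_user_packages` before you trust the skip list.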
Review the results within MobSF…
draw the rest of the owl…
This is only a small piece of device security, but in this guide we briefly went over performing static analysis on the apps within an Android device. The approach is largely automated and a great place to start your user-level static analysis.
Further learning:
https://mobile-security.gitbook.io/mobile-security-testing-guide/
https://mobsf.github.io/docs/#/extras?id=mass-static-analysis