HackingLab customized edition of the Mobile Security Framework (MobSF)
Top-level contents of the repository:

  • APITester
  • DynamicAnalyzer
  • LICENSES
  • MalwareAnalyzer
  • MobSF
  • StaticAnalyzer
  • static
  • templates
  • .checkignore
  • .gitignore
  • LICENSE
  • README.md
  • clean.sh
  • manage.py
  • mass_static_analysis.py
  • mobsfy.py
  • requirements.txt


Mobile-Security-Framework (HackingLab customized MobSF)

Version: v0.9.2 beta

Feature overview:

  • 1. Static and dynamic analysis of Android APKs (dynamic analysis can run either in the VirtualBox VM provided by the upstream Mobile Security Framework project or on the user's own phone; the phone needs USB debugging enabled and the corresponding test agent installed)
  • 2. Static analysis of iOS applications (requires macOS)

Features (from the upstream project):

  • MobSF is an intelligent, all-in-one testing framework for mobile apps (Android/iOS). It accepts Android/iOS application binaries as well as zipped source code.
  • Static analysis: inspects the source code and detects insecure permissions and configuration, insecure SSL handling in code (overridden or bypassed certificate checks), weak cryptographic algorithms, code obfuscation, imported permissions, hardcoded keys, improper or dangerous API usage, sensitive-information leakage, insecure file storage, and more.
  • Dynamic analysis: runs the app in a VM or on a configured device and tests it while it runs. This gives a deeper view of the app, including network capture, decrypted HTTPS traffic, app dumps, logs, errors, crashes, debug information, call stacks, app resources, properties, databases, and so on. Within the framework you can also define your own test rules. At the end a concise test report is generated. Going forward the framework is planned to be extended to other mobile platforms such as Tizen and Windows Phone.
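
The static checks listed above (manifest permissions and configuration, insecure SSL handling, weak ciphers, hardcoded secrets, world-readable storage) are rule-driven. The following is an added example written for this page, not MobSF's own analyzer: it runs a manifest pass and a regex rule pass over a constructed manifest and a constructed piece of decompiled Java. The package name, rule set and severities are illustrative assumptions, and a real analyzer would use many more rules.

```python
"""Added example (not MobSF's own code): a minimal static-analysis pass of the
kind MobSF runs over an unpacked APK. It checks AndroidManifest.xml for risky
settings and unprotected exported components, then runs regex rules over
decompiled Java. The manifest and source below are constructed for the demo."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical app, not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <receiver android:name=".SmsReceiver" android:exported="true"
              android:permission="android.permission.BROADCAST_SMS"/>
  </application>
</manifest>"""

# Constructed sample of decompiled Java containing several bad patterns.
SAMPLE_JAVA = """
public class NetUtil {
    static final String API_KEY = "AKIAEXAMPLEKEY123456";
    TrustManager tm = new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] c, String a) {}
    };
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
    SharedPreferences p = getSharedPreferences("cfg", Context.MODE_WORLD_READABLE);
}
"""

# Illustrative subset of Android's dangerous-protection-level permissions.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}

# (rule id, severity, regex over source text); severities are assumptions.
CODE_RULES = [
    ("empty_trust_manager", "high",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}")),
    ("allow_all_hostname_verifier", "high",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("weak_cipher", "high",
     re.compile(r'Cipher\.getInstance\(\s*"(DES|RC4|RC2|Blowfish|AES/ECB)')),
    ("world_readable_file", "high",
     re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)")),
    ("hardcoded_secret", "warning",
     re.compile(r'(?i)(api[_-]?key|secret|password)\s*=\s*"[^"]{8,}"')),
]


def analyze_manifest(xml_text):
    """Return (rule, severity, detail) findings from the manifest."""
    findings = []
    root = ET.fromstring(xml_text)
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in DANGEROUS_PERMISSIONS:
            findings.append(("dangerous_permission", "info", name))
    app = root.find("application")
    if app is not None:
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append(("debuggable", "high", "android:debuggable=true"))
        if app.get(ANDROID_NS + "allowBackup") == "true":
            findings.append(("allow_backup", "warning", "android:allowBackup=true"))
        for comp in app:  # direct children: activity/service/receiver/provider
            if comp.tag not in ("activity", "service", "receiver", "provider"):
                continue
            exported = comp.get(ANDROID_NS + "exported") == "true"
            guarded = comp.get(ANDROID_NS + "permission") is not None
            if exported and not guarded:  # reachable by any app, no permission gate
                findings.append(("exported_unprotected", "warning",
                                 f"{comp.tag} {comp.get(ANDROID_NS + 'name')}"))
    return findings


def analyze_source(java_text):
    """Apply every code rule and report each match with its line number."""
    findings = []
    for rule_id, severity, rx in CODE_RULES:
        for m in rx.finditer(java_text):
            line_no = java_text.count("\n", 0, m.start()) + 1
            findings.append((rule_id, severity, f"line {line_no}: {m.group(0)[:60]}"))
    return findings


def scan(manifest_xml, sources):
    """Run both passes; `sources` maps file name -> decompiled Java text."""
    report = {"manifest": analyze_manifest(manifest_xml), "code": {}}
    for fname, text in sources.items():
        hits = analyze_source(text)
        if hits:
            report["code"][fname] = hits
    return report


if __name__ == "__main__":
    rep = scan(SAMPLE_MANIFEST, {"NetUtil.java": SAMPLE_JAVA})
    for finding in rep["manifest"]:
        print("manifest", *finding)
    for fname, hits in rep["code"].items():
        for hit in hits:
            print(fname, *hit)
```

Regex rules of this kind are cheap but produce false positives (an `ALLOW_ALL_HOSTNAME_VERIFIER` reference in dead code still fires), which is why MobSF's report pairs each hit with the file and line so a reviewer can confirm it.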

Screenshots:

System home page (screenshot: index)

Running a static analysis (screenshot: static)

During APK dynamic analysis the framework runs a number of security checks automatically and takes screenshots as it goes. Besides the Activity tests, it also analyzes network traffic automatically and saves the HTTP/HTTPS requests sent by the app.
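
The Activity tests mentioned above come down to launching each activity of the installed app over adb, capturing the screen, and stopping the app again. Below is an added example written for this page, not MobSF's own activity tester: it drives `adb shell am start -n`, `adb exec-out screencap -p` and `adb shell am force-stop` for a list of activities. It assumes a device or emulator with USB debugging enabled and `adb` on PATH; the package and activity names are constructed, and the `runner` and `sleep` hooks exist only so the command sequence can be exercised without a device.

```python
"""Added example, not MobSF's own code: an activity tester of the kind the
dynamic analyzer runs. It launches each activity of an installed package over
adb, screenshots it and force-stops the app, so it needs a device or emulator
with USB debugging enabled and `adb` on PATH. `runner` and `sleep` are
injectable so the command sequence can be checked without a device."""
import subprocess
import time
from pathlib import Path


def adb_cmd(serial, *args):
    """Build an adb command line, pinned to one device when a serial is given."""
    cmd = ["adb"]
    if serial:
        cmd += ["-s", serial]
    return cmd + list(args)


def run_adb(cmd):
    """Default runner: execute the command and return its stdout as bytes."""
    return subprocess.run(cmd, check=True, capture_output=True).stdout


def qualified_name(package, activity):
    """Manifest names such as ".MainActivity" are relative to the package."""
    return package + activity if activity.startswith(".") else activity


def run_activity_tests(package, activities, out_dir, serial=None, delay=3.0,
                       runner=run_adb, sleep=time.sleep):
    """Start every activity, capture it, stop the app; return one record each."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    records = []
    for activity in activities:
        full = qualified_name(package, activity)
        launch = runner(adb_cmd(serial, "shell", "am", "start", "-n",
                                f"{package}/{full}"))
        # `am start` reports failures on stdout as "Error: ..." rather than
        # via a reliable exit code, so inspect the text.
        launched = not launch.lstrip().startswith(b"Error")
        sleep(delay)  # give the UI time to draw before capturing
        png = runner(adb_cmd(serial, "exec-out", "screencap", "-p"))
        shot = out / (full.replace(".", "_") + ".png")
        shot.write_bytes(png)
        runner(adb_cmd(serial, "shell", "am", "force-stop", package))
        records.append({"activity": full, "launched": launched,
                        "screenshot": str(shot)})
    return records


if __name__ == "__main__":
    # Constructed package and activity names; in MobSF the list comes from the
    # manifest parsed during static analysis.
    for rec in run_activity_tests("com.example.demo",
                                  [".MainActivity", ".AdminActivity"],
                                  "screens"):
        print(rec)
```

Pin the device with `serial` when more than one is attached, and keep the proxy running while this loops so the HTTP/HTTPS requests each activity triggers are captured alongside its screenshot.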

HackingLab XsecLab Team

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which does information gathering, analyzes security headers, and identifies mobile-API-specific vulnerabilities such as XXE, SSRF, path traversal, IDOR, and other logical issues related to sessions and API rate limiting.
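
The API Fuzzer works from requests the app was seen making during dynamic analysis. As an added example written for this page, not MobSF's own fuzzer, the block below turns one captured request into test cases for the classes named above (path traversal, SSRF, IDOR, XXE) and judges the responses for evidence. The captured requests, host names and payload lists are constructed; the `send` function is injectable so the logic runs offline, while `send_http` is the real sender for use against a test target.

```python
"""Added example, not MobSF's own code: turns one captured mobile-API request
into fuzz cases for path traversal, SSRF, IDOR and XXE and judges the
responses. Captured requests and hosts are constructed; `send` is injected so
the case generation and judging can run offline."""
import copy
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed captures of two calls the app makes (hypothetical API host).
CAPTURED_GET = {
    "method": "GET",
    "url": "https://api.example.test/v1/invoice?id=1042&file=invoice.pdf"
           "&callback=https://cdn.example.test/done",
    "headers": {"Authorization": "Bearer deadbeef"},
    "body": "",
}
CAPTURED_POST = {
    "method": "POST",
    "url": "https://api.example.test/v1/import",
    "headers": {"Authorization": "Bearer deadbeef", "Content-Type": "application/xml"},
    "body": "<order><id>7</id></order>",
}

TRAVERSAL = ["../../../../etc/passwd", "....//....//....//....//etc/passwd"]
SSRF = ["http://169.254.169.254/latest/meta-data/", "http://127.0.0.1/"]
XXE_DOC = ('<?xml version="1.0"?><!DOCTYPE a [<!ENTITY xxe SYSTEM '
           '"file:///etc/passwd">]><a>&xxe;</a>')


def generate_cases(req):
    """Yield (category, description, mutated request copy) for one capture."""
    parts = urlsplit(req["url"])
    params = parse_qsl(parts.query, keep_blank_values=True)

    def with_param(i, new_value):
        r = copy.deepcopy(req)
        q = params[:i] + [(params[i][0], new_value)] + params[i + 1:]
        r["url"] = urlunsplit(parts._replace(query=urlencode(q, safe="/:")))
        return r

    for i, (name, value) in enumerate(params):
        for p in TRAVERSAL:                      # every parameter gets traversal
            yield ("path_traversal", f"{name}={p}", with_param(i, p))
        if value.startswith(("http://", "https://")):   # URL-valued parameter
            for p in SSRF:
                yield ("ssrf", f"{name}={p}", with_param(i, p))
        if value.isdigit():                               # object identifier
            for neighbour in (int(value) - 1, int(value) + 1):
                r = with_param(i, str(neighbour))
                yield ("idor", f"{name}={neighbour}", r)
                r2 = copy.deepcopy(r)
                r2["headers"].pop("Authorization", None)
                yield ("idor_unauthenticated", f"{name}={neighbour}, no token", r2)
    if req["method"] == "POST" and "xml" in req["headers"].get("Content-Type", "").lower():
        r = copy.deepcopy(req)
        r["body"] = XXE_DOC
        yield ("xxe", "XML body replaced by external-entity document", r)


EVIDENCE = {
    "path_traversal": re.compile(r"root:x:0:0:"),            # /etc/passwd content
    "xxe": re.compile(r"root:x:0:0:"),
    "ssrf": re.compile(r"(ami-id|instance-id|hostname)"),    # cloud metadata keys
}


def judge(category, status, body):
    """True when a response is evidence for the case's vulnerability class.
    IDOR results are heuristic (a 200 for a neighbouring id) and need review."""
    rx = EVIDENCE.get(category)
    if rx is not None:
        return status == 200 and bool(rx.search(body))
    return category.startswith("idor") and status == 200


def send_http(req):
    """Real sender: issue the request and return (status, body). Network only."""
    r = urllib.request.Request(req["url"], data=req["body"].encode() or None,
                               headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


def fuzz(req, send=send_http):
    """Run every case through `send`; return the cases judged positive."""
    findings = []
    for category, desc, case in generate_cases(req):
        status, body = send(case)
        if judge(category, status, body):
            findings.append((category, desc, case["url"]))
    return findings


if __name__ == "__main__":
    for category, desc, case in generate_cases(CAPTURED_GET):
        print(category, "|", desc, "|", case["url"])
    for category, desc, case in generate_cases(CAPTURED_POST):
        print(category, "|", desc, "|", case["body"])
```

Only send these cases at a target you are authorized to test; the IDOR cases in particular deliberately request other users' objects, and a real fuzzer would also diff the neighbouring-id response against the baseline rather than trusting the status code alone.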


Documentation

Presentation Slides

Video Course

What's New?

Queries

Screenshots

### Static Analysis - Android APK

(screenshots: android-static-analysis-apk, android-static-analysis-apk2)

### Static Analysis - iOS IPA

(screenshot: ios-static-analysis-ipa)

### Dynamic Analysis - Android APK

(screenshots: android-dynamic-analysis, android-dynamic-report, android-dynamic-report2, android-dynamic-expact)

### Web API Fuzzer

(screenshots: api-fuzzer-start-scan, api-fuzzer-start-report)

## Credits

  • Bharadwaj Machiraju (@tunnelshade_) - For writing pyWebProxy from scratch
  • MindMac - For writing Android Blue Pill
  • Thomas Abraham - For JS Hacks on UI.
  • Anto Joseph (@antojosep007) - For the help with SuperSU.
  • Tim Brown (@timb_machine) - For the iOS Binary Analysis Ruleset.
  • Abhinav Sejpal (@Abhinav_Sejpal) - For poking me with bugs and feature requests.
  • Anant Srivastava (@anantshri) - For Activity Tester Idea
  • Amrutha VC (@amruthavc) - For the new MobSF logo