Mobile Security Framework MobSF Versions Save

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

v3.9.7

1 month ago

v3.9.7 Beta Changelog

  • Features or Enhancements

    • iOS Dynamic Analyzer with Corellium
    • Dynamic Analysis refactoring for Android and iOS
    • Exposed iOS Dynamic Analysis REST APIs
    • Added more helper Frida Scripts for Android and iOS Dynamic Analyzer
    • Frida support improvements Injected Frida Code View, Injection, Spawn, Attach and Session
    • Corellium Reverse SSH connection support
    • Enhancements to ARC and Stack Canary Checks in Mach-O Parsing
    • Frida RPC Hooks support
    • Frida Script QA
    • Runtime Executable Tampering Detection
    • iOS Dynamic Analysis REST API Docs
    • Global Datatables Export as PDF, CSV, XLS, Copy and Print
    • Corellium custom host domain support
    • Huge improvements in Static Analysis report generation page rendering for APKs/IPAs with large amount of data by @JPSxzy8
    • Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
    • Library analysis refactored relative path helper for Django template.
    • Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
    • Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
    • Merge iOS Framework and Dylib Analysis.
    • SAST Performance improvements
    • Android API Analysis rule QA
    • Apksigner.jar fallback for signature parsing
    • Simplify MobSF scan REST API
    • Support for analysis of iOS Frameworks
    • Android SVG icon parsing improvments
    • Icon analysis refactor and support jpeg and webp icons
    • Github action QA
    • iOS merge findings from swift and objective c rules with same rule identifier. Fixes #2287
    • iOS Binary analysis, sort regex matches. Fixes #2252
    • Framework dylibs with no extensions to skip PIE checks. Fixes #2307
    • Select correct network_security config. Fixes #2049
    • Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0) . Fixes #2124
    • Added new manifest analysis rule to warn on apps targeting older Android OS
    • Updated severity of findings
    • UI improvement for AppSec dashboard to show a loader
    • UI changes in Static Analysis to collapse large no of files in API and Code Analysis for better real estate
    • Improved certificate file analysis for android, jar, aar, and iOS
    • AppLink asset json check multithreading performance improvements
    • Code QA and ruleset improvements with ChatGPT
    • Fixes #2324 , Bug in parsing DSA Public Key parameters for fingerprint calculation.
    • AssetLink check QA
    • Remove Androguard dependency use only features required by MobSF

  • Security

    • Arbitrary file writes on Windows with apktool fixed
    • Fixed an LFI reported by @0x33c0unt
    • Fixed SSRF in AppLinks and Firebase database checks

What's Changed

New Contributors

Full Changelog: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.7.6...v3.9.7

v3.7.6

8 months ago

v3.7.6 Beta Changelog

  • Features or Enhancements
    • Docker base image update to Ubuntu 22.04
    • Dockerfile QA
    • Migrated from Pip to Poetry for dependency management
    • Migrate from setup.py to use poetry for build and publish
    • Python 3.11 support
    • Docker ADB connection improvements (host.docker.internal translation for localhost)
    • IOS Swift RulesUpdates ios_biometric_bool, ios_biometric_acl, ios_keychain_weak_acl_device_passcode, ios_keychain_weak_accessibility_value, ios_insecure_random_no_generator, ios_biometry_hardened
    • Android SCA rules update
    • Entropies scan support for strings
    • Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base
    • Tox QA
    • Added poetry build test
    • Updated mobsf PyPI publishing workflow
    • Update local DBs
    • URLs/Email extraction refactor
    • Static and Dynamic Binary Analysis QA
    • Refactor Dex permissions
    • Refactor Androguard apk.APK() usage
    • Fallback certificate analysis using apksigtool
    • Use BeautifulSoup4 to prettify malformed XML
    • Detect non standard XML namespace in AndroidManifest.xml, Fixes : #2198
    • Updated android permissions list
    • Updated android permission update check script
    • Github Actions version update
    • Apktool bump
    • Bump httptools
    • Bump yara-python-dex
    • Docker image build test for PRs
    • iOS Source Report Fix
    • Removed unwanted pinned repository
    • Frida APK Patcher (WIP)
    • Fix for Recent Scans scan not completed for iOS zip
    • Fix for MachO stripped symbols false positive
    • Fix bug in IPA download
    • iOS/Android form validation fix
    • Fix missing exported components
  • Enterprise Feature Request
    • String extraction from APK, Source, AAR, JAR, SO.
    • Android strings sections to show source of strings extracted
    • Strings extraction refactor
    • Support for independent .so scan
    • Dylib analysis support
    • Dylib string extraction
    • Improved iOS Plist secret extraction
    • Support for Independent .dylib scan
    • Symbols view for dylib and so
    • Trackers support for so
    • AAR/JAR obfuscation and debug check
    • Independent Static Library(.a) ELF/MachO Analysis
    • Mac FAT binary only supported on Mac

What's Changed

New Contributors

Full Changelog: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.6.9...v3.7.6

v3.6.9

9 months ago

v3.6.9 Beta Changelog

  • Features or Enhancements
    • New Simplified and Updated Documentation https://mobsf.github.io/docs/#/
    • MobSF Dynamic Analysis support for Docker image
    • Updated Documentation to include support for Corellium ARM64 Android VMs
    • Add support for environment variables to configure MobSF
    • Android SCA extract icon from SVG
    • OFAC Sanctioned Country Check
    • Improved Android Certificate Analysis
    • Updated Android Manifest Analysis Rules
    • Enterprise Feature Request
      • Summary of Findings under each section
      • Support for independent scanning of AAR ad JAR files.

What's Changed

New Contributors

Full Changelog: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.6.0...v3.6.9

v3.6.0

1 year ago

IMPORTANT - IF YOU ARE UPDATING MOBSF

This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating This release has a breaking change. Please rescan all existing scans after the update. Perform rescan from Recent Scans view.

v3.6.0 Beta Changelog

  • Features or Enhancements

    • False Positive Triaging / Suppression Triaging Support for critical Android and iOS Security Analysis features.
      • Android Binary & Source - Supports Code Analysis and Manifest Analysis
      • iOS Binary - Supports Binary Code Analysis
      • iOS Source - Supports Code Analysis
      • New REST APIs for Suppression Support
    • Android Certificate Analysis improvements
    • Remove RELRO check from android binary analysis due to false positives
    • iOS Bundle ID extraction improvements
    • Feature parity - Allow IPA downloads from reports view
    • Code QA: Reduce False positives in identified secrets
    • Check for updates from Github releases
    • M1 Mac support
    • Disabled by default feature to support hotspots in AppSec Scorecard
    • Dependency updates
    • Added CodeQL scan on MobSF python code base

  • Bug Fixes

    • Fixes #1999, #1917, #2042 #1981 #2014 #2043
    • Fixed a bug in JSON response REST API
    • iOS URL view fix
    • Code fixes to address minor security issues in thrid party libraries.
    • Handle JADX timeouts

v3.5.0

2 years ago

IMPORTANT - IF YOU ARE UPDATING MOBSF

This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating This release has a breaking change. Please rescan all existing scans after the update. Perform rescan from Recent Scans view.

v3.5.0 Beta Changelog

  • Features or Enhancements

    • MobSF Application Security Scorecard for scoring mobile application security
    • Scorecard REST API
    • Published Static Analyzer online mobsf.live (Thanks to Jovan Petrovic for sponsoring the server)
    • Improved App Security Scoring Logic
    • Improved PDF Report, Reduce generation times.
    • Disable CVSSv2 by default.
    • Non blocking file upload from home screen.
    • Android and iOS SAST rule QA
    • Manifest, Certificate, Transport Security and Network Security rule QA
    • Common severity levels High, Warning, Info and Secure.

  • Bug Fixes

    • Fixes #1885
    • Replaced PWD with dedicated server

v3.4.6

2 years ago

v3.4.6 Beta Changelog

  • Features or Enhancements

    • Quark Version Update
    • New Frida Scripts from F-Secure labs
    • Manual Activity Launcher and REST API
    • Suppress warnings from third party
    • LIEF integration QA
    • Update Janus Vulnerability description
    • General Code QA
    • Improve Setup script
    • Update Dockerfile to use non-root user
    • PDF in landscape
    • Add healthcheck to dockerfile
    • Update Android API rules
    • iOS Hardcoded Secret extraction from plists
    • Add browsable activities in android diff
    • Multiplatform docker image
    • Added checks and bypass for certificate transparency
    • Updated Android Static Analysis rules
    • Improved Split APK support, now supports .apks file
    • Ability to lookup and download APK from apktada/apkpure/apkplz
    • Dynamic Analyzer: Get Runtime Application Third party dependencies
    • Persist Frida Code change in session storage
    • Show Base64 strings decoded at runtime and the called class
    • Detect Trackers from Runtime Dependencies and Network Traffic
    • Windows Binskim version pinning
    • Global Proxy Configuration for Dynamic Analyzer

  • Bug Fixes

    • Fix Django 4.0 support
    • Fix minor bugs
    • Fix dependency issues

v3.4.3

3 years ago

v3.4.3 Beta Changelog

  • Features or Enhancements

    • Android Dynamic Analysis TLS/SSL Security Tester
    • Dynamic Analysis without Static Analysis
    • Support Dynamic Analysis of third party apps in VM/AVD
    • Download and perform static analysis of third party apps from VM/AVD
    • Dynamic Analysis enhancement to preserve app config/data
    • Improved SSL Pinning Bypass script
    • Added Intent dumper auxiliary Frida script
    • Added an auxiliary method bypass template script
    • Security Hardening
    • Addressing LGTM issues and QA
    • Android Permissions Mapping update and Typo fix
    • VirusTotal Code QA
    • Refactored Logcat log viewer to show only app specific logs
    • Xposed Improvements and updates of agents
    • Updated frontend libraries for CodeMirror and EnligherJS
    • New REST API exposed for TLS/SSL tests
    • General Code QA

  • Bug Fixes

    • Fixed Windows Setup script
    • Fixed typo and incomplete description in Android permission mapping

v3.4.0

3 years ago

From 3.4.0 onwards MobSF user configuration and data is stored under <user_home_dir>/.MobSF/ . Also instead of mobsf/MobSF/settings.py, please use <user_home_dir>/.MobSF/config.py

You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

Install and Setup

python3 -m venv venv
source venv/bin/activate
pip install mobsf
mobsfdb # migrate database

Run

mobsf 127.0.0.1:8000 # run mobsf

v3.4.0 Beta Changelog

  • Features or Enhancements

    • Android Hardcoded Secrets False Positive Improvement
    • New Android Crypto Rule
    • Rescan Fail-Safe and Code QA
    • Auto Comment for PR and Issues
    • USE_HOME by default
    • Dynamically Display Config Location

  • Bug Fixes

    • Fixed a bug in iOS ATS plist analysis

v3.3.5

3 years ago

You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

Install and Setup

python3 -m venv venv
source venv/bin/activate
pip install mobsf
mobsfdb # migrate database

Run

mobsf 127.0.0.1:8000 # run mobsf

v3.3.5 Beta Changelog

  • Bug Fixes
    • Removed Android Shared Library PIE Check
    • Improved Frida Instrumentation Logic to prevent Frida bypass
    • Fixed a False positive in Android Java Random rule
    • Fixed a bug that caused multiple first time saves of the same scan
    • Fixed Dynamic Analyzer JSON Report REST API bug

v3.3.3

3 years ago

You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

Install and Setup

python3 -m venv venv
source venv/bin/activate
pip install mobsf
mobsfdb # migrate database

Run

mobsf 127.0.0.1:8000 # run mobsf

v3.3.3 Beta Changelog

  • Features or Enhancements

    • Android Hardcoded Secrets Improvement
    • iOS IPA binary analysis improvements
    • Improved Android Manifest Analysis
    • Improved Setup
    • Updated to APKiD that is maintained by MobSF Team
    • Static Analysis Rule QA
    • macOS BigSur support
    • Update libsast to skip large files.
    • Improved iOS plist analysis
    • Relaxed Android Source code zip requirements

  • Bug Fixes

    • Fixed a bug in Android Shared Library RELRO check
    • Fixed a bug in Windows setup that prevents detection of python version on the first run
    • Fixed a bug in Recent Scan
    • Fixed a bug in root CA naming that prevented traffic interception