performing-android-app-static-analysis-with-mobsf
Performs automated static analysis of Android applications using Mobile Security Framework (MobSF) to identify hardcoded secrets, insecure permissions, vulnerable components, weak cryptography, and code-level security flaws without executing the application. Use when assessing Android APK/AAB files for security vulnerabilities before deployment, during penetration testing, or as part of CI/CD security gates. Activates for requests involving Android static analysis, MobSF scanning, APK security assessment, or mobile application code review.
What this skill does
# Performing Android App Static Analysis with MobSF
## When to Use
Use this skill when:
- Conducting security assessment of Android APK or AAB files before production release
- Integrating automated mobile security scanning into CI/CD pipelines
- Performing initial triage of Android applications during penetration testing engagements
- Reviewing third-party Android applications for supply chain security risks
**Do not use** this skill as a replacement for manual code review or dynamic analysis -- MobSF static analysis catches pattern-based vulnerabilities but misses runtime logic flaws.
## Prerequisites
- MobSF v4.x installed via Docker (`docker pull opensecurity/mobile-security-framework-mobsf`) or local setup
- Target Android APK, AAB, or source code ZIP
- Python 3.10+ for MobSF REST API integration
- JADX decompiler (bundled with MobSF) for Java/Kotlin source recovery
- Network access to MobSF web interface (default: http://localhost:8000)
## Workflow
### Step 1: Deploy MobSF and Obtain API Key
Launch MobSF using Docker for isolated, reproducible scanning:
```bash
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
```
Retrieve the REST API key from the MobSF web interface at `http://localhost:8000/api_docs` or from the startup console output. The API key enables programmatic scanning.
### Step 2: Upload APK for Static Analysis
Upload the target APK using the MobSF REST API:
```bash
curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
```
Response includes the `hash` identifier used for subsequent API calls. MobSF automatically decompiles the APK using JADX, extracts the AndroidManifest.xml, and indexes all resources.
### Step 3: Trigger and Retrieve Static Scan Results
Initiate the static scan and retrieve results:
```bash
# Trigger scan
curl -X POST http://localhost:8000/api/v1/scan \
-H "Authorization: <API_KEY>" \
-d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"
# Retrieve JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>"
```
### Step 4: Analyze Critical Findings
MobSF static analysis covers these categories mapped to OWASP Mobile Top 10 2024:
**Manifest Analysis (M8 - Security Misconfiguration)**:
- Exported activities, services, receivers, and content providers without permission guards
- `android:debuggable="true"` left enabled
- `android:allowBackup="true"` enabling data extraction via ADB
- Missing `android:networkSecurityConfig` for certificate pinning
**Code Analysis (M1 - Improper Credential Usage)**:
- Hardcoded API keys, passwords, and tokens in Java/Kotlin source
- Insecure SharedPreferences usage for storing sensitive data
- Weak or broken cryptographic implementations (ECB mode, static IV, hardcoded keys)
**Network Security (M5 - Insecure Communication)**:
- Missing certificate pinning configuration
- Custom TrustManagers that accept all certificates
- Cleartext HTTP traffic allowed without exception domains
**Binary Analysis (M7 - Insufficient Binary Protections)**:
- Missing ProGuard/R8 obfuscation
- Native library vulnerabilities (stack canaries, NX bit, PIE)
- Debugger detection absence
### Step 5: Generate and Export Reports
Export findings in multiple formats for stakeholder communication:
```bash
# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.pdf
# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.json
```
### Step 6: Integrate into CI/CD Pipeline
Add MobSF scanning as a build gate:
```yaml
# GitHub Actions example
- name: MobSF Static Analysis
run: |
UPLOAD=$(curl -s -F "file=@app/build/outputs/apk/release/app-release.apk" \
http://mobsf:8000/api/v1/upload -H "Authorization: $MOBSF_API_KEY")
HASH=$(echo $UPLOAD | jq -r '.hash')
curl -s -X POST http://mobsf:8000/api/v1/scan \
-H "Authorization: $MOBSF_API_KEY" \
-d "scan_type=apk&file_name=app-release.apk&hash=$HASH"
SCORE=$(curl -s -X POST http://mobsf:8000/api/v1/scorecard \
-H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq '.security_score')
if [ "$SCORE" -lt 60 ]; then exit 1; fi
```
## Key Concepts
| Term | Definition |
|------|-----------|
| **Static Analysis** | Examination of application code and resources without executing the program; catches structural and pattern-based vulnerabilities |
| **APK Decompilation** | Process of recovering Java/Kotlin source from compiled Dalvik bytecode using tools like JADX or apktool |
| **AndroidManifest.xml** | Configuration file declaring app components, permissions, and security attributes; primary target for manifest analysis |
| **Certificate Pinning** | Technique binding an app to specific server certificates to prevent man-in-the-middle attacks via rogue CAs |
| **ProGuard/R8** | Code obfuscation and shrinking tools that make reverse engineering more difficult by renaming classes and removing unused code |
## Tools & Systems
- **MobSF**: Automated mobile security analysis framework supporting static and dynamic analysis of Android/iOS apps
- **JADX**: Dex-to-Java decompiler for recovering readable source code from Android APK files
- **apktool**: Tool for reverse engineering Android APK files, decoding resources to near-original form
- **Android Lint**: Google's static analysis tool for Android-specific code quality and security issues
- **Semgrep**: Pattern-based static analysis engine with mobile-specific rule packs for custom vulnerability detection
## Common Pitfalls
- **Ignoring false positives**: MobSF flags patterns like `password` in variable names even when not storing actual credentials. Triage all HIGH findings manually before reporting.
- **Missing obfuscated code**: Static analysis accuracy drops significantly against obfuscated apps. Supplement with dynamic analysis for apps using DexGuard or custom packers.
- **Outdated MobSF rules**: Security rules evolve with Android API levels. Ensure MobSF is updated to match the target app's `targetSdkVersion`.
- **Skipping native code analysis**: MobSF analyzes Java/Kotlin but has limited coverage of native C/C++ libraries. Use `checksec` and manual review for `.so` files.
Related in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.