Mobile Security Framework — automated static + dynamic analysis for Android (APK), iOS (IPA), and Windows mobile apps.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Docker (recommended)
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Source
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF && cd Mobile-* && ./setup.sh && ./run.sh
Pre-requisites
Java 11+, Python 3.9+, JD-GUI for source viewing
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Upload APK via Web UI
http://localhost:8000 → Upload
Static scan + report
Auto-runs after upload; click "Generate Report" → PDF
Dynamic analysis (Android)
Connect emulator → "Start Dynamic Analysis"
API mode (CI integration)
curl -F "[email protected]" -H "Authorization: TOKEN" http://localhost:8000/api/v1/upload
CLI scanning
docker exec mobsf python manage.py mobsf_scan /apks/app.apk
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
- Static scan: 2-5 minutes per APK on default settings. Disable VirusTotal (settings.py) to save 30s.
- Dynamic analysis requires Genymotion/Android emulator on the same network — NOT inside Docker (USB/HW issues).
- For batch scanning: API mode + Python script. Web UI doesn’t handle 10+ concurrent scans.
- Resource: 4GB RAM minimum, 8GB recommended. Static analysis JVM is the memory hog.
- Whitelist your code-signed apps to avoid false positives on every Indian RBI-required hardening (Promon, Appdome).
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- Default report includes EVERYTHING — manually filter false-positives before sending to client.
- iOS dynamic analysis requires jailbroken device + Frida (
iproxyplumbing). Nothing in MobSF works without that. - Default API token must be changed in
settings.py; default is exposed to internet on careless deployments. - Reports include actual decoded source — treat output as confidential, store encrypted.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- QARK (LinkedIn, abandoned) — static only, free.
- NowSecure / Veracode — commercial.
- apkleaks — fast secret-scan only.
India context and engagement notes
MobSF is mandatory in DPDP-mode mobile-app reviews — auditors expect to see the static-scan PDF. For Indian e-commerce / fintech apps, expect to manually verify ~20 of MobSF’s 200 findings; the rest are RASP/SDK noise.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.