Mobile Security Framework (MobSF) is an open-source, automated mobile security testing tool built by Ajin Abraham and 104 contributors. It handles static analysis, dynamic analysis, and malware detection for Android, iOS, and Windows mobile applications.
GitHub: MobSF/Mobile-Security-Framework-MobSF | Stars: 20.3k | Latest Release: v4.4.5 (January 2026) | License: GPL-3.0
The project started in 2015 and has been featured at Black Hat Arsenal (Asia 2015, Asia 2018, Europe 2023). It ships as a web application — upload a binary, and MobSF decompiles it, runs security checks, and presents findings in a dashboard. Results can be exported as PDF reports or pulled through the REST API.
MobSF is bundled with security-focused Linux distributions including BlackArch and Pentoo. A hosted demo is available at mobsf.live.
Key Features
| Feature | Details |
|---|---|
| Static Analysis | Decompiles and analyzes APK, AAB, IPA, APPX binaries and source code |
| Dynamic Analysis | Runtime testing with Frida instrumentation for Android and iOS |
| Malware Analysis | Pattern matching for known malicious behaviors and indicators of compromise |
| REST API | Full API access for uploading, scanning, and retrieving reports programmatically |
| Web Dashboard | Browser-based interface for uploading apps and reviewing findings |
| PDF Reports | Exportable security assessment reports |
| OWASP Mapping | Findings mapped to OWASP MASVS and MASTG standards |
| Network Analysis | Captures and analyzes network traffic during dynamic testing |
| mobsfscan | Separate CLI tool for source code scanning in CI/CD pipelines |
| Docker Support | One-command deployment via Docker |
Static Analysis
MobSF’s static analyzer works on compiled binaries — no source code access needed.
For Android, it decompiles APK files to inspect Java/Kotlin code, AndroidManifest.xml, and embedded resources. For iOS, it analyzes the binary structure, Info.plist, and bundled frameworks.
Checks include:
- Hardcoded credentials and API keys
- Insecure data storage patterns
- Weak cryptographic implementations
- Dangerous permission requests
- Exported components without proper protection
- SSL/TLS configuration problems
- Code signing and obfuscation analysis
Dynamic Analysis
Dynamic analysis executes the application in a controlled environment. MobSF uses Frida for runtime instrumentation, hooking into application functions to observe:
- Network traffic and API calls
- File system read/write operations
- Cryptographic function usage
- Sensitive data handling at runtime
- Runtime permission checks
Dynamic analysis requires an emulator or physical device. For Android, you’ll need an Android emulator with a writable system image. iOS dynamic analysis requires a jailbroken device or corellium setup.
REST API
Every feature in the web interface is available through the REST API. This makes it possible to build automated scanning workflows and feed results into other tools.
Getting Started
Install via Docker — Pull and run the official image. Default login is mobsf/mobsf.
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
http://localhost:8000 in your browser. You’ll see the upload interface.Manual Installation
For development or customization, install from source (requires Python 3.12+):
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
./run.sh
CI/CD Integration
GitHub Actions with mobsfscan
name: Mobile Security Scan
on: [push]
jobs:
mobsfscan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: mobsfscan
uses: MobSF/mobsfscan@main
with:
args: '. --sarif --output results.sarif'
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
GitHub Actions with Full MobSF Server
For binary analysis in CI/CD, run the full MobSF Docker container:
name: MobSF Binary Scan
on:
push:
branches: [main]
jobs:
mobsf-scan:
runs-on: ubuntu-latest
services:
mobsf:
image: opensecurity/mobile-security-framework-mobsf:latest
ports:
- 8000:8000
steps:
- uses: actions/checkout@v4
- name: Build APK
run: ./gradlew assembleDebug
- name: Wait for MobSF
run: |
until curl -s http://localhost:8000 > /dev/null; do
sleep 2
done
- name: Upload and Scan
run: |
HASH=$(curl -F "file=@app/build/outputs/apk/debug/app-debug.apk" \
http://localhost:8000/api/v1/upload \
-H "Authorization: ${{ secrets.MOBSF_API_KEY }}" | jq -r '.hash')
curl -X POST http://localhost:8000/api/v1/scan \
-H "Authorization: ${{ secrets.MOBSF_API_KEY }}" \
-d "hash=$HASH"
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: ${{ secrets.MOBSF_API_KEY }}" \
-d "hash=$HASH" > mobsf-report.json
- uses: actions/upload-artifact@v4
with:
name: mobsf-report
path: mobsf-report.json
When to Use MobSF
MobSF is a strong choice when you need a free, self-hosted mobile security testing setup. It’s particularly useful for:
- Penetration testers who need a single tool covering static and dynamic analysis
- Teams with limited budgets that can’t justify commercial tool licensing
- Privacy-sensitive organizations that need on-premises analysis (nothing leaves your network)
- CI/CD pipelines where you want automated security checks using mobsfscan or the REST API
- Malware analysts examining suspicious apps from third-party sources
For teams that need vendor support, SLAs, or managed cloud scanning, commercial alternatives like NowSecure or Oversecured may be a better fit.
