Mobile application security is no longer optional—it’s essential. Whether you’re an Android, iOS, or Windows mobile developer, integrating automated security assessments into your CI/CD pipeline can drastically improve your app’s resilience against attacks. Enter MobSF (Mobile Security Framework)—an all-in-one toolkit for performing static and dynamic analysis of mobile apps.
In this guide, we’ll walk through setting up MobSF using Docker on macOS with Colima and demonstrate how to conduct both static and dynamic analysis.
๐ What is MobSF?
Mobile Security Framework (MobSF) is an open-source, automated mobile application pentesting, malware analysis, and security assessment tool. It supports:
Static & dynamic analysis
Mobile binaries: .apk, .ipa, .appx, .xapk
Source code (zipped)
REST APIs for CI/CD or DevSecOps integration
Whether you’re running tests during development or before release, MobSF provides valuable insights into the security posture of your app.
๐ Prerequisites
Before starting, ensure the following tools are installed on your macOS system:
Colima – Docker Desktop alternative for macOS
Docker
Installation Commands:
๐งช Running MobSF with Docker
Once Colima and Docker are set up, launch MobSF using the following command:
๐ Accessing the MobSF Dashboard
After launching MobSF, the terminal logs will include a line like:
Copy this URL into your browser to open the MobSF dashboard.
Uploading an App:
Simply drag and drop your APK/IPA file into the dashboard to begin static analysis.
๐งพ Static Analysis
Once uploaded, MobSF automatically scans the app and generates a security report. Monitor the Docker logs to verify successful completion or identify potential issues during analysis.
Sample Reports:
AppSec Scorecard for Prod Build (v2.9.8)
Full Static Analysis Report
✅ These reports help developers and security teams identify code-level vulnerabilities, permission misuses, and more.
๐ Dynamic Analysis
MobSF’s dynamic analysis enables runtime behavior assessment, allowing you to detect malicious operations or insecure runtime behaviors.
๐ง Requirements:
Emulator without Google Play Store
API level ≤ 28 (Android 9)
Step 1: Start Emulator
Navigate to your SDK tools directory and run:
cd ~/Library/Android/sdk/tools
./emulator -avd Pixel_5_API_28 -writable-system -no-snapshot
To list available AVDs:
emulator -list-avds
Step 2: Launch MobSF with Emulator Identifier
Find your emulator’s ID using:
adb devices
Then start MobSF with the emulator bound:
docker run -e MOBSF_ANALYZER_IDENTIFIER="emulator-5554" -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Step 3: Start Dynamic Analysis
In the MobSF UI:
Go to Dynamic Analyzer
Click Start Dynamic Analysis
MobSF will initiate an interactive test session connected to your emulator.
✅ Final Thoughts
MobSF is a powerful and developer-friendly framework for mobile app security. With minimal setup, it provides:
Actionable security insights
Seamless CI/CD integration
Both static and dynamic testing capabilities
By integrating MobSF into your development lifecycle, you ensure your mobile applications are secure, compliant, and robust.
