This article walks you through the steps of setting up the MobSF Scan tool on an AWS EC2 machine with Docker to be able to run your static analysis tests for Android apps easily.
As part of Droidcon Berlin this year, I spoke about DevSecOps for Android and how security testing can be injected into the CI/CD pipeline and Mobile DevOps.
In the presentation, I mentioned different automated security testing tools that we can use with Android. One of these tools is MobSF, an open-source static analysis tool that finds insecure code patterns in Android and iOS source code; it supports Java, Kotlin, Swift, and Objective-C.
There is a live version of the tool where you can upload your APK and scan it, but what if you need your own instance running on your own server or machine?
Because of that, in this article, I will demonstrate how to run the MobSF Docker container on an AWS EC2 machine and use the API to upload the Android APK to the server to start the scanning process.
Sounds interesting? Let’s get started.
This demo requires the following prerequisites:
- A free AWS account (https://portal.aws.amazon.com/billing/signup)
- A free GitHub account
- An Android application; if you don’t have one, you can fork the Insecure Shop app from GitHub and use it as a demo.
Now let’s build our solution.
1- Login to the AWS management console and select the EC2 service.
2- Click on Instance to launch a new Amazon Linux instance and make sure it is in the free tier category.
3- Then select the instance type, key pair, and security group, and make sure that you allow HTTP or HTTPS in addition to SSH, so you can reach the machine from the browser.
5- You now have a machine with a public IP, and you can also assign a domain name to it if you want.
6- Now the VM is ready and you can access it by clicking the Connect button. You can choose between different clients, but in this demo I’m using the default one, EC2 Instance Connect.
7- We are inside the machine now and can start using the shell to run commands, for instance to install the updates:
sudo yum update
8- Now we need to install Docker to be able to download and run the MobSF Docker container, with the following command:
sudo yum install docker
9- Add group membership for the default ec2-user so you can run all Docker commands without using sudo:
sudo usermod -a -G docker ec2-user
id ec2-user
newgrp docker
10- Start the Docker service and enable it so that it starts at AMI boot time:
sudo systemctl start docker.service
sudo systemctl enable docker.service
11- To get the Docker service status on your AMI instance, run:
sudo systemctl status docker.service
12- See the Docker version:
docker --version
13- In the MobSF documentation, you can find how to install the prebuilt Docker image with the following commands:
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Docker will now pull the image and start the container, publishing the MobSF web interface on port 8000.
Because of that, we need to update the security group of this instance by editing its inbound rules to allow port 8000. Restrict the source of that rule to the addresses that actually need access (for example your own IP or your CI runner’s) rather than 0.0.0.0/0, because otherwise the MobSF web interface and its API are reachable by anyone on the internet.
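As an added check for this step (example code written for this article, not part of MobSF or AWS), the script below audits an EC2 security group and flags a port 8000 rule whose source is the whole internet. The rule layout is the one returned by `aws ec2 describe-security-groups` / boto3 `describe_security_groups()`; the two sample groups and their TEST-NET-3 addresses are constructed for the demo, and `audit_live` is an optional helper that needs boto3 and AWS credentials.

```python
"""Audit an EC2 security group so the MobSF port (8000) is reachable only
from trusted sources. Added example; the sample groups are constructed."""
import ipaddress

MOBSF_PORT = 8000


def _covers_port(perm, port):
    """True if one IpPermissions entry applies to `port` (TCP or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS encodes "all traffic" as protocol -1
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_cidrs(group, port=MOBSF_PORT):
    """Return every CIDR that can reach `port`, split into (world, limited).
    A /0 prefix (0.0.0.0/0 or ::/0) means "anyone on the internet"."""
    world, limited = [], []
    for perm in group.get("IpPermissions", []):
        if not _covers_port(perm, port):
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr, strict=False)
            (world if net.prefixlen == 0 else limited).append(cidr)
    return world, limited


def is_acceptable(group, port=MOBSF_PORT):
    """Policy: the port must be reachable, but not from the whole internet."""
    world, limited = exposed_cidrs(group, port)
    return not world and bool(limited)


# Constructed sample: the rule you get by choosing "Anywhere" when adding port 8000.
WEAK_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

# Constructed sample: same group with the source narrowed to the analyst's IP
# and a small CI runner range (placeholder addresses from TEST-NET-3).
HARDENED_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8000, "ToPort": 8000,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.0/28"}],
         "Ipv6Ranges": []},
    ],
}


def audit_live(group_id, region_name=None):
    """Fetch a real group with boto3 (optional dependency) and apply the policy."""
    import boto3  # imported lazily so the offline samples above run without it
    ec2 = boto3.client("ec2", region_name=region_name)
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    return is_acceptable(group)


if __name__ == "__main__":
    for name, group in (("weak", WEAK_GROUP), ("hardened", HARDENED_GROUP)):
        world, limited = exposed_cidrs(group)
        print(f"{name}: open to world={world} limited={limited} ok={is_acceptable(group)}")
```

Run it as-is to compare the two constructed groups, or call `audit_live("sg-...")` against your own instance's group; a result of `False` means the MobSF port is either closed entirely or open to the whole internet.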
14- Now you can try to access the VM via the browser, and the result should look like the following image:
Congratulations, you have successfully installed the MobSF tool on your machine.
Now you can upload APKs manually to scan them, or you can use the MobSF API from a mobile CI/CD platform such as Bitrise to upload the APK after you build the application and send it to the MobSF server hosted on the AWS machine.
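The API flow just mentioned, as an added example written for this article rather than code from MobSF or from the Bitrise integration: it uploads an APK to the self-hosted server, starts the static scan, pulls the JSON report and fails the build when high-severity findings appear. The endpoints (`/api/v1/upload`, `/api/v1/scan`, `/api/v1/report_json`) and the `Authorization` header are MobSF's documented REST API; the `MOBSF_URL` and `MOBSF_API_KEY` environment variable names are this example's own assumption (the key is the one MobSF prints at startup and shows in its web UI, and it should never be hardcoded in a pipeline). Because the JSON report layout differs between MobSF versions, the severity summary walks the report generically instead of relying on one key path.

```python
"""Upload an APK to a self-hosted MobSF server, scan it and gate a CI job on
the result, using only the Python standard library. Added example."""
import json
import os
import sys
import uuid
import urllib.parse
import urllib.request


def build_multipart(field_name, filename, content, boundary=""):
    """Encode a single file as a multipart/form-data body.
    Returns (Content-Type header value, body bytes)."""
    boundary = boundary or uuid.uuid4().hex
    body = b"".join([
        f"--{boundary}\r\n".encode(),
        (f'Content-Disposition: form-data; name="{field_name}"; '
         f'filename="{filename}"\r\n').encode(),
        b"Content-Type: application/octet-stream\r\n\r\n",
        content,
        f"\r\n--{boundary}--\r\n".encode(),
    ])
    return f"multipart/form-data; boundary={boundary}", body


def extract_upload_hash(upload_response):
    """Return the scan hash from an /api/v1/upload response; MobSF reports
    status "success" when the file was accepted, anything else is an error."""
    if upload_response.get("status") != "success" or "hash" not in upload_response:
        raise RuntimeError(f"upload rejected: {upload_response}")
    return upload_response["hash"]


def severity_counts(node, counts=None):
    """Walk a MobSF JSON report and count every object carrying a 'severity'
    string. Deliberately independent of the exact report layout, which
    changes between MobSF versions."""
    if counts is None:
        counts = {}
    if isinstance(node, dict):
        sev = node.get("severity")
        if isinstance(sev, str):
            counts[sev] = counts.get(sev, 0) + 1
        for value in node.values():
            severity_counts(value, counts)
    elif isinstance(node, list):
        for item in node:
            severity_counts(item, counts)
    return counts


def should_fail_build(counts, max_high=0):
    """CI gate: fail when the number of 'high' findings exceeds the budget."""
    return counts.get("high", 0) > max_high


class MobSFClient:
    def __init__(self, base_url, api_key):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key  # read from the environment, never hardcoded

    def _post(self, path, body, content_type):
        req = urllib.request.Request(self.base_url + path, data=body, method="POST")
        req.add_header("Authorization", self.api_key)  # MobSF API key header
        req.add_header("Content-Type", content_type)
        with urllib.request.urlopen(req, timeout=900) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def _post_form(self, path, fields):
        return self._post(path, urllib.parse.urlencode(fields).encode(),
                          "application/x-www-form-urlencoded")

    def upload(self, apk_path):
        with open(apk_path, "rb") as fh:
            ctype, body = build_multipart("file", os.path.basename(apk_path), fh.read())
        return self._post("/api/v1/upload", body, ctype)

    def scan(self, upload_response):
        # Current MobSF needs only 'hash'; older releases also required
        # scan_type and file_name, which the upload response provides.
        return self._post_form("/api/v1/scan", {
            "hash": upload_response["hash"],
            "scan_type": upload_response.get("scan_type", "apk"),
            "file_name": upload_response.get("file_name", ""),
        })

    def report_json(self, file_hash):
        return self._post_form("/api/v1/report_json", {"hash": file_hash})


def main(argv):
    base_url = os.environ["MOBSF_URL"]      # e.g. http://<ec2-public-ip>:8000 (assumed name)
    api_key = os.environ["MOBSF_API_KEY"]   # key shown in the MobSF startup log / UI (assumed name)
    client = MobSFClient(base_url, api_key)
    uploaded = client.upload(argv[1])
    file_hash = extract_upload_hash(uploaded)
    client.scan(uploaded)
    counts = severity_counts(client.report_json(file_hash))
    print("findings by severity:", counts)
    return 1 if should_fail_build(counts) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline step this is `MOBSF_URL=... MOBSF_API_KEY=... python mobsf_scan.py app/build/outputs/apk/debug/app-debug.apk`; the non-zero exit code is what makes the build fail, and `max_high` lets a team ratchet the budget down over time instead of turning the gate off.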