DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’» is a community of 963,274 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

Create account Log in
Cover image for Run your security static analysis tests for Android apps on the cloud with MobSF and AWS
Moataz Nabil for AWS Community Builders

Posted on • Originally published at blog.bitrise.io

Run your security static analysis tests for Android apps on the cloud with MobSF and AWS

This article walks you through the steps of setting up the MobSF Scan tool on an AWS EC2 machine with Docker to be able to run your static analysis tests for Android apps easily.

As part of Droidcon Berlin this year, I spoke about DevSecOps for Android and how security testing can be injected into the CI/CD pipeline and Mobile DevOps.

In the presentation, I mentioned different automated security testing tools that we can use with Android.One of these tools is MobSF β€” it’s an open-source static analysis tool that can find insecure code patterns in your Android and iOS source code supports Java, Kotlin, Swift, and Objective C.

There is a live version of the tool and you can upload your APK and scan it β€” but what if you need to have your own version installed on your own server or machine?

Because of that, in this article, I will demonstrate how to run the MobSF Docker container on an AWS EC2 machine and use the API to upload the Android APK to the server to start the scanning process.

Sounds interesting? Let’s get started.

The prerequisites
This demo is required the following prerequisites:

Now let’s build our solution.

1- Login to the AWS management console and select the EC2 service.

1

2- Click on Instance to launch a new Amazon Linux instance and make sure that’s under the free tier category.

2

3- Then select the instance type, key pair, and security group and make sure that you allow the HTTP or HTTPS to be able to access the machine from the browser beside the SSH.

3
4- Click Launch the instance and wait to tell it becomes ready to access.

4

5

5- You have a machine with public IP and also you can assign a domain name to it if you want.

6- Now the VM is ready and you can access it by clicking on the connect button. You can choose between different clients but I’m using the default one in this demo which is the EC2 Instance Connect.

6

7- We are inside the machine now and we can start using the shell to run the commands for instance: sudo yum update to install the updates

8- Now we need to install the Docker to be able to download and run the MobSF Docker container by the following command:

sudo yum install docker

9- Add group membership for the default ec2-user so you can run all Docker commands without using the sudo command:

sudo usermod -a -G docker ec2-user

id ec2-user

newgrp docker
Enter fullscreen mode Exit fullscreen mode

10- Enable Docker service at AMI boot time:

sudo systemctl start docker.service
11- Get the Docker service status on your AMI instance, run:

sudo systemctl status docker.service

12- See the Docker version:

docker version

7

13- In the MobSF documentation, you can find how to install the Prebuilt Docker image by the following command:

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Enter fullscreen mode Exit fullscreen mode

Now Docker will start to pull the image and build the container and it will be linked to port 8000.

Because of that, we need to update our security group for this instance to add this port to be able to access it by editing the Inbound rules.

8

14- Now you can try to access the VM via the browser and the result should be like the following image:

9

Congratulations, you have successfully installed the MobSF tool on your machine.

Now you can upload the APK manually if you want to scan them or you can use the MobSF API from Mobile CI/CD platform such as Bitrise to upload the APK after you build the application then send it to the MobSF server that hosted on AWS machine.

Happy testing!

Top comments (0)

Take a look at this:

Settings

Go to your customization settings to nudge your home feed to show content more relevant to your developer experience level. πŸ›