MobSF for penetration testers
MobSF (Mobile Security Framework) is a free and open-source security scanner for mobile applications.
First, this talk will introduce MobSF and its main features. Then it will show how MobSF can be used during a penetration test or a red team engagement.
After explaining how to set up the tool for penetration testing, several use cases will be presented from different points of view:
- a security review of a mobile application (or an SDK), where the application or the specific SDK is itself the target;
- an assessment where the mobile application is not directly the target, and is instead used for reconnaissance (and more);
- a quick use case for penetration testers who do not want to dig into complex Android techniques.
These use cases will also point out MobSF's limits and how to work around them using its REST API and homemade scripts. For some cases, a comparison with other tools (such as apkleaks) will be made.
Finally, a quick review of how bug reports and feature requests are handled by the MobSF team.
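As an added illustration of the "API and homemade scripts" approach (example code written for this page, not code from the talk or from the MobSF project), the script below drives a MobSF instance over its REST API (upload, scan, report_json), then flattens the URLs, domains and secrets from the JSON report so they can be diffed against the output of another tool such as apkleaks. Assumptions, labelled in the code: the instance URL and REST key come from the MOBSF_URL and MOBSF_API_KEY environment variables (the key is printed by MobSF at startup and shown on /api_docs), the report field names ("urls", "secrets", "domains") follow recent MobSF Android static reports, and the scan endpoint only needs the "hash" field (older releases also required "scan_type" and "file_name"). The sample report is constructed so the post-processing runs without a MobSF server; check the field layout against /api_docs on your own version.

```python
"""Drive MobSF's REST API from a script and post-process the JSON report.

Added example, not code from the MobSF project or the talk. Assumptions,
labelled as such: MobSF listens on MOBSF_URL, the REST key is in MOBSF_API_KEY,
and the report_json layout ('urls', 'secrets', 'domains') matches recent
MobSF Android static reports; verify against /api_docs on your instance.
"""
import json
import os
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")  # assumed instance
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "")  # printed by MobSF at startup


def _post(endpoint, data, content_type):
    """POST raw bytes to a MobSF REST endpoint and decode the JSON reply."""
    req = urllib.request.Request(
        MOBSF_URL + endpoint,
        data=data,
        headers={"Authorization": MOBSF_API_KEY, "Content-Type": content_type},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.loads(resp.read().decode())


def post_form(endpoint, fields):
    """POST a form-urlencoded body (used by /scan, /report_json, /delete_scan)."""
    body = urllib.parse.urlencode(fields).encode()
    return _post(endpoint, body, "application/x-www-form-urlencoded")


def upload(path):
    """Upload an APK/IPA as multipart form data; return the hash MobSF assigns."""
    boundary = uuid.uuid4().hex
    with open(path, "rb") as fh:
        payload = fh.read()
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{os.path.basename(path)}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    reply = _post("/api/v1/upload", head + payload + tail,
                  f"multipart/form-data; boundary={boundary}")
    return reply["hash"]


def scan_and_fetch_report(path):
    """Full pipeline: upload, run the static scan, pull the JSON report."""
    file_hash = upload(path)
    post_form("/api/v1/scan", {"hash": file_hash})  # assumption: hash-only form
    return post_form("/api/v1/report_json", {"hash": file_hash})


def extract_indicators(report):
    """Flatten the report fields a recon-oriented tester cares about.

    Returns sorted, de-duplicated URLs, domains and secret strings so they can
    be diffed against another tool's findings (field names are assumptions).
    """
    urls = set()
    for entry in report.get("urls", []):  # each entry: {"urls": [...], "path": "..."}
        urls.update(entry.get("urls", []))
    domains = set(report.get("domains", {}).keys())
    secrets = set(report.get("secrets", []))
    return {"urls": sorted(urls), "domains": sorted(domains), "secrets": sorted(secrets)}


def diff_indicators(mobsf_items, other_items):
    """Compare one indicator list with the same kind of list from another tool."""
    a, b = set(mobsf_items), set(other_items)
    return {"only_mobsf": sorted(a - b), "only_other": sorted(b - a), "both": sorted(a & b)}


# Constructed sample report fragment (not real MobSF output) so the
# post-processing can be exercised without a running instance.
SAMPLE_REPORT = {
    "urls": [
        {"urls": ["https://api.example.com/v1/login", "http://cdn.example.com/"],
         "path": "com/example/app/Net.java"},
        {"urls": ["https://api.example.com/v1/login"], "path": "res/values/strings.xml"},
    ],
    "domains": {"api.example.com": {"bad": "no"}, "cdn.example.com": {"bad": "no"}},
    "secrets": ['"aws_key" : "AKIAEXAMPLE0000000000"'],  # constructed placeholder
}

if __name__ == "__main__":
    import sys
    # With an APK path and a reachable MobSF: real scan. Otherwise: sample data.
    report = scan_and_fetch_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(json.dumps(extract_indicators(report), indent=2))
```

Feed the "urls" list from `extract_indicators` and the URL list you pull out of apkleaks' output into `diff_indicators` to see what each tool finds that the other misses; the same pattern works for batching dozens of APKs through one MobSF instance during recon.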