MobSF
An automated, all-in-one mobile application security testing framework supporting static and dynamic analysis of Android, iOS, and Windows mobile apps.
Developer
Ajin Abraham / OWASP
Technical Dossier
Mobile Security Framework (MobSF) is an open-source, automated security testing platform purpose-built for mobile applications. It supports Android (APK, AAB, source), iOS (IPA, source), and Windows (APPX) binaries, providing both static analysis (SAST) and dynamic analysis (DAST) from a single web-based interface. Originally created by security researcher Ajin Abraham and now affiliated with the OWASP project, MobSF has become the most widely used open-source mobile application security tool, with over 17,000 GitHub stars.
The static analysis engine decompiles application binaries, extracts manifests and metadata, and performs automated code review against a comprehensive rule set. For Android, this includes analysis of AndroidManifest.xml permissions, exported components, intent filters, WebView configurations, and Java/Kotlin source code patterns. For iOS, MobSF analyses Info.plist entitlements, App Transport Security settings, and Objective-C/Swift code patterns. On both platforms the scanner also flags hardcoded credentials, weak or misused cryptography, TLS trust weaknesses (permissive trust managers or hostname verifiers, missing certificate pinning), insecure local data storage, and dangerous API usage. As with any pattern-based SAST, these are candidate findings rather than confirmed vulnerabilities; a matched rule needs manual review before it is reported as exploitable.
Dynamic analysis instruments the running application on an emulator or physical device (Frida-based on Android), capturing network traffic (HTTPS is decrypted through MobSF's own proxy once the device trusts its CA certificate), file system activity, log output, and runtime API calls. This reveals behaviours invisible to static analysis, such as data exfiltration, analytics tracking, and server-side communication patterns. Findings are mapped to the OWASP Mobile Top 10 and MASVS (Mobile Application Security Verification Standard) categories, producing structured reports suitable for compliance assessments and penetration test deliverables. The REST API, authenticated with a per-instance API key, exposes upload, scan, and report retrieval as HTTP calls, so security teams can integrate MobSF into CI/CD pipelines for continuous mobile app security testing.
Multi-Platform Static Analysis
Decompiles and analyses APK, IPA, APPX, and source archives — reviewing manifest permissions, hardcoded secrets, insecure API calls, and cryptographic weaknesses.
Dynamic Analysis
Instruments running apps on emulators or devices to capture network traffic, API calls, runtime behaviour, and data leakage in real time.
OWASP Mobile Top 10 Coverage
Maps findings to OWASP Mobile Top 10 and MASVS categories, producing compliance-ready reports for mobile security assessments.
REST API & CI Integration
Full REST API enables automated scanning in CI/CD pipelines, with JSON and PDF report generation for integration into security workflows.
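The CI/CD integration described in the dossier and in the REST API feature card above, as an added example that is not part of this page or of the MobSF project: a stdlib-only Python gate that uploads an app, triggers a static scan, pulls the appsec scorecard and fails the build when it misses a threshold. The endpoints (/api/v1/upload, /api/v1/scan, /api/v1/scorecard) and the Authorization header carrying the API key follow the MobSF REST API documentation; the scorecard field names used by the gate (security_score and the high/warning finding buckets), the MOBSF_URL/MOBSF_API_KEY environment variables and the thresholds are assumptions made for the example.

```python
"""CI gate for MobSF: upload an app, run a static scan, fetch the appsec
scorecard and return a non-zero exit code when it misses a threshold.

Added example, not code shipped with MobSF. Endpoint paths and the
"Authorization: <api key>" header follow the MobSF REST API docs; the
scorecard field layout and the thresholds below are assumptions.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")  # assumed local instance
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "")  # key MobSF prints at startup


def encode_multipart(field, filename, data, boundary=None):
    """Build a multipart/form-data body by hand so only the stdlib is needed."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def api_post(path, body, content_type):
    """POST to MobSF; every REST call is authenticated with the API key header."""
    req = urllib.request.Request(MOBSF_URL + path, data=body, method="POST")
    req.add_header("Authorization", MOBSF_API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:  # a static scan can take minutes
        return json.loads(resp.read().decode())


def form_post(path, fields):
    body = urllib.parse.urlencode(fields).encode()
    return api_post(path, body, "application/x-www-form-urlencoded")


def upload(app_path):
    """Upload an APK/IPA/APPX; the response carries hash, scan_type and file_name."""
    with open(app_path, "rb") as fh:
        ctype, body = encode_multipart("file", os.path.basename(app_path), fh.read())
    return api_post("/api/v1/upload", body, ctype)


def evaluate_scorecard(card, min_score=70, max_high=0, max_warning=10):
    """Return (passed, reasons) for a scorecard dict.

    Severity buckets are assumed to be lists of findings; an int count is
    accepted too so the gate survives a layout change in either direction.
    """
    def count(key):
        value = card.get(key, 0)
        return value if isinstance(value, int) else len(value)

    reasons = []
    score = card.get("security_score", 0)
    if score < min_score:
        reasons.append(f"security_score {score} < {min_score}")
    if count("high") > max_high:
        reasons.append(f"{count('high')} high-severity finding(s) (max {max_high})")
    if count("warning") > max_warning:
        reasons.append(f"{count('warning')} warning(s) (max {max_warning})")
    return (not reasons), reasons


def run_gate(app_path):
    """Upload, scan, fetch the scorecard and return a CI exit code."""
    up = upload(app_path)
    # Newer MobSF versions need only the hash; passing the other two fields
    # from the upload response keeps the call working on older releases.
    form_post("/api/v1/scan", {"hash": up["hash"], "scan_type": up["scan_type"],
                               "file_name": up["file_name"]})
    card = form_post("/api/v1/scorecard", {"hash": up["hash"]})
    passed, reasons = evaluate_scorecard(card)
    print("PASS" if passed else "FAIL", up["hash"], *reasons, sep="\n  ")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(run_gate(sys.argv[1]))
```

Run it from a pipeline step as `python mobsf_gate.py app-release.apk` with MOBSF_URL and MOBSF_API_KEY set as CI secrets; the thresholds are a starting point and should be tightened per app once the baseline scan has been triaged, since a scorecard counts rule matches, not confirmed vulnerabilities.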
Distribution Model
Open Source
Free community edition available.
Enterprise support on request.

Platforms
ANDROID, IOS, WINDOWS
Analysis
STATIC + DYNAMIC
API
REST
License
GPL 3.0