MobSF/mobsfscan
GitHub: MobSF/mobsfscan
A semantic-pattern-based static analysis tool built to detect insecure code patterns in Android and iOS source code.
Stars: 750 | Forks: 123
# mobsfscan
**mobsfscan** is a static analysis tool that finds insecure code patterns in Android and iOS source code. It supports Java, Kotlin, Android XML, Swift and Objective C. mobsfscan uses the [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) static analysis rules and is powered by the [semgrep](https://github.com/returntocorp/semgrep) and [libsast](https://github.com/ajinabraham/libsast) pattern matchers.
Made with ❤️ in India
## Installation
`pip install mobsfscan`
Requires Python 3.7+
## Command Line Options
```
$ mobsfscan
usage: mobsfscan [-h] [--json] [--sarif] [--sonarqube] [--html] [--type {android,ios,auto}]
                 [-o OUTPUT] [-c CONFIG] [-mp {default,billiard,thread}] [-w] [--no-fail] [-v]
                 [path ...]

positional arguments:
  path                  Path can be file(s) or directories with source code

options:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  --type {android,ios,auto}
                        optional: force android or ios rules explicitly
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        location to .mobsf config file
  -mp {default,billiard,thread}, --multiprocessing {default,billiard,thread}
                        optional: specify multiprocessing strategy
  -w, --exit-warning    non zero exit code on warning
  --no-fail             force zero exit code, takes precedence over --exit-warning
  -v, --version         show mobsfscan version
```
## Example Usage
```
$ mobsfscan tests/assets/src/
- Pattern Match ████████████████████████████████████████████████████████████ 3
- Semantic Grep ██████ 37
mobsfscan: v0.3.0 | Ajin Abraham | opensecurity.in
╒══════════════╤════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ android_webview_ignore_ssl │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ TYPE │ RegexAnd │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATTERN │ ['onReceivedSslError\\(WebView', '\\.proceed\\(\\);'] │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ INPUTCASE │ exact │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS │ 7.4 │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-295 Improper Certificate Validation │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP-MOBILE │ M3: Insecure Communication │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ MASVS │ MSTG-NETWORK-3 │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ REF │ https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═════════════════════════════════════════════════════════════════════════════════════════════╕ │
│ │ │ File │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Match Position │ 1480 - 1491 │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 50 │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Match String │ .proceed(); │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ File │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Match Position │ 1331 - 1357 │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Line Number(s) │ 46 │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Match String │ onReceivedSslError(WebView │ │
│ │ ╘════════════════╧═════════════════════════════════════════════════════════════════════════════════════════════╛ │
╘══════════════╧════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╛
```
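The `android_webview_ignore_ssl` finding above is a libsast `RegexAnd` rule: both patterns must appear in the file before it fires. The following is an added example, not mobsfscan's or libsast's own code, that re-implements that matching logic with the two patterns from the report and runs it over two constructed Java snippets (the SSL-error handler that calls `proceed()` and its hardened `cancel()` form); all names and the sample sources are this example's own.

```python
import re

# Patterns taken from the android_webview_ignore_ssl rule shown in the report.
WEBVIEW_IGNORE_SSL = [r'onReceivedSslError\(WebView', r'\.proceed\(\);']

# Constructed sample: a handler that swallows certificate errors (what the rule flags).
VULNERABLE_JAVA = """
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.proceed();
}
"""

# Constructed sample: the hardened handler, which refuses the connection instead.
FIXED_JAVA = """
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    handler.cancel();
}
"""


def regex_and(patterns, source):
    """RegexAnd semantics: return one hit per pattern only if *every* pattern matches.

    Each pattern is searched independently over the whole file, so the rule
    confirms co-occurrence, not that proceed() is reached from the handler.
    Positions are character offsets, like the 'Match Position' column above.
    """
    hits = []
    for pat in patterns:
        m = re.search(pat, source)
        if m is None:
            return None
        hits.append({
            'pattern': pat,
            'position': (m.start(), m.end()),
            'line': source.count('\n', 0, m.start()) + 1,
            'match_string': m.group(0),
        })
    return hits


def scan_webview_ssl(source):
    """Apply the android_webview_ignore_ssl patterns to one Java source string."""
    return regex_and(WEBVIEW_IGNORE_SSL, source)
```

Because the check is purely textual, a handler that validates the error and only then calls `proceed()` is still reported; treat the finding as a review prompt and suppress it with `// mobsf-ignore` once the code has been confirmed safe.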
## Python API
```
>>> from mobsfscan.mobsfscan import MobSFScan
>>> src = 'tests/assets/src/java/java_vuln.java'
>>> scanner = MobSFScan([src], json=True)
>>> scanner.scan()
{
    'results': {
        'android_logging': {
            'files': [{
                'file_path': 'tests/assets/src/java/java_vuln.java',
                'match_position': (13, 73),
                'match_lines': (19, 19),
                'match_string': ' Log.d("htbridge", "getAllRecords(): " + records.toString());'
            }],
            'metadata': {
                'cwe': 'CWE-532 Insertion of Sensitive Information into Log File',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-STORAGE-3',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs',
                'description': 'The App logs information. Please ensure that sensitive information is never logged.',
                'severity': 'INFO'
            }
        },
        'android_certificate_pinning': {
            'metadata': {
                'cwe': 'CWE-295 Improper Certificate Validation',
                'owasp-mobile': 'M3: Insecure Communication',
                'masvs': 'MSTG-NETWORK-4',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4',
                'description': 'This App does not use TLS/SSL certificate or public key pinning to detect or prevent MITM attacks in secure communication channel.',
                'severity': 'INFO'
            }
        },
        'android_root_detection': {
            'metadata': {
                'cwe': 'CWE-919 - Weaknesses in Mobile Applications',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': 'This App does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.',
                'severity': 'INFO'
            }
        },
        'android_prevent_screenshot': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M2: Insecure Data Storage',
                'masvs': 'MSTG-STORAGE-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9',
                'description': 'This App does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.',
                'severity': 'INFO'
            }
        },
        'android_safetynet_api': {
            'metadata': {
                'cwe': 'CWE-353 Missing Support for Integrity Check',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': "This App does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ",
                'severity': 'INFO'
            }
        },
        'android_detect_tapjacking': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-PLATFORM-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9',
                'description': "This app does not has capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.",
                'severity': 'INFO'
            }
        }
    },
    'errors': []
}
```
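The dictionary returned by `scan()` has the shape shown above: each rule id maps to `metadata` (with `severity`) and, for rules that matched concrete code, a `files` list. The following added example, which is not part of mobsfscan, consumes a constructed report in that shape to compute a severity summary and a CI exit status; `SAMPLE_REPORT` and the helper names are this example's own, and `run_scan` is the only function that touches the real `MobSFScan` API.

```python
from collections import Counter

# Severity ordering used by mobsfscan findings.
SEVERITY_RANK = {'INFO': 0, 'WARNING': 1, 'ERROR': 2}

# Constructed sample in the shape of MobSFScan.scan() output (trimmed metadata).
# Rules without a 'files' key are app-wide advisories, as in the output above.
SAMPLE_REPORT = {
    'results': {
        'android_logging': {
            'files': [{'file_path': 'app/src/main/java/Foo.java',
                       'match_lines': (19, 19),
                       'match_string': 'Log.d("tag", secret);'}],
            'metadata': {'cwe': 'CWE-532 Insertion of Sensitive Information into Log File',
                         'severity': 'INFO'},
        },
        'android_webview_ignore_ssl': {
            'files': [{'file_path': 'app/src/main/java/MainActivity.java',
                       'match_lines': (46, 50),
                       'match_string': '.proceed();'}],
            'metadata': {'cwe': 'CWE-295 Improper Certificate Validation',
                         'severity': 'ERROR'},
        },
        'android_certificate_pinning': {
            'metadata': {'cwe': 'CWE-295 Improper Certificate Validation',
                         'severity': 'INFO'},
        },
    },
    'errors': [],
}


def severity_counts(report):
    """Number of reported rules per severity level."""
    return Counter(r['metadata']['severity'] for r in report['results'].values())


def findings_at_or_above(report, threshold='WARNING'):
    """(rule_id, file_path, match_lines) for every file-level hit at or above threshold."""
    out = []
    for rule_id, rule in report['results'].items():
        if SEVERITY_RANK[rule['metadata']['severity']] < SEVERITY_RANK[threshold]:
            continue
        for f in rule.get('files', []):
            out.append((rule_id, f['file_path'], f['match_lines']))
    return out


def gate(report, threshold='WARNING'):
    """Exit status for a pipeline step: 1 on any hit at/above threshold or scan errors."""
    return 1 if findings_at_or_above(report, threshold) or report['errors'] else 0


def run_scan(paths):
    """Scan real paths; imported lazily so the helpers above work without mobsfscan installed."""
    from mobsfscan.mobsfscan import MobSFScan
    return MobSFScan(paths, json=True).scan()
```

The `gate` helper mirrors what the `-w/--exit-warning` CLI flag does, but lets you choose the threshold per pipeline and inspect which files tripped it.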
## Configure mobsfscan
A `.mobsf` file in the root of the source directory lets you configure mobsfscan. You can also pass a custom `.mobsf` file with the `--config` argument.
```
---
- ignore-filenames:
  - skip.java

  ignore-paths:
  - __MACOSX
  - skip_dir

  ignore-rules:
  - android_kotlin_logging
  - android_safetynet_api
  - android_prevent_screenshot
  - android_detect_tapjacking
  - android_certificate_pinning
  - android_root_detection
  - android_certificate_transparency

  severity-filter:
  - WARNING
  - ERROR
```
## Suppress Findings
You can suppress a finding by adding the comment `// mobsf-ignore: rule_id1, rule_id2` to the source line that triggers it.
Example:
```
String password = "strong password"; // mobsf-ignore: hardcoded_password
```
## CI/CD Integrations
You can enable mobsfscan in your CI/CD or DevSecOps pipeline.
#### GitHub Action
Add the following to the file `.github/workflows/mobsfscan.yml`.
```
name: mobsfscan
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4.2.2
    - uses: actions/setup-python@v5.3.0
      with:
        python-version: '3.12'
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --json'
```
Example: [pivaa using mobsfscan GitHub Action](https://github.com/MobSF/pivaa/actions/workflows/mobsfscan.yml)
#### GitHub Code Scanning Integration
Add the following to the file `.github/workflows/mobsfscan_sarif.yml`.
```
name: mobsfscan sarif
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
jobs:
  mobsfscan:
    runs-on: ubuntu-latest
    name: mobsfscan code scanning
    steps:
    - name: Checkout the code
      uses: actions/checkout@v4.2.2
    - uses: actions/setup-python@v5.3.0
      with:
        python-version: '3.12'
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --sarif --output results.sarif || true'
    - name: Upload mobsfscan report
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif
```

#### GitLab CI/CD
Add the following to the file `.gitlab-ci.yml`.
```
stages:
  - test
mobsfscan:
  image: python
  before_script:
    - pip3 install --upgrade mobsfscan
  script:
    - mobsfscan .
```
Example:
#### Travis CI
Add the following to the file `.travis.yml`.
```
language: python
install:
  - pip3 install --upgrade mobsfscan
script:
  - mobsfscan .
```
#### Circle CI
Add the following to the file `.circleci/config.yaml`.
```
version: 2.1
jobs:
  mobsfscan:
    docker:
      - image: cimg/python:3.9.6
    steps:
      - checkout
      - run:
          name: Install mobsfscan
          command: pip install --upgrade mobsfscan
      - run:
          name: mobsfscan check
          command: mobsfscan .
```
#### Bitrise
Add the following to the file `bitrise.yml`.
```
security_audit:
  steps:
  - activate-ssh-key@4:
      run_if: '{{getenv "SSH_RSA_PRIVATE_KEY" | ne ""}}'
  - git-clone@8.4: {}
  - mobsfscan@1: {}
  - deploy-to-bitrise-io@2: {}
```
## Docker
### Prebuilt image from [DockerHub](https://hub.docker.com/r/opensecurity/mobsfscan)
```
docker pull opensecurity/mobsfscan
docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src
```
### Build locally
```
docker build -t mobsfscan .
docker run -v /path-to-source-dir:/src mobsfscan /src
```