Hi everyone, welcome to pentestguy. In this post we focus on how to set up and run MobSF-Automation in a CI/CD pipeline. We use Azure Pipelines to run MobSF-Automation and build a simple pipeline there.
What is MobSF-Automation?
Mobile application development is a continuous process: new code is deployed and released all the time, and testing every release manually is time-consuming. That is the reason I came up with this simple automation. MobSF-Automation is a simple Python-based tool written to automate MobSF (Mobile Security Framework) scans, which makes it ideal for a CI/CD pipeline.
As it is just an automation script, MobSF (Mobile Security Framework) itself needs to be running. Start it with the command below:
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Please follow the steps below to run MobSF-Automation locally on your system (computer/laptop).
Clone the repository and build the Docker image:
git clone https://github.com/pentestguy/MobSF-Automation.git
docker build -t mobsf-automation .
Run it locally using the command given below (mount the directory containing your APK as /apk and an output directory as /output):
docker run --rm -v ${PWD}:/apk -v ${PWD}/output:/output mobsf-automation /apk/your_app.apk --api-key YOUR_API_KEY --api-url YOUR_API_URL
You can also use the pre-built image with the command below. Please check the Docker page: link
docker run --rm -v ${PWD}:/apk -v ${PWD}/output:/output p3nt3stguy/mobsf-automation:latest /apk/your_app.apk --api-key YOUR_API_KEY --api-url YOUR_API_URL
Follow the steps below to configure MobSF-Automation in the pipeline.
In your pipeline there might be more steps, such as build and test, but here I kept it simple: I added DivaApplication.apk to the repository and ran the tool against that default location.
Add the tasks below to the newly created pipeline YAML file, or add them to an existing one.
trigger:
- main

pool:
  name: Self-hosted

steps:
- task: Docker@2
  displayName: 'Run MOBSF-Automation'
  inputs:
    command: 'run'
    arguments: '--rm -v $(System.DefaultWorkingDirectory):/apk -v $(System.DefaultWorkingDirectory)/output:/output p3nt3stguy/mobsf-automation:latest /apk/DivaApplication.apk --api-key $(apikey) --api-url $(url)'

- task: PublishPipelineArtifact@1
  displayName: 'Publish output artifacts'
  inputs:
    targetPath: '$(System.DefaultWorkingDirectory)/output'
    artifactName: 'MobSF-Reports'
Make sure to add the pipeline variables (apikey and url) that supply the arguments to the mobsf-automation Docker task. Their values depend on your MobSF instance; store apikey as a secret variable so it is masked in the job logs.
Configure the pipeline and verify that the MobSF instance is reachable from the agent (the self-hosted pool above must be able to reach the API URL).
Check the published artifacts; the MobSF results are in the MobSF-Reports artifact.
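The pipeline above still leaves the pass/fail decision to whoever opens the artifact. The following added example (not code from MobSF-Automation or from this post) drives the MobSF REST API with the same api-key/api-url pair and turns the JSON report into a CI gate that fails the job when high-severity findings exceed a budget. The endpoint paths follow the MobSF REST API; the report layout read by ci_gate (appsec.high / appsec.warning) is an assumption about the report_json response and should be checked against your MobSF version.

```python
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

FORM = "application/x-www-form-urlencoded"

def _post(api_url, api_key, path, data, content_type):
    """POST to the MobSF REST API; the API key travels in the Authorization header."""
    req = urllib.request.Request(api_url.rstrip("/") + path, data=data,
                                 headers={"Authorization": api_key, "Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)

def encode_multipart(field, filename, payload, boundary=None):
    """Build a multipart/form-data body for /api/v1/upload (the stdlib has no helper)."""
    boundary = boundary or uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"

def scan_apk(api_url, api_key, apk_path):
    """Upload one APK, start the static scan and fetch the JSON report."""
    with open(apk_path, "rb") as fh:
        body, ctype = encode_multipart("file", os.path.basename(apk_path), fh.read())
    up = _post(api_url, api_key, "/api/v1/upload", body, ctype)
    scan = {"hash": up["hash"], "scan_type": up["scan_type"], "file_name": up["file_name"]}
    _post(api_url, api_key, "/api/v1/scan", urllib.parse.urlencode(scan).encode(), FORM)
    report_form = urllib.parse.urlencode({"hash": up["hash"]}).encode()
    return _post(api_url, api_key, "/api/v1/report_json", report_form, FORM)

def ci_gate(report, max_high=0, max_warning=None):
    """Return (passed, counts). Assumes report_json exposes appsec.high / appsec.warning."""
    appsec = report.get("appsec", {})
    counts = {"high": len(appsec.get("high", [])), "warning": len(appsec.get("warning", []))}
    passed = counts["high"] <= max_high and (max_warning is None or counts["warning"] <= max_warning)
    return passed, counts

if __name__ == "__main__":
    # usage: mobsf_gate.py <apk> <api-key> <api-url>; a non-zero exit fails the pipeline job
    result = scan_apk(sys.argv[3], sys.argv[2], sys.argv[1])
    ok, found = ci_gate(result)
    print("MobSF gate", "passed" if ok else "FAILED", found)
    sys.exit(0 if ok else 1)
```

Run it as an extra pipeline step after the Docker task, passing $(apikey) and $(url), so a failed gate marks the job as failed while the artifacts are still published.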
That’s all for this post. Please share it with your co-workers and friends if you found it helpful, and leave your valuable comments and suggestions. You can also collaborate with us; please check our collaboration page. Thank you!