Hello everyone! Welcome to pentestguy. In this article we focus on how to set up mobsfscan in Azure DevOps. What does that mean? As we know, MobSF is one of the most popular tools used for Android app pentesting, and MobSF has a companion tool named mobsfscan, a static analysis tool that helps find insecure code patterns in Android and iOS source code. Here we are going to set up mobsfscan in an Azure DevOps build pipeline so that it reports insecure code patterns on every build. For this demonstration I am using the InsecureBankv2 repository.
What is Android-InsecureBankv2?
It’s a deliberately vulnerable Android application which is really helpful for security enthusiasts and developers to learn about Android security.
Clone the repository into Azure DevOps, or use your own repository/project in which you are going to implement this test. After that create an azure-pipeline.yml file and add the code below into it. In your case there might be more tasks; here we are only focusing on the implementation of mobsfscan and report generation.
# Disable CI and PR triggers; the pipeline is run manually for this demo
trigger: none
pr: none

pool:
  name: Self-hosted

jobs:
- job: Publish
  displayName: 'Publish Job'
  pool:
    name: Self-hosted
  steps:
  # Publish the app sources as a build artifact
  - task: PublishBuildArtifacts@1
    inputs:
      pathtoPublish: 'InsecureBankv2/app/src/'
      artifactName: 'InsecureBankv2'
  # Download that artifact into the artifacts directory for scanning
  - task: DownloadBuildArtifacts@0
    inputs:
      buildType: 'current'
      downloadType: 'single'
      artifactName: 'InsecureBankv2'
      downloadPath: '$(System.ArtifactsDirectory)'
  - script: |
      # Assuming you have a script to install MobSF dependencies
      # and run the mobsfscan command
      mobsfscan --no-fail --html -o $(System.ArtifactsDirectory)/report.html $(System.ArtifactsDirectory)/InsecureBankv2/
    displayName: 'Run MobSF Scan'
  # Publish the HTML report as its own artifact
  - publish: $(System.ArtifactsDirectory)/report.html
    artifact: MobSFScanReport
    displayName: 'Publish MobSF Scan Report'
In the above example the pool is self-hosted, which is a private Ubuntu host; make sure to install mobsfscan on the pool agent where the tasks are going to be executed. Also make sure to provide the src path to mobsfscan as given in the above code. Note that --no-fail means the step always exits successfully, so the build will not fail on findings; the report is published for review instead.
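Because --no-fail never fails the build, a practitioner usually wants a small gate that reads the scan results and decides whether the pipeline should go red. The script below is an added example for this post, not code from mobsfscan or from the InsecureBankv2 project. It assumes mobsfscan was run a second time with --json -o report.json and that the JSON has the layout mobsfscan emits: a top-level "results" map keyed by rule id, each entry holding a "files" list (one item per match) and "metadata" with a "severity" of ERROR, WARNING or INFO. The file name mobsf_gate.py, the thresholds and the sample report embedded in it are constructed for illustration.

```python
"""Gate an Azure DevOps build on a mobsfscan JSON report (added example).

Assumes the report layout described in the lead-in: results keyed by rule id,
each with "files" and "metadata" -> "severity" in {ERROR, WARNING, INFO}.
Usage inside a pipeline script step (after mobsfscan --json -o report.json):
    python3 mobsf_gate.py $(System.ArtifactsDirectory)/report.json
With no argument it evaluates the constructed SAMPLE_REPORT below.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("ERROR", "WARNING", "INFO")

# Constructed sample in the shape of a mobsfscan JSON report; not real output.
SAMPLE_REPORT = {
    "mobsfscan_version": "x.y.z",
    "errors": [],
    "results": {
        "android_logging": {
            "files": [
                {"file_path": "app/src/main/java/LoginActivity.java", "match_lines": [42, 42]},
                {"file_path": "app/src/main/java/DoTransfer.java", "match_lines": [88, 88]},
            ],
            "metadata": {"severity": "INFO", "description": "Logging of sensitive data"},
        },
        "android_sqlite_raw_query": {
            "files": [
                {"file_path": "app/src/main/java/DBHelper.java", "match_lines": [17, 17]},
            ],
            "metadata": {"severity": "WARNING", "description": "Raw SQL query"},
        },
        "android_hardcoded_secret": {
            "files": [
                {"file_path": "app/src/main/java/CryptoClass.java", "match_lines": [23, 23]},
            ],
            "metadata": {"severity": "ERROR", "description": "Hardcoded key"},
        },
    },
}


def summarize(report):
    """Count matches per severity; a rule matching N files counts N times."""
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for result in report.get("results", {}).values():
        severity = result.get("metadata", {}).get("severity", "INFO").upper()
        counts[severity] += len(result.get("files", []))
    return dict(counts)


def should_fail(report, max_error=0, max_warning=None):
    """True when the counts exceed the thresholds; None means no limit."""
    counts = summarize(report)
    if counts["ERROR"] > max_error:
        return True
    if max_warning is not None and counts["WARNING"] > max_warning:
        return True
    return False


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    counts = summarize(report)
    for sev in SEVERITIES:
        print(f"{sev}: {counts[sev]}")
    if should_fail(report):
        # Azure DevOps logging command: shows the message as an error in the run summary
        print("##vso[task.logissue type=error]mobsfscan reported blocking findings")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an extra line in the 'Run MobSF Scan' script step after the HTML scan; a non-zero exit from the script step fails the job, which is the behaviour --no-fail alone does not give you. Start with max_error=0 only, so existing WARNING and INFO findings in a legacy codebase do not block every build, and tighten the warning threshold once the backlog is triaged.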
To install mobsfscan, use the command given below:
pip3 install mobsfscan
Create a new pipeline, choose the repository, run it and check whether it executed successfully or not.
Check the artifacts and download the report, which is in HTML format.
A sample report is added here for reference – https://gist.github.com/3aa43c6dadd215b2ddc2326b40f372be.git – save it and open it in the browser for a proper view.
If you found this post helpful, please share it with your co-workers and friends. Please leave your valuable comments and let us know if you have any suggestions. You can now also collaborate with us; please check our collaboration page. Thank you!