MobSF offers REST APIs, and you can view the latest API documentation directly within the app at the `/api_docs` route.
For CI/CD, you can take advantage of the MobSF REST API.
MobSF CI/CD pipeline integration
- MobSF - Bitrise - iOS Security Analysis with MobSF | Run your security static analysis tests on the cloud with MobSF, AWS, and Bitrise
- MobSF - OWASP Glue - How To: (Continuously) Hacking Your App
- MobSF - Jenkins - Achieving DevSecOps: Mobile App Security Integration Using Jenkins and MobSF
- MobSF - Gitlab CI - Running MobSF SAST using Gitlab CI Service | GitLab CI template for MobSF
- mobsfscan SAST CI/CD - mobsfscan
- Run MobSF server: `./run.sh` or `run.bat`
- Obtain the REST API key from console.
- Run `mass_static_analysis.py`

```
pip install requests
python mass_static_analysis.py
usage: mass_static_analysis.py [-h] [-d DIRECTORY] [-s IPPORT] [-k APIKEY]
                               [-r RESCAN]

optional arguments:
  -h, --help            show this help message and exit
  -d DIRECTORY, --directory DIRECTORY
                        Path to the directory that contains mobile app
                        binary/zipped source code
  -s IPPORT, --ipport IPPORT
                        IP address and Port number of a running MobSF Server.
                        (ex: 127.0.0.1:8000)
  -k APIKEY, --apikey APIKEY
                        MobSF REST API Key
  -r RESCAN, --rescan RESCAN
                        Run a fresh scan. Value can be 1 or 0 (Default: 0)
```

Example:

```
python mass_static_analysis.py -s 127.0.0.1:8000 -k <rest_api_key> -d /home/files/
```
VirusTotal Scan is disabled by default. You need to add your VirusTotal API Key before enabling it.
- Get VirusTotal API Key here
- Access your API Key from https://www.virustotal.com/en/user/[username]/apikey/.
- Set the environment variables `MOBSF_VT_ENABLED=1` and `MOBSF_VT_API_KEY=<your-api-key>` before running MobSF.
- You can enable binary uploads to VirusTotal by setting the environment variable `MOBSF_VT_UPLOAD=1`. This option is disabled by default.
We use the AppMonsta API to fetch details from the Google Play Store as a fail-safe for our primary implementation. It is disabled by default. To enable it, you need an AppMonsta API key.
- Get AppMonsta API Key from: AppMonsta API Key
- Set the environment variable `MOBSF_APPMONSTA_API=<appmonsta-api-key>` before running MobSF.
By default, MobSF uses SQLite as its database. However, you can switch to a PostgreSQL backend if needed.
To configure PostgreSQL, set the following environment variables before starting MobSF:
```
POSTGRES_USER=postgres
POSTGRES_PASSWORD=password
POSTGRES_DB=mobsf
POSTGRES_HOST=postgres
POSTGRES_PORT=5432
```

Apply Migrations

```
poetry run python manage.py makemigrations
poetry run python manage.py makemigrations StaticAnalyzer
poetry run python manage.py migrate
poetry run python manage.py create_roles
```
You can now restart the MobSF server, and PostgreSQL will be successfully configured as the database.
You can also take a look at the docker compose template that uses Postgres and Nginx with MobSF here.
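
The following pre-flight check is an added example, not part of MobSF or its documentation: it validates the VirusTotal and PostgreSQL environment variables described above before the server is started. The function name `mobsf_preflight`, the `ALLOW_VT_UPLOAD` opt-in, the placeholder-password list, and the rule that any set `POSTGRES_*` connection variable signals intent to use PostgreSQL are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the MobSF environment variables named above.
# ALLOW_VT_UPLOAD is a hypothetical opt-in used only by this script, not a MobSF setting.
# Usage: . ./preflight.sh && mobsf_preflight && ./run.sh

mobsf_preflight() (
    errors=0
    fail() { echo "preflight: $1" >&2; errors=$((errors + 1)); }

    # VirusTotal lookups need a key once they are switched on.
    if [ "${MOBSF_VT_ENABLED:-0}" = "1" ] && [ -z "${MOBSF_VT_API_KEY:-}" ]; then
        fail "MOBSF_VT_ENABLED=1 but MOBSF_VT_API_KEY is not set"
    fi

    # Uploading binaries shares the app under test with a third party,
    # so require an explicit second confirmation (script-local policy).
    if [ "${MOBSF_VT_UPLOAD:-0}" = "1" ] && [ "${ALLOW_VT_UPLOAD:-0}" != "1" ]; then
        fail "MOBSF_VT_UPLOAD=1 sends app binaries to VirusTotal; set ALLOW_VT_UPLOAD=1 to confirm"
    fi

    # Assumption: any POSTGRES_* connection variable means PostgreSQL is intended.
    if [ -n "${POSTGRES_HOST:-}${POSTGRES_USER:-}${POSTGRES_DB:-}" ]; then
        # Illustrative deny list; "password" is the sample value shown above.
        case "${POSTGRES_PASSWORD:-}" in
            ""|password|postgres|changeme)
                fail "POSTGRES_PASSWORD is empty or a documentation placeholder" ;;
        esac
        case "${POSTGRES_PORT:-5432}" in
            *[!0-9]*) fail "POSTGRES_PORT must be numeric" ;;
        esac
    fi

    exit "$errors"   # 0 = safe to start; otherwise the number of findings
)
```

The function body runs in a subshell, so it never alters the caller's environment; a non-zero status is the count of findings and stops a `&&` chain before `./run.sh`.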