The security of mobile apps has always been a daunting task. Regardless of the measures implemented, cybercriminals are constantly trying to find new ways to compromise security. Not only users but organizations are also facing the wrath of mobile application security. In fact, 57% of all the organizations experienced a mobile phishing incident last year.
The rising security threats have certainly enhanced the necessity of mobile security testing. The most common technique used by mature businesses is to try and detect vulnerabilities early in the development cycle and mitigate them using SAST (Static Application Security Testing). And one of the commonly used tools for conducting SAST is MobSF.
While tools like MobSF have their own set of advantages and disadvantages, it is important to lay out some common parameters to assess the performance of such security testing tools. So, let's know in more detail about SAST, MobSF, and some of the differentiating features of mobile security testing tools so as to find out what are some of the best alternatives for MobSF.
What is SAST?
SAST or Static Application Security Testing is a method of security testing where source code is assessed in order to discover security vulnerabilities that are present in applications and make them susceptible to attacks.
The best thing about SAST is that it is executed very early in the SDLC (Software Development Life Cycle) and it doesn't require a functional application or code execution beforehand. It assists developers in identifying security vulnerabilities during the early stages of the development itself. As a result, issues can be resolved quickly without disrupting the development cycle or passing the threat to the subsequent stages of development before resolution.
What is MobSF?
MobSF or Mobile Security Framework is an open-source security assessment tool that is capable of performing both dynamic and static analyses. This all-in-one tool that has functionalities for Android, Windows and iOS platforms can also perform pentesting and malware analysis. MobSF supports binaries for mobile apps like APK, APPX, and IPX and also supports zipped source code. With the help of REST APIs, MobSF can be integrated with DevSecOps or CI/CD pipelines.
With this open-source SAST tool, developers can highlight vulnerabilities early during the development phase itself. Another fact about MobSF which is interesting in itself is that it is hosted in local environments so that the sensitive data doesn't interact with the cloud environment. With MobSF, mobile app test environments could be set up easily on all three major platforms, i.e. Android, iOS, and Windows.
MobSF has come up with new features and enhancement in its latest update v3.1.1 Betachangelog
Few new features are-
New test case for Network Security configuration and analyzing SSL certificates.
Genymotion cloud support.
Added multiple Frida scripts for root detection.
How to Evaluate and Deploy a SAST Solution?
An effective SAST deployment requires its transparent integration with the different development processes and support systems. When the user engagement will be high, i.e., the developers can work smoothly with the given solution, the SAST deployment is bound to result in more privacy, security, and thorough quality assurance.
Here we have outlined some of the most critical aspects which must be considered while selecting and evaluating any commercial or open-source SAST solution. So, let's take a look at some of these points:
1) Speed of Analysis
While considering any SAST solution or comparing it with some other tool, the speed of analysis must be prioritized. While the speed range varies between hundreds to thousands of lines codes assessed per second for different tools, it becomes important to give weight to the speed criteria as you wouldn't want unnecessary delays in your overall process.
Many SAST tools are known to use complicated algorithms and testing methods that use big chunks of memory and are extremely slow. And you never want to be in the situation of a memory exhaustion problem. Many people are often forced to alter their SAST configurations to focus on speed and not precision because of this limitation.
The best possible way is to focus both on speed and precision. New commercial SAST solutions are now coming up with features like parallel analysis and incremental analysis which are much faster than the conventional solutions.
The speed of your SAST tool must be measured while you are experimenting against your artificial or natural codebases. Configuration changes must be adjusted accordingly as well. The runtime can be improved significantly by turning on or off some of the rulesets. All of this becomes really important when you are trying to enforce SLAs (Service Level Agreements) or making predictions regarding the required infrastructure investment in SAST deployment.
2) Detailed Trace and Remediation Guidance
The next important thing to keep in mind while selecting a SAST tool is whether it provides a comprehensive and detailed trace of the errors and gives proper and actionable remediation guidance or not. The best way to make sure all of this is to analyze the SAST tool's defect taxonomy.
Many SAST solutions give defect traces which are missing on a lot of useful information. The most advanced tools give a thorough defect trace with the most intricate details like all the conditional branches that were used to arrive at the defect and also the values of the tracked variables. It is always better to know each and every detail instead of beating around the bush in confusion.
Very clear and actionable remediation guidance is equally important. It gives you an opportunity to consistently train them about software and information security. Mature SAST tools provide detailed guidance with external security supplements like OWASP policies to help your developers even further on the forefronts of security and defect patching.
"We believe in the expert mobile security approach and have the best of security researchers focused on mobile app security only. Appknox ensures false positives less than 1 % compared to the mobile application security industry benchmark of 5 %." - Subho Halder, CISO & Co-founder, Appknox.
3) Isolate Users or Teams
Defects can be overwhelming. Not everyone intends to know about each and every defect in the system every time they open the SAST interface. That is why it is practical to isolate the users or teams to get notified only about the defects and warnings that are coming from the trees which they are supposed to take care of.
Mapping teams to separate directories has other benefits too. You could generate insights about teams that have done well in terms of engagement levels and the rate of defects. Such insights could help you improve performance and also assist you in moving closer to your security goal.
4) Remediation and Report Generation
After the deployment of the SAST tool, it becomes necessary to find out whether the tool is working as intended or not. Most probably, it doesn't work as effectively as you wish. There are often some teams with low engagement rates or portions of code which show high false-positives.
That is why the SAST tool must be able to generate thorough reports so that you would be able to focus on all such weaknesses effectively. The best tools are those who support a large variety of report types suited to your choice. Another important thing that a SAST tool must be able to do is to let you export the raw test data so that you could conduct a detailed analysis of your own if you wanted.
Reports help you measure the adoption or user engagement rates, defect types and trends, and also the false-positive rates. If this information is used strategically, your organization can identify issues in your SAST solution and rapidly respond with corrective action. Such proactive and continual behavior is a sure sign that your organization is sticking to Agile methodology.
5) Product Roadmap Provided by the Vendor
It's better to know in advance what you are betting your money on. A mature SAST vendor is the one who will let you know about their product roadmap and how things will fare in the years to come. A poorly designed roadmap or even the absence of it shows that the vendor has no vision regarding security.
Since you are about to make a decent time and monetary investment on the tool, you must make sure that it stands true to your expectations and you can use it continuously in the years to come.
While asking for the roadmap, you must focus on the changelog for the past releases of the product. If the vendor doesn't seem proactive in providing regular customer updates or doesn't show interest in making improvements to the analysis engine or the defect finding capabilities, you must not trust their product.
Alternatives for MobSF: MobSF vs Other Tools
The list of mobile security analysis tools is endless. Based on the critical evaluation aspects, we can compare some of the commonly available mobile security testing tools with MobSF and see how they fare in comparison to one another. Here are some of the alternatives for MobSF:
MobSF vs Drozer
While Drozer can perform SAST decently, it is better known for dynamic analysis while MobSF is preferred for static analysis only. A drawback of Drozer in comparison to MobSF, however, is the analysis that it performs on apps is only in the context of the app which is installed on the same device.
MobSF also has a graphic interface that is more engaging in comparison to Drozer. Being a commercial app gives Drozer an added advantage in terms of the depth and accuracy of the analysis, which is generally not the case with MobSF.
MobSF vs Fortify
Fortify outperforms MobSF both in terms of speed of execution and also the rate of false-positives. With a detailed code analysis for maximum possible redundancies, Fortify can remove 90% of the false positives, while MobSF gives a fairly high amount of false positives. Contrary to MobSF, Fortify has the feature of on-premise availability also. Also, Fortify has a broader compliance coverage and it covers regulations like PCI DSS, DISA STIG, and OWASP top 10 which are not covered by MobSF.
MobSF vs QARK
While both QARK (Quick Android Review Kit) and MobSF are preferred for static analysis, the graphic UI of MobSF is certainly more preferred by developers than the console interface of QARK. Although QARK is also an open-source tool like MobSF, the LinkedIn dev team is constantly working on it to significantly improve it as compared to its other competitors. Also, QARK provides a more detailed vulnerability report than MobSF and also focuses more on the remediation part better.
Limitations of MobSF
MobSF has its own set of advantages, like an engaging web GUI and easy integration, but the list of MobSF drawbacks is also not a short one.
Being an open-source tool, MobSF lacks a structured product roadmap and its users can’t remain certain about the tool’s usability in the future. The framework of MobSF is still in the beta phase and it also lacks a lot of access management features. Many users also report emulator issues while working with MobSF on various operating systems. It also doesn’t support API testing, which is becoming more and more important these days.
Talking about report generation and remediation, MobSF has limited functionality on this front also. Their reports lack detailed analytics on the issues discovered and also there is very little support in terms of remediation.
"Comparing your Security investment between MobSF vs Appknox Automated Security tool, there was a reduction in security testing time by 60% when using Appknox's mobile security solution." - Harshit Agarwal, CEO & Co-founder, Appknox.
Major drawbacks while using MobSF
- Missing access management features.
- Lots of false positive - as they do regular expression search which is not accurate enough, where as Appknox uses a Data flow algorithm to figure out more specific and correct security issues.
- It is hard to run an Android emulator on MobSF
How does MobSF Compare With Appknox?
Appknox, the leading mobile security testing tool, has tons of practical advantages as compared to MobSF.
Appknox supports both SAST and DAST (Dynamic Application Security Testing) on both the leading mobile platforms, i.e., Android and iOS while MobSF doesn’t support DAST on iOS devices. Appknox also has much better compliance coverage and can be integrated into a larger number of services like JIRA, Github, Eclipse, and Android Studio. It is also available on cloud and on-premise, while MobSF can only be used with local installation or via Docker.
Appknox is also known to have much better report generation capabilities and we also provide detailed remediation support with a complimentary dashboard for CXOs focussing on all the insights gained from the test. Appknox also has the best in class rates for false-positives and false-negatives which is generally not the case with MobSF.
And with the added functionalities like API testing, UBA (User Behaviour Analysis), and two-factor authentication for added account security, Appknox surely seems to be a much more advanced and practical security testing tool than MobSF.
Similar to the rising threats in the mobile application security landscape, the number of solutions for mobile security testing is also pretty large. Moreover, because businesses are making a major security decision and investing significant resources, it becomes important to carefully select their security vendor.
We highlighted some of the most critical features which must be considered while selecting the right SAST vendor for your company. Apart from the mentioned factors, it is equally important for any security vendor to have a broad security perspective and the readiness to adapt itself to the changing threat landscape.
And of all the tools we reviewed, we can confidently say that Appknox leads the way when it comes to a trustworthy mobile security testing vendor.