
How to Analyze Mobile Security with MobSF in 2026

Introduction

MobSF (Mobile Security Framework) is the leading open source tool for mobile application security analysis. In 2026, it combines static analysis, dynamic analysis, and OWASP MASVS vulnerability detection. This tutorial walks you through advanced installation, complete report automation, API integration, and optimized Docker configurations. Whether you are a pentester, mobile developer, or security professional, you will obtain immediately actionable results.

Prerequisites

  • Docker 24+ and Docker Compose v2
  • Python 3.11+ (for automation scripts)
  • A machine with at least 8 GB RAM
  • Test APK/IPA files
  • Basic knowledge of mobile security and YAML

Optimized Docker Installation

docker-compose.yml
version: '3.8'
services:
  mobsf:
    image: opensecurity/mobile-security-framework-mobsf:latest
    container_name: mobsf
    ports:
      - "8000:8000"
    environment:
      - MOBSF_ANALYZER_TIMEOUT=3600
      - MOBSF_WORKERS=4
    volumes:
      - ./uploads:/home/mobsf/.MobSF/uploads
      - ./reports:/home/mobsf/.MobSF/reports
    restart: unless-stopped

This docker-compose file deploys MobSF with timeouts and workers suited for heavy analyses. The volumes preserve uploads and reports across restarts.

Launch and Verification

start-mobsf.sh
#!/bin/bash
set -e
docker compose up -d   # Compose v2 is a docker subcommand; "docker-compose" is the legacy v1 binary
echo "MobSF accessible sur http://localhost:8000"
# Poll the web interface for up to 60 s instead of sleeping a fixed 15 s
for _ in $(seq 1 12); do
  curl -s http://localhost:8000 | grep -q "MobSF" && { echo "Interface OK"; exit 0; }
  sleep 5
done
echo "Erreur de démarrage"; exit 1

The script starts MobSF in the background and verifies that the web interface responds correctly before proceeding.

Static Analysis via CLI

analyze-apk.sh
#!/bin/bash
set -e
APK_PATH="$1"
[ -n "$APK_PATH" ] || { echo "usage: $0 <apk-path-visible-inside-the-container>" >&2; exit 1; }
# The path is resolved inside the container, so the APK must live in a mounted volume (./uploads in docker-compose.yml)
HASH=$(docker exec mobsf python /home/mobsf/Mobile-Security-Framework-MobSF/manage.py runscript analyze_apk --script-args "$APK_PATH" | grep -oP 'hash:\K\w+')
echo "Analyse terminée. Hash: $HASH"

This script performs a complete static analysis of an APK and retrieves the unique scan hash for subsequent steps.

Advanced Configuration

mobsf-config.json
{
  "static_analysis": {
    "enable_string_analysis": true,
    "max_string_length": 500,
    "detect_secrets": true
  },
  "dynamic_analysis": {
    "frida_timeout": 120,
    "network_capture": true
  },
  "report": {
    "format": ["pdf", "json"],
    "include_screenshots": true
  }
}

This JSON configuration file enables deep string analysis, secret detection, and multi-format report generation.

API Automation

mobsf_api.py
import os
import requests

BASE_URL = "http://localhost:8000/api/v1"
# Read the key from the environment instead of hard-coding it in the script
API_KEY = os.environ.get("MOBSF_API_KEY", "your_api_key_here")
HEADERS = {'Authorization': API_KEY}


def upload_and_scan(file_path):
    # 1. Upload the APK/IPA; the response carries the scan hash, scan_type and file_name
    with open(file_path, 'rb') as f:
        r = requests.post(f"{BASE_URL}/upload", files={'file': f}, headers=HEADERS)
    r.raise_for_status()
    data = r.json()
    scan_hash = data['hash']
    # 2. Uploading alone analyzes nothing: the scan must be triggered explicitly.
    #    /scan blocks until the static analysis is finished, so no fixed sleep is needed;
    #    the timeout mirrors MOBSF_ANALYZER_TIMEOUT from docker-compose.yml.
    r = requests.post(f"{BASE_URL}/scan", data=data, headers=HEADERS, timeout=3600)
    r.raise_for_status()
    return scan_hash


def get_json_report(scan_hash):
    # 3. Fetch the full JSON report for the scan (the input for SIEM or CI/CD gating)
    r = requests.post(f"{BASE_URL}/report_json", data={'hash': scan_hash}, headers=HEADERS)
    r.raise_for_status()
    return r.json()

This Python script uploads a file, triggers the analysis, and returns the scan hash used for later report retrieval. It is ready to integrate into a CI/CD pipeline.
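To act on the JSON report inside a CI/CD step, the following added example (my own code, not MobSF's) gates a build on the report's severity summary and security score. It assumes the layout of the /api/v1/report_json response (an `appsec` summary with `high`/`warning`/`info` lists and `security_score`, and `code_analysis` findings carrying `metadata.severity`) and runs on a constructed, trimmed sample report.

```python
import json

# Constructed sample shaped like a trimmed /api/v1/report_json response (assumption:
# the "appsec" summary lists high/warning/info findings plus security_score, and
# "code_analysis" findings carry "metadata.severity"); real reports are far larger.
SAMPLE_REPORT = json.loads("""{
  "app_name": "DemoApp", "package_name": "com.example.demo",
  "appsec": {
    "high": [{"title": "App can be debugged", "section": "manifest"}],
    "warning": [{"title": "Cleartext traffic allowed", "section": "manifest"}],
    "info": [], "security_score": 38
  },
  "code_analysis": {"findings": {
    "android_logging": {"metadata": {"severity": "info"}, "files": {"a/Main.java": "12"}},
    "android_sql_injection": {"metadata": {"severity": "high"}, "files": {"a/Db.java": "40,77"}},
    "android_insecure_random": {"metadata": {"severity": "warning"}, "files": {"a/Tok.java": "5"}}
  }}
}""")


def severity_counts(report):
    """Count code_analysis findings by severity. Newer reports nest the rule dict
    under code_analysis["findings"]; older ones keep it at the top level (assumption)."""
    ca = report.get("code_analysis", {})
    findings = ca.get("findings", ca)
    counts = {"high": 0, "warning": 0, "info": 0, "good": 0}
    for rule in findings.values():
        sev = rule.get("metadata", {}).get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report, max_high=0, max_warning=5, min_score=50):
    """Return (passed, reasons) for a CI/CD gate. The appsec summary already
    aggregates manifest, code and network findings, so prefer it over re-counting."""
    reasons = []
    appsec = report.get("appsec")
    if appsec:
        high, warning = len(appsec.get("high", [])), len(appsec.get("warning", []))
        score = appsec.get("security_score", report.get("security_score"))
    else:  # older report without the dashboard summary: fall back to code_analysis
        counts = severity_counts(report)
        high, warning, score = counts["high"], counts["warning"], report.get("security_score")
    if high > max_high:
        reasons.append(f"{high} high-severity finding(s), max allowed {max_high}")
    if warning > max_warning:
        reasons.append(f"{warning} warning(s), max allowed {max_warning}")
    if score is not None and score < min_score:
        reasons.append(f"security score {score} below minimum {min_score}")
    return not reasons, reasons
```

Feed it the output of report_json (for example `gate(json.load(open("report.json")))`) and fail the pipeline step when the first element of the result is False.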

Best Practices

  • Always run MobSF in an isolated environment (Docker)
  • Configure timeouts suitable for large applications
  • Automate JSON report retrieval for integration into SIEM tools
  • Update the Docker image every two weeks
  • Regularly back up the reports folder

Common Errors to Avoid

  • Forgetting to increase the Docker memory limit (OOM error)
  • Running dynamic analyses without Frida enabled
  • Ignoring false positives from third-party libraries
  • Failing to clean up old uploads (disk saturation)

Further Reading

Discover our advanced training on mobile security and test automation: https://learni-group.com/formations. You will learn how to integrate MobSF into complete DevSecOps pipelines.