Package: Invicti AppSec Enterprise (on-premise, on-demand)
MobSF SAST
Invicti AppSec supports MobSF (Mobile Security Framework) as a SAST (Static Application Security Testing) scanner, listed in the product as MobSF SAST. This guide explains how to activate and configure the MobSF SAST integration.
MobSF is an automated, all-in-one mobile application pen-testing, malware analysis, and security assessment framework. It supports Android, iOS, and Windows mobile applications.
Prerequisites
Before starting the integration, ensure you have the following information from your MobSF instance:
| Field | Description | Required |
|---|---|---|
| Api Key | REST API key from your MobSF instance | Yes |
| URL | Your MobSF instance URL (e.g., https://mobsf.your-company.com) | Yes |
| Insecure | Skip SSL certificate verification (not recommended for production) | No |
Get an Api Key (on MobSF Side)
- Start your MobSF instance.
- The REST API key is displayed in the console output when MobSF starts.
- Alternatively, navigate to your MobSF instance URL and check the API Docs section (usually at /api_docs).
- The API key is also available in the MobSF configuration file.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the SAST Tab
On the Integrations page, you will see the Scanners section with multiple tabs. Click on the SAST tab (it is selected by default).

Step 3: Find and Activate MobSF SAST
Scroll through the list of SAST scanners to find MobSF SAST.
- If MobSF SAST is not activated, you will see an "Activate" button. Click it to enable the integration.
- If MobSF SAST is already activated, you will see a toggle switch in the ON position and a "Deactivate" button, along with a gear icon for configuration.
MobSF SAST supports the Language agnostic category, covering Android, iOS, and Windows mobile applications.
Step 4: Configure Connection Settings
Click on the gear icon on the MobSF SAST card to open the configuration panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Api Key | REST API key from your MobSF instance | Yes |
| URL | Your MobSF instance URL (e.g., https://mobsf.your-company.com) | Yes |
| Insecure | Enable this checkbox only if your MobSF instance uses a self-signed SSL certificate. It disables certificate verification entirely, so the API key could be read by anyone able to intercept the connection; prefer adding the MobSF certificate (or its issuing CA) to the Invicti AppSec trust store and leaving this unchecked | No |

Step 5: Test the Connection
Click the Test Connection button at the bottom of the configuration panel to verify that the provided credentials and URL are correct.
- If the connection is successful, the integration is ready to use.
- If the connection fails, verify your Api Key and URL values.
- For existing integrations, you can use the Retest Connection button at the top of the panel.
Step 6: Advanced Settings (Optional)
Click on Advanced Settings to expand additional options:
| Setting | Description | Default |
|---|---|---|
| Allow team leads to scan this instance | Permits team leads to trigger scans using this MobSF instance | Off |
| Allow team leads to create new instances | Permits team leads to create additional MobSF instances | Off |
After modifying advanced settings, click Save Advanced Settings to apply changes.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the SAST tab under Scanners |
| 3 | Find MobSF SAST and click Activate (if not already active) |
| 4 | Click the gear icon and fill in Api Key and URL |
| 5 | Click Test Connection to verify |
| 6 | (Optional) Configure Advanced Settings for team lead permissions |
Create a Scan
After activating and configuring MobSF SAST, you can create scans from your project's scanner settings.
Navigate to Project Scanners
- Go to your Project page.
- Click on the Settings tab.
- Select Scanners from the left sidebar.
Add MobSF SAST Scanner
- In the scanner type dropdown, select SAST.
- In the scanner dropdown, search for and select MobSF SAST.
- Click the Add button to open the scan configuration drawer.

Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan (optional) | No |
| Branch | Specify the branch to scan | No |
| Meta Data | Additional metadata for the scan (optional) | No |
| Scan Tag | Tag to identify the scan (optional) | No |
| Fork Default Branch | Enable to fork the default branch before scanning | No |
Scheduler
- Now: Run the scan immediately after saving.
- Custom Date: Schedule the scan for a specific date and time.
Webhook (Optional)
Enable webhook to trigger scans via actions taken on your application lifecycle management tool:
- Check the Trigger scans via actions checkbox.
- Select the Platform (e.g., GitHub, GitLab, Bitbucket).
- Click Generate to create a Secret Key for webhook authentication.
KDT Command
You can also trigger MobSF SAST scans from your CI/CD pipeline using KDT:
kdt scan -p <project_name> -t mobsfsast -b <branch_name>
Click Save to create the scan configuration.
Troubleshooting
Connection Fails
- Invalid API Key: Verify the API key matches the one shown in MobSF's REST API documentation page.
- Incorrect URL: Ensure the URL includes the correct protocol and port (e.g., http://localhost:8000 for local or your server URL).
- MobSF Not Running: Verify that the MobSF server is running and accessible from the Invicti AppSec instance.
- Network/Firewall: Ensure the Invicti AppSec instance can reach the MobSF server. Check firewall rules and network connectivity.
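The checks above can be scripted and run from the Invicti AppSec host, so the result reflects the same network path the integration will use and distinguishes a rejected API key from an unreachable server or a certificate problem. The script below is an added example, not part of the Invicti AppSec product or the MobSF project. It assumes what MobSF's own /api_docs page documents rather than anything in this guide: the REST API reads the key from an Authorization header, and GET /api/v1/scans lists recent scans (used here only as a cheap authenticated request). The failure labels returned by classify_failure are this script's own names.

```python
"""Probe a MobSF instance the way the Invicti AppSec Test Connection button does.

Added example, not Invicti or MobSF code. Assumed (from MobSF's own /api_docs
page, not from this guide): the REST API reads the key from an "Authorization"
header and lists recent scans at GET /api/v1/scans.
"""
import json
import socket
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

SCANS_PATH = "/api/v1/scans"  # assumed MobSF endpoint, used only as a cheap authenticated GET


def normalize_url(url: str) -> str:
    """Require an explicit http(s) scheme and host, and drop a trailing slash.

    A missing scheme leaves urlparse with no netloc; a trailing slash would put
    a double slash in front of the API path. Both are "Incorrect URL" cases.
    """
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"URL must start with http:// or https:// and name a host: {url!r}")
    return f"{parsed.scheme}://{parsed.netloc}{parsed.path.rstrip('/')}"


def build_request(url: str, api_key: str) -> urllib.request.Request:
    """Build the authenticated GET; the key travels in the Authorization header."""
    api_key = api_key.strip()
    if not api_key:
        raise ValueError("API key is empty")
    return urllib.request.Request(
        normalize_url(url) + SCANS_PATH,
        headers={"Authorization": api_key, "Accept": "application/json"},
        method="GET",
    )


def tls_context(insecure: bool) -> ssl.SSLContext:
    """Mirror the Insecure checkbox.

    insecure=True accepts any certificate, so anyone on the path can present
    their own and read the API key. Trusting the MobSF CA instead keeps
    verification on; this flag is only for a lab with a self-signed cert.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify_failure(exc: Exception) -> str:
    """Map an exception to the troubleshooting bullet it corresponds to."""
    if isinstance(exc, urllib.error.HTTPError):  # subclass of URLError, so check it first
        return "invalid-api-key" if exc.code in (401, 403) else f"http-{exc.code}"
    if isinstance(exc, urllib.error.URLError):
        # urlopen wraps TLS, DNS and connect-phase errors in URLError
        return "tls-certificate" if isinstance(exc.reason, ssl.SSLError) else "network-or-not-running"
    if isinstance(exc, socket.timeout):  # read timeouts are raised unwrapped
        return "network-or-not-running"
    if isinstance(exc, ValueError):  # json.JSONDecodeError: something answered, but not MobSF's API
        return "not-a-mobsf-api"
    return "unknown"


def probe(url: str, api_key: str, insecure: bool = False, timeout: float = 10.0) -> str:
    """Return "ok" when MobSF answers the authenticated request, else a failure class."""
    try:
        req = build_request(url, api_key)
    except ValueError:
        return "incorrect-url-or-key"
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=tls_context(insecure)) as resp:
            json.load(resp)  # MobSF answers JSON; HTML here usually means a proxy or the wrong port
            return "ok"
    except Exception as exc:  # every failure is classified rather than hidden
        return classify_failure(exc)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} <mobsf_url> <api_key> [--insecure]")
    print(probe(sys.argv[1], sys.argv[2], insecure="--insecure" in sys.argv[3:]))
```

Run it as `python3 mobsf_probe.py https://mobsf.your-company.com <api_key>` from the Invicti AppSec host. A result of `invalid-api-key` means the server was reached and TLS succeeded, so only the key needs fixing; `tls-certificate` points at the Insecure checkbox or, better, at trusting the MobSF CA; `network-or-not-running` covers the MobSF Not Running and Network/Firewall bullets.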
Scan Issues
- Scan Not Starting: Verify the MobSF server has sufficient resources (CPU, memory) to process the scan.
- Unsupported File Type: Ensure the uploaded file is a supported format (APK, IPA, or source code archive).
Best Practices
- Secure MobSF Instance: Use HTTPS and strong authentication for the MobSF server, especially in production environments. The API key is sent with every request Invicti AppSec makes, so plain HTTP exposes it to anyone on the network path.
- Dedicated MobSF Server: Use a dedicated MobSF instance for the Invicti AppSec integration to avoid conflicts with other users.
- Regular Updates: Keep MobSF updated to the latest version for improved detection capabilities and security fixes.
- Resource Planning: Ensure the MobSF server has adequate resources for concurrent scan requests.
Limitations
- Self-Hosted Only: MobSF requires a self-hosted server. There is no cloud-hosted MobSF service.
- Mobile Focus: MobSF SAST is designed for mobile application analysis (Android, iOS, and Windows mobile applications).
- Network Dependency: The Invicti AppSec instance must have direct network access to the MobSF server.