Transcript
This transcript was autogenerated.
Hello. Hi everyone. Good morning, good afternoon or good evening, wherever you are. Yeah, thanks for joining my session on mobile application security assessment automation at the Conf42 DevOps 2025 conference.

Today we are going to learn a little bit about how we can automate mobile security assessments using MobSF and Jenkins. This talk is mainly about, if you have MobSF and this tool, how we can automate that and try to help organizations speed up the mobile testing process. So without further ado, let's get started.
About myself: I am Shesha Nandreddy Kandula, and you can call me Shesha. I have about 15 years of experience in application security. Mostly I have worked on web application and mobile application security related tasks like testing and engineering, or threat modeling, or whatever we call it.

A brief agenda for today's talk: first we look into why there is a need for mobile application security, and why it got the importance. Then we look a little bit into the mobile OWASP top 10. Then we'll try to see what the SAST and DAST methodologies are. After that, we look into MobSF, which we try to use for the automation purposes. And then we'll see a little bit about Jenkins as well. Okay, without further ado, let's get started.
Introduction to mobile applications. If you forget about security for a moment, what about the mobile applications themselves? In the last maybe four to five years, the number of applications installed on any user device has increased drastically. Earlier, users may have had 20 applications. But nowadays users usually have 80 to 90, sometimes even more than 100, hundreds of applications related to banking, trading, social media or Gmail or whatever, even related to their physical activities. A lot of applications are there. But if you see in a month, among those maybe 80 to 90 applications, users may use like 50%. And in a quarter, I don't think they use all the applications in one quarter either. So if users are keeping auto updates on to apply any security patches related to these applications, that would be great. But if they're not updating their apps, and those apps have any security issues, that's also a concern for us.

On top of that, if by mistake the user has installed some gaming app and forgot about it, and due to that got some malware onto the device, that's also very dangerous to the other genuine banking or trading applications. So that's the main reason we need to look into mobile application security as well. Since the usage has increased, on top of that users are also expecting that a lot of features which are there in the web applications should come to the mobile applications also from day one. Because if a customer is implementing one feature, a few years back, maybe five to seven years back, usually first they would try to do that in the web application, and if that was a success, then only they would come to the mobile applications. But nowadays it's not like that; they have to push the code, or push the feature, for all the clients, where clients means the web application and the mobile application, whether it's Android or iOS. So because of that competition, or user demand, mobile applications have also started developing or releasing updates every month. Because of that, assessing the mobile applications very quickly is not an easy task. That's the reason there is a need for automation of this assessment as well, at least to find out the low hanging fruits much ahead.
Before going for that, let's see what the mobile application related risks are. In a regular web application, most of the code stays on the server side, but when it comes to a mobile application, at least a little bit of the code related to the logic will be coming back to the mobile application, not everything. So if you are doing some kind of mobile logic, then there are chances that someone can get into the app and try to look into the source code and try to find the issues. So that's also a risk. That's the reason we need to concentrate on the mobile application as well.

And the Open Web Application Security Project (OWASP), what they have done is, they try to look into different applications, they try to find the top 10 risks or vulnerabilities related to mobile applications across several applications, they list them down and try to educate the developers and the security teams as well. This is the list for 2024; every three to four years they will publish it. Luckily we got one last year.

Among them, improper credential usage is one issue, because maybe we may be using the credentials, but we may not be using biometric authentication and other security related measures. Even inadequate supply chain security, because the package or binary size is increasing for mobile applications. If I remember, earlier it was 30, 40 MB. Nowadays a few applications have 300 MB, 400 MB files as well. So obviously it's not that those binaries or apps have only the originally written code; there are definitely a lot of dependencies bundled into the mobile application. So if you're using any libraries and they have any security issues, obviously we need to take care of that as well. That's the reason it came in at M2. Yeah. Even insecure authentication and authorization, insecure communication, the cryptography related ones, and even insecure data storage are also coming into the picture. These are the few issues which we observed in the last few years, like two, three years. So that's the reason they came into the top ten. If our application is not vulnerable to these kinds of issues, yep, definitely we are good, at least for that.

So let's see what the different methodologies are that we can use to test it, before going to secure it at least. One is SAST and another one is the DAST methodology. In the SAST methodology we can use the source code and try to analyze the source code or binary, and try to find the issues related to the mobile application. DAST is where you run the app, maybe logging in to the application or making some calls or touching a few features, to see how the application is interacting with the server, and to see how it is storing the files, whether it's storing in the local storage or on the external device, meaning an external SD card, something like that. Those kinds of issues we can find with DAST.
But since this is not about the mobile OWASP top 10, let's go back and jump on to MobSF, which is open source. Since it is an open source tool, it's always good to get started using that. So let's see what MobSF is and what kind of features it provides to us. If you go to the MobSF web page, since it is open source, you can go there and download it. If you want to build it on your own machine, the steps are there. But nowadays, at least most people will use Docker, since it is easy to spin up the machine, and the required software and everything will already be there in the Docker image. It's easy to spin up and test easily. In earlier days we had to download the source code, and if you were using different Python or different versions of Java, we always struggled with the installation itself. Another benefit is that you have MobSF Live also: if you are okay to upload your file onto some server, you can play around with that, and instead of installing the tools, you can use that.

So let's see a quick installation. I have the terminal as well, since it is ready. Here, I have already pulled the image. Since I already pulled the image, it'll be pretty quick. What is it saying? The image is up to date, so no, it won't pull it. But if you're doing it the first time, it may take a minute or two to pull the image and build it. Since we have already done that step, let's run it locally to see what kind of scans we can do. So you can see everything looks green. I think we are good. Yeah.
Let's go back to the browser. In the browser, this is the one page. I have already run a few scans, recent scans. This is the UI. I think it didn't remember any scans. Let's see. Yeah, let's take the AndroCode app and just click on it and upload it. It did upload it. Actually it won't take long, and you can observe everything in that terminal, what's going on. You can see this is an Android APK and it's generating hashes, extracting the APK, parsing it and trying to analyze it, saving to the database; everything it is doing. Let's go back to the browser. Yep.

If we go back to the browser, you can see the report which is generated by MobSF. Here we can see one activity is exported, and there are several; you can see the manifest explorer as well and try to go through what kind of issues it is reporting. And there is something like "execute voice command". I can go there and try to see what exactly this app is doing, starting an activity or setting or reading clip data. Like this, it will give the report, or the UI. If you want the report, you can take the report. If you want to print it, you can do that. There is an option for starting the dynamic analysis by using MobSF as well. But for that, we need to set up the real device or emulator and configure it. So you can give it a try if you want. I didn't keep that for today's talk.
And let's go back to the APIs, which are the pretty much important ones for automating the assessments. You see that there; if this API key came out a little bit different for you, I'll change it later. I'll delete it, since it is being recorded. But at least to see what exactly MobSF can help us with: there are several functionalities. You can make a curl call to upload a file, whether it's an IPA or APK file, and you can scan it to get a scan for that file. And maybe you can look for the scorecard, or else you can download the report, and you can do that. So there are several things which we can try to automate using the different APIs. If you go back to the first one, the upload file API: in this, what exactly we are trying to do is, you can just make an API call, or maybe kind of a curl call, by sending your APK file to the URL, if it is hosted somewhere, so you need to provide that URL, and providing the authorization with this API key. Once you send it, it will come to the server and try to automate that. That's what exactly we are going to do.

Since we got a little bit of understanding of what MobSF is and what exactly we can do with those APIs, we'll go back to how we can do that using Jenkins. So what is the power of MobSF? As I showed, it has static analysis; it will extract the files. And since it can extract the files and source code, we can do the static analysis. In the dynamic analysis also we can do similar kinds of activities, but I didn't keep that for now, okay. And we talked about the API support. So let's go back to Jenkins, and what exactly Jenkins can help us with. Okay.
If you see here in our terminal, I have already downloaded a version of the Jenkins file. You can download it from the Jenkins website, and based on your requirement, maybe it gives some error, so I just kept this flag to avoid that error. So I just click enter. You can see it is starting up. Let's go to the browser to see whether we can access that. Yes, I think so. Sign in. Yep.

So let's see. I already configured a build, a pipeline job, as people call it. So it failed, I think. What should be the reason? Okay, let's do one thing. Let's go back to this build and try to understand what exactly is going on. If you go to configure, yeah, this is the scan file, and yep, this is a typical Jenkins pipeline. What I'm trying to do is store the MobSF API key in the credentials, and the MobSF URL is this one. This is the environment I'm setting up. But anyway, it is going to trigger at midnight. That's fine.
But first what we are trying to do is download the APK or IPA file, because I think that's the reason it failed. I didn't start my server in the other tab. Let's go back there and try to start this server. So maybe, yep, here actually it should be started. I think that's the reason it gave that error. Yep, apply here. And maybe we'll start later.

So let's look into this configuration first. First, what we are trying to do here, you can play around with that, because if your APK or IPA file is stored somewhere on the server, you can make your logic according to that and try to download that file to the workspace, the Jenkins workspace, and try to initiate the scan once you have downloaded that file. If you see here, we have downloaded that. And then starting the MobSF scan as we have seen. First we are uploading a file; what this will do is, once we have uploaded that, we get a hash value. Let's go back here. If you see here, yep, here you will get a hash value in the response, to differentiate between the different files which we are trying to scan; suppose you are doing an APK file, an IPA file, or one app and then a second app, third app. So just from the hash, we try to use some logic to get back that hash, and that hash we are going to use in the next command to initiate the scan. If you see here, we are using that hash value and trying to initiate the scan. With that we run the scan. Once the scan is run, we can get back the scorecard, like how much we are good or not. And if you want to download your report, you can initiate one more call to download that report. The report is downloaded.

So let's go back and apply this one. Hopefully this time it will run; if it is failing for some other reasons, I'll try to show the previous successful scans. Let me see here. Yeah, now it is a success. That's cool.
Let's go back to the console. So what exactly has our script done? It went to some location, just to echo; it went to this location and the file is downloaded. Once the file is downloaded, we are initiating, I mean, first we are uploading it to MobSF. Once the uploading is done, we got the hash value. That hash value we attach to the scan and send it to MobSF again. Once that is done, we are getting the scorecard. And after that, we're downloading the report as well. If you see here, the PDF report is downloaded. I tried to send it to email, but due to some configurations, the email didn't work out for today. Anyway, if you want, you can give it a try to send the email as well by configuring Jenkins accordingly.

So this is a way how we can automate the mobile security assessments by using Jenkins, and this is, at a high level, how to do that if you want to. If you want the script, I have attached that in the slides as well. Let's go back to the slides. Yeah.
These are the Jenkins steps. Once you have started Jenkins for the first time with the WAR file, what will happen is it will ask you to set up the admin password and all that stuff. Once that is done, you can go back to your systems. If you want to keep any secrets, you can keep them. Or else you can start creating the Jenkins jobs. So we have automated this.

So what's the need for automation, first of all? Because, yeah, it will be efficient. Obviously we can't test all the applications if your organization has multiple apps. There is a need for automation, and even for scalability purposes. And above that, if we can find the issues a little bit early, that's going to be helpful. So, yep, early detection and mitigation is the main reason why we are trying that.

So what is integrating MobSF with the Jenkins pipeline? What we are trying to do here is: pipeline configuration, configure Jenkins to automatically trigger MobSF scans whenever a new build is generated or uploaded to some location. Then security scan execution; that's what we have seen in the job, and if you have any policies to fail the Jenkins job, or the build, you can do that. And if you want any reports, or sending automated notifications to specific emails, we can do that. This is the job I have shown just now. What are the benefits? I think we have seen the high level benefits. And what are the key takeaways? The key takeaways are that automating the security assessment is going to be helpful. We'll try to do DevSecOps here. And these are the different stages.
So I think that's it for today. If you have any questions, you can reach out to me on LinkedIn or anywhere else. Yeah. Thank you. Thanks again for your time today and for coming to my talk. Have a nice day and a great rest of the year.
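The upload, scan, scorecard and report sequence the talk walks through in the Jenkins job, as an added shell example that is not the speaker's pipeline script (that script is in the slides). It assumes MobSF's REST endpoints and JSON field names (`/api/v1/upload`, `/api/v1/scan`, `/api/v1/scorecard`, `/api/v1/download_pdf`, `hash`, `security_score`) as documented for recent MobSF versions, and that `MOBSF_URL` and `MOBSF_API_KEY` are set in the environment the way Jenkins credentials would set them; the minimum-score gate is a hypothetical policy of the kind the talk mentions for failing the build.

```shell
# Added example, not the speaker's Jenkinsfile: the MobSF REST calls the talk
# walks through (upload -> scan -> scorecard -> download_pdf) as shell functions
# that a Jenkins `sh` step can run.  Endpoint paths and JSON field names follow
# the MobSF API docs as I know them; verify them against your MobSF version.
# Assumes MOBSF_URL and MOBSF_API_KEY in the environment (Jenkins credentials).
set -eu

# Extract a scalar field ("hash", "security_score") from a JSON reply without
# needing jq on the agent.  Only safe for scalar values, which is all we read.
json_field() {
  printf '%s' "$1" |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([^,}]*\).*/\1/p' | tr -d '" '
}

# Upload the APK/IPA as multipart form data; the reply carries the file hash
# that every later call is keyed on.
mobsf_upload() {
  curl -sSf -F "file=@$1" -H "Authorization: ${MOBSF_API_KEY}" \
    "${MOBSF_URL}/api/v1/upload"
}

# Run the static scan for an uploaded hash (blocks until MobSF finishes).
mobsf_scan() {
  curl -sSf -X POST -d "hash=$1" -H "Authorization: ${MOBSF_API_KEY}" \
    "${MOBSF_URL}/api/v1/scan"
}
# Fetch the scorecard JSON (security_score plus high/warning/info lists).
mobsf_scorecard() {
  curl -sSf -X POST -d "hash=$1" -H "Authorization: ${MOBSF_API_KEY}" \
    "${MOBSF_URL}/api/v1/scorecard"
}
# Save the PDF report to $2 so Jenkins can archive or e-mail it.
mobsf_pdf() {
  curl -sSf -X POST -d "hash=$1" -H "Authorization: ${MOBSF_API_KEY}" \
    "${MOBSF_URL}/api/v1/download_pdf" -o "$2"
}

# Build gate (hypothetical policy): succeed only if security_score >= $2.
score_gate() {
  score=$(json_field "$1" security_score)
  if [ -n "$score" ] && [ "$score" -ge "$2" ]; then return 0; fi
  return 1
}

# Whole stage, e.g. from a Jenkinsfile step: sh './mobsf_scan.sh app.apk 60'
run_pipeline() {
  upload_json=$(mobsf_upload "$1")
  app_hash=$(json_field "$upload_json" hash)
  [ -n "$app_hash" ] || { echo "upload failed: $upload_json" >&2; return 1; }
  mobsf_scan "$app_hash" >/dev/null
  card=$(mobsf_scorecard "$app_hash")
  mobsf_pdf "$app_hash" "mobsf-report-$app_hash.pdf"
  score_gate "$card" "$2" || { echo "security_score below $2, failing build" >&2; return 2; }
}
```

A non-zero return from `run_pipeline` is what makes the Jenkins `sh` step, and so the build, fail.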