We expect our mobile app to be secure, and to stay secure as the code changes. That is why the security testing activities need to be integrated into the CI pipeline.
To do that we use an open-source security tool focused on static application security testing (SAST), the Mobile Security Framework (MobSF), together with a Python script that talks to the MobSF REST API to upload the app, start a scan and fetch the report.
Running this repository in your CI lets you find security issues earlier and fix them before a release. Here's how it works:
Architecture
- Docker container running the Mobile Security Framework
- Docker container running our scan Python script
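The scan container's job is the sequence described above: upload the APK, start the scan, fetch the report. The following is an added example of such a client, written for this page; it is not the repository's own scan script. It uses only the standard library. The endpoint paths (/api/v1/upload, /api/v1/scan, /api/v1/report_json), the `file` upload field and the `Authorization: <api key>` header follow the MobSF v3 REST API as the author understands it; the `severity` fields used to tally findings, the `MOBSF_URL` and `MOBSF_API_KEY` environment variables and the "fail on high" threshold are assumptions, so check them against the MobSF version you run.

```python
"""Minimal MobSF REST client for CI: upload an APK, run the static scan, pull the
JSON report and turn the findings into a process exit code. Added example, not
the repository's script. Endpoints and header follow the MobSF v3 REST API as
understood by the author; the report's 'severity' fields are an assumption."""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Dict, Tuple

UPLOAD = "/api/v1/upload"       # multipart upload, returns hash/scan_type/file_name
SCAN = "/api/v1/scan"           # starts the static analysis for an uploaded hash
REPORT = "/api/v1/report_json"  # fetches the finished report as JSON

# A transport takes (path, body, extra headers) and returns the response body.
# It is injected so the client can be exercised offline with a fake transport.
Transport = Callable[[str, bytes, Dict[str, str]], bytes]


def http_transport(base_url: str, api_key: str, timeout: int = 900) -> Transport:
    """Real transport: POST to MobSF with the API key in the Authorization header."""
    def send(path: str, body: bytes, headers: Dict[str, str]) -> bytes:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=body, method="POST",
            headers={"Authorization": api_key, **headers})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    return send


def encode_multipart(field: str, filename: str, data: bytes) -> Tuple[bytes, str]:
    """Build a single-file multipart/form-data body without third-party libraries."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


FORM = {"Content-Type": "application/x-www-form-urlencoded"}


class MobSFClient:
    def __init__(self, send: Transport) -> None:
        self.send = send

    def upload(self, filename: str, data: bytes) -> dict:
        body, ctype = encode_multipart("file", filename, data)
        return json.loads(self.send(UPLOAD, body, {"Content-Type": ctype}))

    def scan(self, upload_info: dict) -> dict:
        # Older MobSF releases expect scan_type and file_name as well as hash;
        # newer ones only need hash. Forward whatever the upload returned.
        fields = {k: upload_info[k] for k in ("scan_type", "file_name", "hash") if k in upload_info}
        return json.loads(self.send(SCAN, urllib.parse.urlencode(fields).encode(), FORM))

    def report(self, file_hash: str) -> dict:
        body = urllib.parse.urlencode({"hash": file_hash}).encode()
        return json.loads(self.send(REPORT, body, FORM))


def severity_counts(node, counts: Dict[str, int] = None) -> Dict[str, int]:
    """Walk the report and tally every object that carries a string 'severity' field
    (assumed report shape: findings are nested dicts/lists with such a field)."""
    if counts is None:
        counts = {}
    if isinstance(node, dict):
        sev = node.get("severity")
        if isinstance(sev, str):
            counts[sev.lower()] = counts.get(sev.lower(), 0) + 1
        for value in node.values():
            severity_counts(value, counts)
    elif isinstance(node, list):
        for value in node:
            severity_counts(value, counts)
    return counts


def gate_exit_code(counts: Dict[str, int], fail_on=("high",)) -> int:
    """Non-zero when any finding of a blocking severity exists; docker-compose's
    --exit-code-from scan propagates this so the CI step fails."""
    return 1 if any(counts.get(level, 0) for level in fail_on) else 0


def run_scan(client: MobSFClient, filename: str, data: bytes, fail_on=("high",)):
    """Upload -> scan -> report -> (report, severity counts, exit code)."""
    info = client.upload(filename, data)
    client.scan(info)
    report = client.report(info["hash"])
    counts = severity_counts(report)
    return report, counts, gate_exit_code(counts, fail_on)


if __name__ == "__main__":
    # Usage: python mobsf_scan.py app.apk report.json
    # MOBSF_URL and MOBSF_API_KEY are assumed environment variables (the key is
    # shown by the MobSF container at startup and in its settings page).
    apk_path, out_path = sys.argv[1], sys.argv[2]
    client = MobSFClient(http_transport(os.environ["MOBSF_URL"], os.environ["MOBSF_API_KEY"]))
    with open(apk_path, "rb") as f:
        report, counts, code = run_scan(client, os.path.basename(apk_path), f.read())
    with open(out_path, "w") as f:
        json.dump(report, f, indent=2)
    print("findings by severity:", counts)
    sys.exit(code)
```

The transport is injected so the upload/scan/report sequence can be tested without a running MobSF, and the exit code is computed from the report rather than from whether the HTTP calls succeeded: a scan that completes but finds high-severity issues must still fail the pipeline step.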
In order to use this repository, the following requirements must be fulfilled:
- Install Docker
- Install Docker-Compose
- Enable Docker experimental features
Get the Docker App image from Docker Hub:
docker pull overwatchheir/mobsf-ci.dockerapp:1.0.0-invoc
The easiest way to use this repository is with docker app. Simply run:
docker app render overwatchheir/mobsf-ci.dockerapp:1.0.0 --set target_folder=<path to the folder that contains the APK> --set target_apk=<apk name> --set output_folder=<path to folder where the report will be written> | docker-compose -f - up --exit-code-from scan
docker app render produces the docker-compose file for the two containers with your parameters filled in, and docker-compose reads it from stdin (-f -). The --exit-code-from scan flag makes docker-compose exit with the scan container's exit code and stop the MobSF container when the scan finishes, so the command itself returns non-zero when the scan fails.
To integrate this repository into your CI and run the security tests automatically, add a job to your pipeline's YAML file that pulls the Docker App image and runs the command above; because the command propagates the scan container's exit code, a failed scan fails the job, and the report written to the output folder can be kept as a build artifact.