To secure your mobile code, you need SAST and SCA integrated into your CI/CD pipeline or pre-commit hooks, and you can wire both up yourself with open-source tools.
See also: Security Post-it #6 – JS & TypeScript and Security Post-it #7 – Golang.
What are SAST and SCA?
Static Application Security Testing (SAST) finds vulnerabilities in source code before deployment: hard-coded secrets, unvalidated input, SQL injection and the like. Software Composition Analysis (SCA) inventories third-party libraries and dependencies and checks them against databases of known vulnerabilities.
SAST should run both synchronously (as a blocking check in CI/CD on every push or pull request) and asynchronously (on a schedule, alerting when new findings appear). SCA must run asynchronously as well: scanning only on push misses vulnerabilities disclosed after the last commit, and repositories nobody touches anymore, dead or dormant, are full of vulnerable dependencies. Consider Renovate to open fix PRs automatically.
SAST — MobSF / mobsfscan
The reference open-source SAST tool for Android (Java, Kotlin) and iOS (Objective-C, Swift) is MobSF. It comes in two forms: a full web UI that analyses compiled apps or zipped source (code, manifest, ATS analysis), and a lightweight CLI, mobsfscan, for source code analysis only. mobsfscan is pattern-based (it runs MobSF's rules through semgrep and libsast), so expect some false positives and plan to tune them with a config file rather than ignoring the output.
Install
# MobSF web UI (Docker)
$ docker run --rm -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

# mobsfscan (CLI)
$ pip install mobsfscan

Audit with MobSF
Open http://localhost:8000/ (the port published by the docker run command above) and upload your code as a zip or a compiled app (APK or IPA). The web UI performs code analysis, manifest analysis (Android) and ATS analysis (iOS).
Audit with mobsfscan
First, create a config file at /tmp/mobsfscan.yml. It is passed to every run with -c and holds the paths and rule ids to ignore and the severity overrides you want to apply.
Human-readable output
$ mobsfscan __CODE_DIRECTORY__ -c /tmp/mobsfscan.yml

JSON output
$ mobsfscan __CODE_DIRECTORY__ -c /tmp/mobsfscan.yml --json -o /tmp/mobsfscan.json
$ cat /tmp/mobsfscan.json | jq .results

Example
Using the WordPress Android and WordPress iOS repositories as examples:
$ git clone https://github.com/wordpress-mobile/WordPress-Android.git /tmp/WordPress-Android
$ git clone https://github.com/wordpress-mobile/WordPress-iOS.git /tmp/WordPress-iOS
$ mobsfscan /tmp/WordPress-Android -c /tmp/mobsfscan.yml
$ mobsfscan /tmp/WordPress-iOS -c /tmp/mobsfscan.yml

CI Integration
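The following script is an added example for this post, not code from the MobSF project: it writes the mobsfscan config file mentioned above, runs mobsfscan with --json, and turns the report into a pass/fail verdict that a CI step or pre-commit hook can use. It assumes mobsfscan is on PATH and that the JSON report has the shape {"results": {rule_id: {"files": [...], "metadata": {"severity": ...}}}, "errors": [...]}. The config keys follow the mobsfscan README; the paths and rule ids inside it, the thresholds, and the constructed SAMPLE_REPORT are illustrative.

```python
"""Write a mobsfscan config, run the scan and turn the JSON report into a CI verdict.

Added example; not code from the MobSF project. Assumptions: `mobsfscan` is on PATH,
and its --json report looks like
{"results": {<rule_id>: {"files": [...], "metadata": {"severity": ...}}}, "errors": [...]}.
"""
import json
import subprocess
import sys
from pathlib import Path

# Config keys documented by mobsfscan: ignore-filenames, ignore-paths, ignore-rules,
# severity. The values below are placeholders for this example.
MOBSFSCAN_CONFIG = """\
---
ignore-paths:
  - build
  - .gradle
  - Pods
ignore-rules:
  - android_kotlin_logging
severity:
  android_kotlin_hardcoded: WARNING
"""

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2}


def write_config(path):
    """Materialise the config so local runs, pre-commit and CI all use the same one."""
    path = Path(path)
    path.write_text(MOBSFSCAN_CONFIG)
    return path


def run_mobsfscan(code_dir, config, report):
    """Run mobsfscan and return the parsed report. mobsfscan exits non-zero when it
    finds ERROR-level issues (and on WARNING with -w), so the exit code is not an
    execution failure; the verdict is computed from the report instead."""
    subprocess.run(
        ["mobsfscan", str(code_dir), "-c", str(config), "--json", "-o", str(report)],
        check=False,
    )
    return json.loads(Path(report).read_text())


def summarize(report):
    """Count findings per severity and per rule. A finding is one matched file;
    rules that flag a missing safeguard for the whole project carry no file list
    (assumed shape) and are counted once."""
    by_severity = {"INFO": 0, "WARNING": 0, "ERROR": 0}
    by_rule = {}
    for rule_id, rule in report.get("results", {}).items():
        sev = str(rule["metadata"]["severity"]).upper()
        files = rule.get("files")
        hits = len(files) if files is not None else 1
        by_severity[sev] = by_severity.get(sev, 0) + hits
        by_rule[rule_id] = (sev, hits)
    return {"by_severity": by_severity, "by_rule": by_rule, "errors": list(report.get("errors", []))}


def gate(summary, fail_on="ERROR", accepted_rules=frozenset()):
    """Exit code for the CI step: 1 if any finding at or above fail_on is not in
    accepted_rules, a reviewed allowlist of rule ids (documented false positives)
    kept in the repository so exceptions go through code review. Scanner errors
    also fail the step: a scan that skipped part of the tree is not a pass."""
    if summary["errors"]:
        return 1
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = [
        rule for rule, (sev, hits) in summary["by_rule"].items()
        if hits and SEVERITY_RANK.get(sev, 0) >= threshold and rule not in accepted_rules
    ]
    return 1 if blocking else 0


# Constructed report in the assumed shape; the rule ids are placeholders.
SAMPLE_REPORT = {
    "results": {
        "example_hardcoded_secret": {
            "files": [{"file_path": "app/src/main/java/Config.kt", "match_lines": [12, 12]},
                      {"file_path": "app/src/main/java/Net.kt", "match_lines": [40, 40]}],
            "metadata": {"severity": "ERROR"},
        },
        "example_logging": {
            "files": [{"file_path": "app/src/main/java/Main.kt", "match_lines": [8, 8]}],
            "metadata": {"severity": "WARNING"},
        },
        "example_missing_pinning": {"metadata": {"severity": "WARNING"}},
    },
    "errors": [],
}


def main(argv):
    if argv:  # real run: python gate.py <code_dir>
        config = write_config("/tmp/mobsfscan.yml")
        report = run_mobsfscan(argv[0], config, "/tmp/mobsfscan.json")
    else:     # no argument: demonstrate on the constructed sample
        report = SAMPLE_REPORT
    summary = summarize(report)
    for rule, (sev, hits) in sorted(summary["by_rule"].items()):
        print(f"{sev:8} {hits:3}  {rule}")
    verdict = gate(summary, fail_on="ERROR")
    print("verdict:", "FAIL" if verdict else "PASS", summary["by_severity"])
    return verdict


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

For the synchronous (blocking) run, call it from the CI job with the code directory as argument and let its exit code fail the step; for the scheduled run, keep fail_on="ERROR" but send the full by_severity summary to your alerting channel. Keep the accepted_rules allowlist in the repository next to the config so that every exception is visible in review.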
SCA — depscan
Depscan by AppThreat audits project dependencies for known vulnerabilities. It builds on cdxgen, which generates a CycloneDX SBOM of the project that depscan then checks, which is why both are installed below. It works well for Android projects; iOS was not yet supported at the time of writing.
Install
# Global install
$ npm install -g @appthreat/cdxgen
$ pip install appthreat-depscan

Audit
$ depscan --src __CODE_DIRECTORY__
$ depscan --src __CODE_DIRECTORY__ -o /tmp/depscan.json
# depscan writes one report per detected project type, hence the suffixed file names:
$ cat /tmp/depscan-kotlin.json | jq .
$ cat /tmp/depscan-java.json | jq .

Example
$ depscan --src /tmp/WordPress-Android
Dependency Scan Results (nodejs)
╔════════════════╤═══════════╤═══════════════════════╤═════════╤═════════════╤══════════╤═══════╗
║ Id             │ Package   │ Insights              │ Version │ Fix Version │ Severity │ Score ║
╟────────────────┼───────────┼───────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2021-3803  │ nth-check │ ℹ Indirect dependency │ <2.0.1  │ 2.0.1       │ HIGH     │ 7.5   ║
╟────────────────┼───────────┼───────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2022-40215 │ tabs      │ 🎯 Direct usage       │ <=3.7.1 │             │ MEDIUM   │ 5.4   ║
╟────────────────┼───────────┼───────────────────────┼─────────┼─────────────┼──────────┼───────╢
║ CVE-2022-33154 │ schema    │ ℹ Indirect dependency │ <1.13.1 │ 1.13.1      │ MEDIUM   │ 5.4   ║
╚════════════════╧═══════════╧═══════════════════════╧═════════╧═════════════╧══════════╧═══════╝

CI Integration
The depscan documentation covers integration with CI environments, including GitHub Actions. Also see the ShiftLeft project.
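What the CI integration still needs is a policy: which of the rows in the table above should fail a build, and how a scheduled job reports on every repository, dormant ones included. The script below is an added example for this post, not code from the depscan project. It assumes depscan's JSON report holds one object per line with the fields of the table above (id, package, version, fix_version, severity, score) plus an "insights" string that says whether the package is a direct dependency; those key names are an assumption to check against your depscan version. The repository names and the findings in SAMPLE_REPORTS are constructed sample data, with a placeholder id for the dormant repository.

```python
"""Dependency policy and per-repository roll-up for depscan findings.

Added example; not code from the depscan project. The JSON-lines format and its key
names (id, package, version, fix_version, severity, score, insights) are assumptions
to verify against your depscan version.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    id: str
    package: str
    version: str
    fix_version: str   # empty when no fixed release exists yet
    severity: str
    score: float
    direct: bool       # declared by the project (direct) vs pulled in transitively


def parse_report(text):
    """Parse JSON-lines report text into Finding objects (assumed format, see above)."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        insight = str(row.get("insights", "")).lower()
        findings.append(Finding(
            id=row["id"],
            package=row["package"],
            version=str(row.get("version", "")),
            fix_version=str(row.get("fix_version") or ""),
            severity=str(row.get("severity", "LOW")).upper(),
            score=float(row.get("score") or 0.0),
            # "indirect dependency" also contains the substring "direct": exclude it explicitly
            direct="direct" in insight and "indirect" not in insight,
        ))
    return findings


def blocking(findings, min_severity="HIGH"):
    """Findings that should fail the job under one reasonable policy: at or above
    min_severity, a direct dependency always blocks (the project owns that version),
    while a transitive one blocks only when a fix_version exists, because bumping the
    parent or pinning a resolution is then actionable. Unfixable transitive findings
    are still reported, just not as a blocker."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [
        f for f in findings
        if SEVERITY_RANK.get(f.severity, 0) >= threshold and (f.direct or f.fix_version)
    ]


def summarize_repos(reports, min_severity="HIGH"):
    """Roll-up for a scheduled run over every repository, dormant ones included.
    reports maps repository name -> raw depscan JSON-lines text."""
    summary = {}
    for repo, text in reports.items():
        findings = parse_report(text)
        summary[repo] = {
            "findings": len(findings),
            "blocking": sorted(f.id for f in blocking(findings, min_severity)),
            "max_score": max((f.score for f in findings), default=0.0),
        }
    return summary


def _row(**fields):
    return json.dumps(fields)


# Constructed sample: the three rows from the table above for an actively developed
# repo, plus a dormant repo with a fixable finding nobody is looking at (placeholder id).
SAMPLE_REPORTS = {
    "WordPress-Android": "\n".join([
        _row(id="CVE-2021-3803", package="nth-check", insights="Indirect dependency",
             version="<2.0.1", fix_version="2.0.1", severity="HIGH", score=7.5),
        _row(id="CVE-2022-40215", package="tabs", insights="Direct usage",
             version="<=3.7.1", fix_version="", severity="MEDIUM", score=5.4),
        _row(id="CVE-2022-33154", package="schema", insights="Indirect dependency",
             version="<1.13.1", fix_version="1.13.1", severity="MEDIUM", score=5.4),
    ]),
    "dormant-sdk-sample": _row(id="EXAMPLE-0001", package="example-lib", insights="Direct usage",
                               version="1.0.0", fix_version="1.0.1", severity="CRITICAL", score=9.8),
}

if __name__ == "__main__":
    for repo, info in summarize_repos(SAMPLE_REPORTS).items():
        status = "FAIL" if info["blocking"] else "ok  "
        print(f"{status} {repo}: {info['findings']} finding(s), blocking={info['blocking']}")
```

With the HIGH threshold, only CVE-2021-3803 blocks the WordPress-Android build: it is transitive but has a fix, so it is actionable. Lowering the threshold to MEDIUM also blocks on tabs (direct, no fix yet) and schema (transitive, fix available). The per-repository summary is what the asynchronous job posts, so the dormant repository surfaces even though nothing pushed to it.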
Conclusion
You don't need expensive scanners. With MobSF/mobsfscan and depscan wired into your pre-commit hooks, your CI/CD pipeline and a scheduled job, you get continuous visibility into the security posture of your mobile apps: code-level findings from SAST and known-vulnerable dependencies from SCA, including in repositories nobody pushes to anymore.
At Tandem Technology, we help you improve your development practices during workshops to harden your code repositories.