Performs automated static analysis on Android APK/AAB files using MobSF to identify hard-coded secrets, insecure permissions, vulnerable components, weak encryption, and code defects. For pre-deployment security audits, pentesting, or CI/CD gates.
Slash command: /cybersecurity-skills-zh:performing-android-app-static-analysis-with-mobsf
Use this skill when:
Not a substitute for manual code review or dynamic analysis: MobSF static analysis only finds pattern-based vulnerabilities and cannot catch runtime logic defects.
Use the Docker image (docker pull opensecurity/mobile-security-framework-mobsf) or a local deployment. Start MobSF with Docker to get an isolated, reproducible scan environment:
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
Obtain the REST API key from the MobSF web interface at http://localhost:8000/api_docs or from the startup console output. The API key is used for programmatic scanning.
Upload the target APK through the MobSF REST API:
curl -F "file=@target_app.apk" http://localhost:8000/api/v1/upload \
-H "Authorization: <API_KEY>"
The response contains a hash identifier used in the subsequent API calls. MobSF automatically decompiles the APK with JADX, extracts AndroidManifest.xml, and indexes all resources.
Start the static scan and retrieve the results:
# Trigger the scan
curl -X POST http://localhost:8000/api/v1/scan \
-H "Authorization: <API_KEY>" \
-d "scan_type=apk&file_name=target_app.apk&hash=<FILE_HASH>"
# Fetch the JSON report
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>"
MobSF static analysis covers the following categories, mapped to the OWASP Mobile Top 10 2024:
Manifest analysis (M8 - Security Misconfiguration):
- android:debuggable="true"
- android:allowBackup="true" allows data extraction via ADB
- android:networkSecurityConfig

Code analysis (M1 - Improper Credential Usage):
Network security (M5 - Insecure Communication):
Binary analysis (M7 - Insufficient Binary Protections):
Export the findings in several formats for stakeholder communication:
# PDF report
curl -X POST http://localhost:8000/api/v1/download_pdf \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.pdf
# JSON for programmatic processing
curl -X POST http://localhost:8000/api/v1/report_json \
-H "Authorization: <API_KEY>" \
-d "hash=<FILE_HASH>" -o report.json
Add the MobSF scan as a build gate:
# GitHub Actions example
- name: MobSF Static Analysis
  run: |
    UPLOAD=$(curl -s -F "file=@app/build/outputs/apk/release/app-release.apk" \
      http://mobsf:8000/api/v1/upload -H "Authorization: $MOBSF_API_KEY")
    HASH=$(echo "$UPLOAD" | jq -r '.hash')
    curl -s -X POST http://mobsf:8000/api/v1/scan \
      -H "Authorization: $MOBSF_API_KEY" \
      -d "scan_type=apk&file_name=app-release.apk&hash=$HASH"
    SCORE=$(curl -s -X POST http://mobsf:8000/api/v1/scorecard \
      -H "Authorization: $MOBSF_API_KEY" -d "hash=$HASH" | jq '.security_score')
    if [ "$SCORE" -lt 60 ]; then exit 1; fi
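A stricter gate than the score check above, added here as an example and not code from the skill or from MobSF: it parses a scorecard response and fails the build on a low score or on any HIGH finding that has not been triaged, which is one way to encode the requirement that HIGH findings are reviewed by a human before being reported. The sample response and the allowlist are constructed; the scorecard field names (security_score, high, title, section, description) are assumed from the current MobSF API and should be checked against your version.

```python
import json
import re
import sys

# Constructed sample in the shape of a MobSF /api/v1/scorecard response.
# Field names are an assumption; verify against the MobSF version in use.
SAMPLE_SCORECARD = json.dumps({
    "security_score": 52,
    "high": [
        {"title": "Debug Enabled For App [android:debuggable=true]",
         "section": "manifest",
         "description": "Debugging was enabled on the app."},
        {"title": "Files may contain hardcoded sensitive information",
         "section": "secrets",
         "description": "password_hint_label = 'Enter your password'"},
    ],
    "warning": [
        {"title": "Application Data can be Backed up [android:allowBackup=true]",
         "section": "manifest", "description": "Backup is enabled."},
    ],
    "info": [], "secure": [], "hotspot": [],
})

# Hypothetical triage allowlist: regexes over finding descriptions that a
# reviewer has accepted as false positives (here a UI string containing
# "password"). Anything HIGH that does not match still fails the gate.
TRIAGED_FALSE_POSITIVES = [re.compile(r"^password_hint_label = ")]


def evaluate_scorecard(raw_json, min_score=60, allowlist=TRIAGED_FALSE_POSITIVES):
    """Return (passed, reasons). Fails on a low score or any untriaged HIGH finding."""
    card = json.loads(raw_json)
    reasons = []
    score = card.get("security_score", 0)
    if score < min_score:
        reasons.append(f"security_score {score} below threshold {min_score}")
    for finding in card.get("high", []):
        desc = finding.get("description", "")
        if any(p.search(desc) for p in allowlist):
            continue  # reviewed and accepted; it stays visible in the full report
        reasons.append(f"untriaged HIGH [{finding.get('section')}]: {finding.get('title')}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Pass a saved scorecard JSON file as argv[1]; otherwise use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCORECARD
    ok, why = evaluate_scorecard(raw)
    print("\n".join(why) or "gate passed")
    sys.exit(0 if ok else 1)
```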
| Term | Definition |
|---|---|
| Static Analysis | Examining application code and resources without executing the program; catches structural and pattern-based vulnerabilities |
| APK Decompilation | Recovering Java/Kotlin source code from compiled Dalvik bytecode using tools such as JADX or apktool |
| AndroidManifest.xml | Configuration file that declares app components, permissions, and security attributes; the primary target of manifest analysis |
| Certificate Pinning | Binding the app to a specific server certificate to prevent man-in-the-middle attacks through a rogue CA |
| ProGuard/R8 | Code obfuscation and shrinking tools that make reverse engineering harder by renaming classes and removing unused code |
password patterns, even when no real credential is stored. Manually triage all HIGH findings before reporting.
matches targetSdkVersion.
manual review of .so files with checksec.
npx claudepluginhub killvxk/cybersecurity-skills-zh