SAST Support for iOS & Android via MobSF Analyzer
Problem to solve
Add SAST support for mobile application scanning (iOS and Android).
2020.09.30 Update: An analyzer has been contributed to us which is intended to be the starting point for this effort. Remaining work to integrate it:
- Review code and ensure it meets our integration guidelines
- Migrate code to the Secure Analyzers repo
- Extend the SAST.gitlab-ci.yml vendored template to include the analyzer
- Write new unit tests
- Update QA projects
User experience goal
- Integrate MobSF as an official SAST analyzer
Relevant Black Hat Presentation
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis of mobile applications. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented tests.
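The core of wrapping MobSF as a SAST analyzer is translating its static-analysis output into the report format GitLab's vulnerability pages consume (`gl-sast-report.json`). The script below is an added example for this issue, not code from MobSF or from the GitLab Secure analyzers. The input layout (`code_analysis` -> rule -> `metadata`/`files`, with comma-separated line numbers), the severity mapping, the identifier types and the report `version` are all assumptions that must be checked against the real MobSF JSON report and the current GitLab SAST report schema.

```python
"""Map MobSF static-analysis findings onto the GitLab SAST report format.

Added example for this issue, not code from MobSF or from the GitLab
Secure analyzers. The input layout, the severity mapping and the report
version are assumptions; verify them against the MobSF JSON report and
the current GitLab SAST report schema before relying on them.
"""
import hashlib
import json

# Constructed sample approximating the "code_analysis" section of a MobSF
# JSON report for an Android app (keys are assumptions, not real output).
SAMPLE_MOBSF_RESULT = {
    "app_name": "demo.apk",
    "code_analysis": {
        "android_logging": {
            "metadata": {
                "description": "The app logs information. Sensitive data should never be logged.",
                "severity": "info",
                "cwe": "CWE-532 Insertion of Sensitive Information into Log File",
                "owasp-mobile": "M1: Improper Platform Usage",
            },
            # file path -> comma-separated line numbers (assumed layout)
            "files": {
                "com/example/demo/MainActivity.java": "12,40",
                "com/example/demo/Util.java": "7",
            },
        },
        "android_sqlite_raw_query": {
            "metadata": {
                "description": "App executes raw SQL queries against a SQLite database.",
                "severity": "warning",
                "cwe": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command",
                "owasp-mobile": "M7: Client Code Quality",
            },
            "files": {"com/example/demo/Db.java": "23"},
        },
    },
}

# MobSF severity labels -> GitLab SAST severity levels (mapping chosen here).
SEVERITY_MAP = {"high": "High", "warning": "Medium", "info": "Low", "good": "Info", "secure": "Info"}
SCANNER = {"id": "mobsf", "name": "MobSF"}
REPORT_VERSION = "2.4"  # assumed; use the schema version current for your GitLab


def finding_id(rule_id, path, line):
    """Deterministic id so GitLab can match the same finding across pipelines."""
    return hashlib.sha256(f"{rule_id}:{path}:{line}".encode()).hexdigest()


def cwe_identifier(cwe_field):
    """Turn 'CWE-532 Some title' into a GitLab identifier dict, or None."""
    token = str(cwe_field or "").split()
    if not token or not token[0].upper().startswith("CWE-"):
        return None
    number = token[0].split("-", 1)[1]
    return {
        "type": "cwe",
        "name": token[0].upper(),
        "value": number,
        "url": f"https://cwe.mitre.org/data/definitions/{number}.html",
    }


def convert(mobsf_result):
    """Flatten rule -> file -> line findings into one vulnerability each."""
    vulnerabilities = []
    for rule_id, rule in mobsf_result.get("code_analysis", {}).items():
        meta = rule.get("metadata", {})
        severity = SEVERITY_MAP.get(str(meta.get("severity", "")).lower(), "Unknown")
        identifiers = [{"type": "mobsf_rule_id", "name": f"MobSF rule {rule_id}", "value": rule_id}]
        cwe = cwe_identifier(meta.get("cwe"))
        if cwe:
            identifiers.append(cwe)
        for path, lines in rule.get("files", {}).items():
            for raw in str(lines).split(","):
                if not raw.strip().isdigit():
                    continue  # skip malformed line references rather than fail the job
                line = int(raw)
                vulnerabilities.append({
                    "id": finding_id(rule_id, path, line),
                    "category": "sast",
                    "name": meta.get("owasp-mobile") or rule_id,
                    "message": meta.get("description", rule_id),
                    "description": meta.get("description", ""),
                    "severity": severity,
                    "confidence": "Medium",
                    "scanner": SCANNER,
                    "location": {"file": path, "start_line": line, "end_line": line},
                    "identifiers": identifiers,
                })
    return {"version": REPORT_VERSION, "vulnerabilities": vulnerabilities}


def to_report_json(mobsf_result):
    """Serialized form to write to gl-sast-report.json as a CI artifact."""
    return json.dumps(convert(mobsf_result), indent=2)


if __name__ == "__main__":
    print(to_report_json(SAMPLE_MOBSF_RESULT))
```

Two design points matter for an analyzer that will live in the vendored template: the finding `id` is derived from rule, file and line so that GitLab can deduplicate and track a finding across pipelines, and malformed line references are skipped instead of aborting the job, so one odd rule in MobSF output cannot turn a scan into a pipeline failure.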
Permissions and Security
- Scanner will be available to all plan types as a Core analyzer
- Add new rows to the supported languages section of the SAST documentation