The fastest way to break Android apps is to stop doing everything by hand. MobSF gives you rapid static, dynamic, and malware scoring for any APK. Pair that with Drozer—still the gold standard for component abuse—and you can turn “upload APK” into a full exploit pipeline. This guide shows how to build that workflow responsibly.

Scope reminder: Only test applications you own or have written authorization to assess. Many jurisdictions treat unauthorized mobile testing as a criminal offense.

Toolchain Overview

Tool Role Notes
MobSF Static + dynamic triage Docker image (preferred) keeps dependencies tidy
adb Device/Emulator bridge Required for installing APKs and port forwarding
Drozer Runtime exploitation Needs agent APK on target device
Frida / Objection (optional) Live instrumentation Good companion once Drozer reveals attack surface

Prerequisites:

  • Python 3.11+
  • Docker Desktop (for MobSF container)
  • Android SDK Platform Tools (adb in PATH)
  • Genymotion or Android Studio emulator (API 29+ recommended)

MobSF Setup (Docker)

# Pull stable image
docker pull opensecurity/mobile-security-framework-mobsf:latest

# Run with volume for reports
docker run -it --rm \
  -p 8000:8000 \
  -v "$PWD/mobsf-data:/root/.MobSF" \
  --name mobsf \
  opensecurity/mobile-security-framework-mobsf:latest

Hit http://localhost:8000 and upload any APK. MobSF automatically performs:

  1. Signature and manifest parsing (permissions, exported comps).
  2. Code smell & hardcoded secret detection via androguard and jadx.
  3. API call tracing, network endpoints, binary protections, and tracker identification.

Automating MobSF Uploads

MobSF exposes a REST API. Generate an API key in the UI → Settings → API Key, then script uploads:

API_KEY="<your key>"
APK="app-release.apk"

# Upload
curl -F "file=@${APK}" -H "Authorization:${API_KEY}" \
  http://localhost:8000/api/v1/upload

# Scan result
SCAN_HASH=<returned hash>
curl -H "Authorization:${API_KEY}" \
  -d "scan_type=apk&hash=${SCAN_HASH}" \
  http://localhost:8000/api/v1/report_json > mobsf-report.json

Parse mobsf-report.json to feed downstream tools (e.g., list exported activities for Drozer to target).

Preparing the Device

# Start emulator (Android Studio example)
emulator -avd Pixel_6_API_33 &

# Wait for boot
adb wait-for-device
adb devices

# Install target APK
adb install -r app-release.apk

# Optional: install MobSF dynamic agent if using instrumentation
adb install -r mobsf_dynamic_*.apk

Drozer Basics

Drozer requires both a console (host) and agent (device). Install via pip:

pip install drozer

Install the Drozer agent APK (drozer-agent.apk) on the emulator, launch it, and tap Embedded Server → ON to listen on port 31415.

Forward the port and spawn a console:

adb forward tcp:31415 tcp:31415
drozer console connect

You now have an interactive shell to enumerate packages, activities, content providers, and intent filters.

Automating Drozer Enumeration

Rather than clicking through modules manually, script a session that reads MobSF output and launches Drozer commands.

#!/usr/bin/env python3
"""dz_auto.py - Feed MobSF findings into Drozer scripts."""
import json
import subprocess
import sys

REPORT = json.load(open("mobsf-report.json"))
target_pkg = REPORT["apk_details"]["package_name"]
exported = REPORT["activities"]["exported"]

COMMANDS = [
    f"run app.package.info -a {target_pkg}",
    f"run app.activity.info -a {target_pkg}",
    f"run app.broadcast.info -a {target_pkg}",
    f"run app.service.info -a {target_pkg}",
]

for activity in exported:
    COMMANDS.append(f"run app.activity.start --component {target_pkg} {activity['name']}")

proc = subprocess.Popen(["drozer", "console", "connect"], stdin=subprocess.PIPE)
proc.communicate("\n".join(COMMANDS).encode())

The script:

  1. Reads exported components flagged by MobSF.
  2. Launches each via Drozer (app.activity.start etc.).
  3. Surfaces crashes or lax permission gates automatically.

APK-Driven Exploitation Flow

  1. Drop APK into MobSF.
  2. Harvest metadata (permissions, deep links, exported comps) via API.
  3. Push APK onto emulator + start Drozer agent.
  4. Run automation script to trigger components.
  5. Capture logs with adb logcat for stack traces, hardcoded secrets, or SQL queries.
  6. Exploit: When Drozer exposes an unprotected content provider, pivot using built-in modules or custom Python scripts.

Example: Dumping Content Provider Data

drozer> run app.provider.finduri com.target.app

Package: com.target.app
  Authority: com.target.app.notes
    Path: /notes

Automate the dump:

drozer console connect <<'EOF'
run app.provider.query content://com.target.app.notes/notes --projection _id,title,body
EOF

If the provider lacks permission checks, you gain read access instantly.

Example: Exploiting Weak Broadcast Receivers

MobSF report snippet:

{
  "receivers": {
    "exported": [
      {
        "name": "com.target.app.ResetPwdReceiver",
        "permission": null
      }
    ]
  }
}

Trigger via Drozer:

drozer console connect <<'EOF'
run app.broadcast.send --action com.target.app.RESET --component com.target.app com.target.app.ResetPwdReceiver --extra string email attacker@demo
EOF

If the receiver trusts any caller, you may reset passwords or trigger hidden functionality.

Dynamic Hooks: MobSF + Drozer

MobSF’s dynamic module can instrument web traffic and SSL pinning bypass. Combine with Drozer by:

  1. Launching MobSF dynamic analysis (Proxy + Frida gadget) to capture HTTPS flows.
  2. While the proxy runs, execute Drozer actions to force the app through interesting states (login, file upload).
  3. MobSF captures the traffic; Drozer confirms which IPC endpoints triggered it.

Continuous Testing Pipeline

flowchart LR
  A[APK commit] --> B[CI job]
  B --> C[MobSF CLI]
  C --> D[Parse report]
  D --> E[adb install]
  E --> F[Drozer auto-suite]
  F --> G[Export findings]

Sample GitHub Actions snippet (pseudo):

jobs:
  android-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Start MobSF
        run: docker run -d --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf
      - name: Static scan
        run: |
          python scripts/mobsf_upload.py app-release.apk
      - name: Launch emulator
        run: scripts/start_emulator.sh
      - name: Drozer sweep
        run: python scripts/dz_auto.py
      - name: Collect logs
        run: adb logcat -d > logs.txt

Store MobSF JSON, Drozer console output, and logcat traces as CI artifacts for triage.

Hardening Tips for Dev Teams

  • Mark every activity, service, receiver, provider as exported="false" unless explicitly needed.
  • Require custom permissions for IPC entry points.
  • Validate Intent extras server-side; never trust client-supplied data.
  • Encrypt local databases; MobSF surfaces plaintext SQLite tables.
  • Enable SafetyNet / Play Integrity and root detection to raise the bar for drozer-style attacks.

References

By PlaidNox Mobile Team
Published Nov 2025