Why Reversy?

# In the beginning...

In January 2015, Ajin Abraham released his Open Source tool MobSF on GitHub. The idea behind the tool is to enable security researchers to easily scan Android and iOS apps for vulnerabilities or other suspicious behaviors. MobSF wraps a large variety of both static and dynamic analysis tools to make life easier for researchers.

# Reality Sets In

Due to the way it is built, MobSF has several shortcomings in terms of functionality.

  • MobSF never synthesizes or summarizes data based on the outputs of the tools that it runs. For example, MobSF doesn't state whether an app is built with React Native, Flutter, etc.
  • For the most part, MobSF does not analyze any of the individual files included in the app bundle. For example, it does not make it easy to extract or analyze assets like machine learning models, image files, audio files, animations, etc.
  • MobSF does not target any use cases besides security researchers. It is very difficult to effectively use MobSF in CI pipelines for quality assurance.

Additionally, MobSF has some crippling usability issues that stem from its Python backend and its server-side templated frontend.

  • Large apps (e.g. TikTok) will cause the browser to crash, rendering MobSF unusable.
  • Scans are often painfully slow, since results from each section are not streamed in as they become available.
  • Searching results on the web page is difficult, because extremely long hexadecimal strings often show up in search results.

# Enter Reversy

The initial goal of the Reversy project is to reach feature parity with MobSF for the static analysis of iOS and Android apps. This is done using a plugin architecture, in which each plugin independently extracts useful information about the app being analyzed. After feature parity is reached, all additional functionality will be sold under the "Pro" license to help support the development of the project.
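To make the plugin idea concrete, here is an added illustration (not Reversy's or MobSF's code) of the architecture the paragraph above describes, also covering the two gaps listed earlier: synthesizing a summary such as "built with React Native" and inventorying bundled assets like machine learning models. Each plugin independently inspects the file listing of an app bundle and returns one finding; the runner yields findings one at a time so a UI could render them as they arrive, and isolates a crashing plugin so the rest of the scan continues. The choice of Python, the file-name heuristics used as framework markers, and the sample bundle are all assumptions made for this example.

```python
# Added example (not Reversy's or MobSF's code): a minimal plugin-style static
# analyzer over an app bundle's file listing. Framework markers, asset types
# and the sample bundle below are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import Callable, Iterator, Optional

@dataclass
class Finding:
    plugin: str                      # which plugin produced the finding
    summary: str                     # human-readable synthesized statement
    evidence: list = field(default_factory=list)  # file paths backing it

Plugin = Callable[[list], Optional[Finding]]
PLUGINS: list = []

def plugin(fn: Plugin) -> Plugin:
    """Register a plugin; plugins never depend on each other's output."""
    PLUGINS.append(fn)
    return fn

# Assumed file-name markers for cross-platform frameworks (not exhaustive).
FRAMEWORK_MARKERS = {
    "React Native": ("index.android.bundle", "main.jsbundle", "libreactnativejni.so"),
    "Flutter": ("libflutter.so", "flutter_assets/", "Flutter.framework/"),
}

@plugin
def detect_framework(files: list) -> Optional[Finding]:
    """Synthesize a single statement about which framework built the app."""
    for name, markers in FRAMEWORK_MARKERS.items():
        hits = [f for f in files if any(m in f for m in markers)]
        if hits:
            return Finding("framework", f"built with {name}", sorted(hits))
    return Finding("framework", "no cross-platform framework markers found")

# Assumed extension groups for bundled assets worth surfacing to an analyst.
ASSET_TYPES = {
    "ml-model": (".tflite", ".mlmodel", ".onnx"),
    "image": (".png", ".jpg", ".webp"),
    "audio": (".mp3", ".wav", ".aac"),
}

@plugin
def inventory_assets(files: list) -> Optional[Finding]:
    """Count bundled assets by type so they can be extracted and reviewed."""
    counts: dict = {}
    matched = []
    for f in files:
        for kind, exts in ASSET_TYPES.items():
            if f.lower().endswith(exts):
                counts[kind] = counts.get(kind, 0) + 1
                matched.append(f)
    if not counts:
        return None                  # nothing to report; plugin stays silent
    summary = ", ".join(f"{n} {kind}" for kind, n in sorted(counts.items()))
    return Finding("assets", summary, matched)

def run_plugins(files: list) -> Iterator[Finding]:
    """Run each registered plugin in turn, yielding findings as they are
    produced (so a frontend can stream them) and isolating plugin failures."""
    for p in PLUGINS:
        try:
            result = p(files)
        except Exception as exc:     # one broken plugin must not abort the scan
            result = Finding(p.__name__, f"plugin error: {exc}")
        if result is not None:
            yield result

def analyze(files: list) -> list:
    """Convenience wrapper that collects all findings for a bundle."""
    return list(run_plugins(files))

# Constructed file listing of a hypothetical Android bundle (not a real app).
SAMPLE_BUNDLE = [
    "AndroidManifest.xml",
    "classes.dex",
    "assets/index.android.bundle",
    "assets/models/classifier.tflite",
    "res/drawable/logo.png",
    "res/raw/chime.mp3",
    "lib/arm64-v8a/libreactnativejni.so",
]

if __name__ == "__main__":
    for finding in run_plugins(SAMPLE_BUNDLE):
        print(f"[{finding.plugin}] {finding.summary}")
        for path in finding.evidence:
            print("   ", path)
```

Because `run_plugins` is a generator, a frontend can render the framework finding before the asset inventory has finished, which is the streaming behaviour the usability list above asks for; adding a new extractor is a matter of writing one function and decorating it with `@plugin`.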

Non-goals of the Reversy project include dynamic analysis of apps. Dynamic analysis does not appear to be a widely used feature of MobSF, probably because it requires paid third-party emulation software to work.