Deploying Mobile Security Framework on Kubernetes

MobSF is a security analysis tool for all-in-one mobile applications (Android, iOS etc). It has got extensive support from open source community and it is well known among security engineers and the developers since it features with CI/CD or DevSecOps pipeline.

Why MobSF?

As a growing business, Halodoc is actively developing features to make lives of the people easier with the best security protection. To maintain the industry level security with such big ongoing feature development we accommodated MobSF as a frontend side security analysis tool, which will be triggered automatically through the pipeline code on every development build and the complete analysed report will be shared out to the tech team developers.

What are the features MobSF tool has got ?

Curious.? Check out our previous blog on mobsf.

Problems faced at the beginning while migrating to k8s

  • As per official mobsf documentation there is no predefined Helm chart. More details about this issue can be found here.
  • REST API key was getting changed on every restart.

How to deploy mobSF on Kubernetes?

  1. Pull the required image version from dockerhub.

  2. Push this image to private AWS ECR, since docker hub has put rate limit on pulling the images. For more details checkout this link.

  3. Create new helm chart with helm create mobsf command.

  4. Provide the image details which is pushed to private ECR.

    Screenshot-2022-03-11-at-8.53.46-AM

  1. Good going so far! But we should not be deploying the container with root user. Isn't it? Well, that is handled by docker image and the non-root user will be running with the user id and group id as 9901. Make sure you add it to the pod security context.

    Screenshot-2022-03-11-at-8.59.13-AM

  1. Okay great! Now we've our image at the k8s level. Wait! What about the report persistence? Yes, we need additional volumes. If not it will be destroyed once our pod get restarted.

  2. Let's add some volumes to our MobSF containers. But where? We followed the code structure and noticed that all the scan related data is being written to /home/mobsf/.MobSF directory.

  3. Let's create EFS volume in AWS and apply this manifest to add efs storage class in k8s cluster.

  1. Fine! let's create Persistent Volume Claim (PVC) in the same namespace first.

  2. Now mount the volume to persist the reports and dependent details under the path /home/mobsf/.MobSF. Follow the steps here to attach this created volume to your pod.

  3. Now we are ready with all the required resources and configuration.

  4. Do run helm install <service-name> <path-to-helm-chart-dir> command to apply the yaml files to k8s cluster.

  5. Now create ingress component as per the requirement.

  6. Sample ingress yaml attached here. Set the DNS name as per your convention in host section.

  1. You can set the DNS name for the host.

  2. Awesome! Now we are ready with our URL to access the UI of mobsf.

Integrating with the shared library

  1. MobSF provides REST API support for all the operations required. Once the build is ready we can upload the build file and get the scan result for the same.

  2. Here are the API's supported by MobSF for the static analysis.

  3. API documentations will be available at {your-domain-name}/api_docs.

  4. We reformed freestyle development jobs to shared library pipeline in kubernetes based jenkins.

  5. For more details on integrating with jenkins visit here.

What happens to the growing data size?

  1. We faced disk full issue after some days post we deployed this tool in k8s.

  2. Main reason for the disk getting full frequently was due to the build size of the app and decompiled source code.

  3. So to handle our usecase, we decided not to keep this info more than 2 days.

  4. How to implement this? Well, scheduled cron job comes for the rescue.

  5. We created a cron job which runs at every day midnight to clean up the uploads directory present in the mounted volume in the path /home/mobsf/.MobSF.

Conclusion

  • Moving to k8s platform helps us utilise the resource more efficiently and also ensuring that the service will be having much more reliability as compared to running the services directly on bare metal.
  • Also, streamlining the process to scan the builds at development cycle itself ensures that the application will be shipped to end users without any security vulnerabilities.
  • Although MobSF has got some limitations to deploy the application in k8s, investing some time in moving the service to k8s will be worth the investment for deploying a Mobile Security framework such as MobSF in your environment.

Join us

Scalability, reliability, and maintainability are the three pillars that govern what we build at Halodoc Tech. We are actively looking for engineers at all levels and if solving hard problems with challenging requirements is your forte, please reach out to us with your resumé at careers.india@halodoc.com.

About Halodoc

Halodoc is the number 1 all around Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke. We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 4000+ pharmacies in 100+ cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allow patients to book a doctor appointment inside our application. We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek and many more. We recently closed our Series C round and In total have raised around USD$180 million for our mission. Our team works tirelessly to make sure that we create the best healthcare solution personalised for all of our patient's needs, and are continuously on a path to simplify healthcare for Indonesia.