MobSF supports a range of environment variable configurations to customize its behaviour and adapt to various deployment scenarios. Here is a list of supported environment variables.
- MOBSF_DEBUG: Enables debug mode when set to 1.
- MOBSF_SECRET_KEY: Configure a static Django secret.
- MOBSF_USE_X_FORWARDED_HOST: Enables X-Forwarded-Host header support when set to 1.
- MOBSF_USE_X_FORWARDED_PORT: Enables X-Forwarded-Port header support when set to 1.
- TIME_ZONE: Configure a timezone for the server, defaults to UTC.
- MOBSF_PLATFORM: Specify the operating environment for MobSF, such as docker.
- MOBSF_HOME_DIR: Specify MobSF home directory to store analysis data, defaults to ~/ or $HOME.

PostgreSQL is configured only if the required environment variables are set; otherwise, MobSF defaults to using the sqlite3 database.
- POSTGRES_USER: Username for the PostgreSQL database.
- POSTGRES_PASSWORD: Password for the PostgreSQL database.
- POSTGRES_PASSWORD_FILE: Path to a file containing the PostgreSQL password (docker secrets mount).
- POSTGRES_HOST: Hostname or IP address of the PostgreSQL server.
- POSTGRES_PORT: Port for connecting to the PostgreSQL server (default: 5432).
- POSTGRES_DB: Name of the PostgreSQL database (default: mobsf).

- MOBSF_ASYNC_ANALYSIS: Enables asynchronous analysis when set to 1. This is used to support async task queues with DjangoQ2.
- MOBSF_ASYNC_ANALYSIS_TIMEOUT: Asynchronous task timeout in minutes, defaults to 60 minutes.
- MOBSF_ASYNC_WORKERS: Number of asynchronous scans supported at a time, defaults to 3 workers.
- MOBSF_MULTIPROCESSING: Specifies multiprocessing mode (billiard, thread, default).

- MOBSF_JADX_TIMEOUT: Timeout in seconds for JADX/apktool operations (default: 1000 seconds).
- MOBSF_SAST_TIMEOUT: Timeout in seconds for static analysis (default: 1000 seconds).
- MOBSF_BINARY_ANALYSIS_TIMEOUT: Timeout in seconds for binary analysis (default: 600 seconds).

- MOBSF_DISABLE_AUTHENTICATION: Disables authentication when set.
- MOBSF_RATELIMIT: Rate limit for API requests (default: 7/m).
- MOBSF_API_ONLY: Enables REST API-only mode when set to 1. The Web UI endpoints will be disabled.
- MOBSF_API_KEY: Set a custom static authentication key for MobSF REST APIs.
- MOBSF_API_KEY_FILE: Read REST API authentication key from a file (docker secrets mount).

- MOBSF_PROXY_IP: IP address for the HTTPS proxy run by MobSF (httptools) (default: 127.0.0.1).
- MOBSF_PROXY_PORT: Port for the HTTPS proxy run by MobSF (httptools) (default: 1337).

- MOBSF_UPSTREAM_PROXY_ENABLED: Enables upstream proxy support when set to 1.
- MOBSF_UPSTREAM_PROXY_SSL_VERIFY: Verifies SSL for upstream proxy when set to 1.
- MOBSF_UPSTREAM_PROXY_TYPE: Type of upstream proxy (default: http).
- MOBSF_UPSTREAM_PROXY_IP: IP address for the upstream proxy (default: 127.0.0.1).
- MOBSF_UPSTREAM_PROXY_PORT: Port for the upstream proxy (default: 3128).
- MOBSF_UPSTREAM_PROXY_USERNAME: Username for upstream proxy authentication.
- MOBSF_UPSTREAM_PROXY_PASSWORD: Password for upstream proxy authentication.

- MOBSF_DOMAIN_MALWARE_SCAN: Enables domain malware scan, defaults to 1.
- MOBSF_APKID_ENABLED: Enables APKiD scan, defaults to 1.
- MOBSF_DYLIB_ANALYSIS_ENABLED: Enables dylib analysis, defaults to 1.
- MOBSF_SO_ANALYSIS_ENABLED: Enables shared object analysis, defaults to 1.
- MOBSF_DEX2SMALI_ENABLED: Enables dex to smali conversion for Android binaries, defaults to 1.
- MOBSF_PERM_MAPPING_ENABLED: Enables permission to code mapping for Android scans, defaults to 1.
- MOBSF_NIAP_ENABLED: Enables NIAP scan when set to 1. This is disabled by default.
- MOBSF_CVSS_SCORE_ENABLED: Show CVSSV2 scores when set to 1. This is disabled by default.

- MOBSF_ANALYZER_IDENTIFIER: Android Debug Bridge (adb) compatible device identifier.

Use these when targeting a physical jailbroken iOS device reachable over SSH (USB port forwarding or Wi‑Fi), instead of Corellium.
- MOBSF_IOS_ANALYZER_IDENTIFIERS: One or more SSH endpoints as IP:PORT, comma-separated. Example: 192.168.1.100:22. Multiple devices: 192.168.1.100:22,192.168.1.101:22.
- MOBSF_IOS_SSH_USER: SSH username (default: root).
- MOBSF_IOS_SSH_PASSWORD: SSH password (default: alpine).

- MOBSF_CORELLIUM_API_DOMAIN: API domain for Corellium integration.
- MOBSF_CORELLIUM_API_KEY: API key for Corellium integration.
- MOBSF_CORELLIUM_PROJECT_ID: Project ID for Corellium integration (optional).

- MOBSF_FRIDA_TIMEOUT: Frida connection timeout, defaults to 4 seconds.
- MOBSF_ACTIVITY_TESTER_SLEEP: Number of seconds to wait before invoking an activity, defaults to 4 seconds. This is used by the Activity tester.
- MOBSF_ADB/MOBSF_ADB_BINARY: Specify the path to the adb binary that MobSF should use for Android dynamic analysis.

- MOBSF_VT_ENABLED: Enables VirusTotal integration when set to 1.
- MOBSF_VT_API_KEY: API key for VirusTotal integration.
- MOBSF_VT_UPLOAD: Enables file uploads to VirusTotal when set to 1. Otherwise, only hash values are sent to VirusTotal.

- MOBSF_APPMONSTA_API: AppMonsta API key to fetch package details.

- MOBSF_IDP_METADATA_URL: Metadata URL for SAML IdP.
- MOBSF_IDP_ENTITY_ID: Entity ID for SAML IdP.
- MOBSF_IDP_SSO_URL: Single Sign-On (SSO) URL for SAML IdP.
- MOBSF_IDP_X509CERT: X.509 certificate for SAML IdP.
- MOBSF_IDP_IS_ADFS: Set ADFS as IdP when set to 1.
- MOBSF_SP_HOST: Hostname for SAML Service Provider (SP).
- MOBSF_SP_ALLOW_PASSWORD: Enables password-based login for SAML SP when set to 1.
- MOBSF_IDP_MAINTAINER_GROUP: Custom group name for Read/Write maintainers, defaults to Maintainer.
- MOBSF_IDP_VIEWER_GROUP: Custom group name for Read-only viewers, defaults to Viewer.

- MOBSF_BUNDLE_TOOL: Path to the BundleTool binary.
- MOBSF_JADX_BINARY: Path to the JADX binary.
- MOBSF_BACKSMALI_BINARY: Path to the Backsmali binary.
- MOBSF_VD2SVG_BINARY: Path to the VD2SVG binary.
- MOBSF_APKTOOL_BINARY: Path to the apktool binary.
- MOBSF_ADB_BINARY: Path to the ADB binary.
- MOBSF_AAPT2_BINARY: Path to the AAPT2 binary.
- MOBSF_AAPT_BINARY: Path to the AAPT binary.
- MOBSF_JAVA_DIRECTORY: Path to the Java directory.

- MOBSF_JTOOL_BINARY: Path to the jtool binary.
- MOBSF_CLASSDUMP_BINARY: Path to the class-dump binary.
- MOBSF_CLASSDUMP_SWIFT_BINARY: Path to the class-dump-swift binary.

- EFR_01: Enables a custom enterprise feature request when set to 1.
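
Several of the variables above weaken a deployment when left at their listed defaults or switched on. As an added example (not part of MobSF or its documentation), the following pre-deployment check flags those combinations in an environment mapping. The function name `audit_mobsf_env` and both sample environments are constructed for illustration.

```python
import os

def audit_mobsf_env(env):
    """Return (variable, finding) pairs for risky values in an env mapping."""
    findings = []

    def on(name):
        return env.get(name) == "1"
    if on("MOBSF_DEBUG"):
        findings.append(("MOBSF_DEBUG", "debug mode is enabled"))
    # The page says this applies "when set", so any value is flagged.
    if "MOBSF_DISABLE_AUTHENTICATION" in env:
        findings.append(("MOBSF_DISABLE_AUTHENTICATION", "authentication is disabled"))
    # Prefer the *_FILE variants (docker secrets mount) over inline secrets.
    for inline, from_file in (("POSTGRES_PASSWORD", "POSTGRES_PASSWORD_FILE"),
                              ("MOBSF_API_KEY", "MOBSF_API_KEY_FILE")):
        if inline in env and from_file not in env:
            findings.append((inline, f"inline secret; use {from_file} instead"))
    # Physical iOS device configured but SSH password left at the listed default.
    if env.get("MOBSF_IOS_ANALYZER_IDENTIFIERS") and \
            env.get("MOBSF_IOS_SSH_PASSWORD", "alpine") == "alpine":
        findings.append(("MOBSF_IOS_SSH_PASSWORD", "default SSH password in use"))
    # With upload off only hashes go to VirusTotal; with it on, whole files do.
    if on("MOBSF_VT_ENABLED") and on("MOBSF_VT_UPLOAD"):
        findings.append(("MOBSF_VT_UPLOAD", "scanned files are uploaded to VirusTotal"))
    # The page gives no default here, so require an explicit 1.
    if on("MOBSF_UPSTREAM_PROXY_ENABLED") and not on("MOBSF_UPSTREAM_PROXY_SSL_VERIFY"):
        findings.append(("MOBSF_UPSTREAM_PROXY_SSL_VERIFY", "not explicitly set to 1"))
    return findings

# Constructed sample environments (values and secret paths are placeholders).
WEAK = {
    "MOBSF_DEBUG": "1", "MOBSF_DISABLE_AUTHENTICATION": "1",
    "POSTGRES_PASSWORD": "constructed-password",
    "MOBSF_IOS_ANALYZER_IDENTIFIERS": "192.168.1.100:22",
    "MOBSF_VT_ENABLED": "1", "MOBSF_VT_UPLOAD": "1",
    "MOBSF_UPSTREAM_PROXY_ENABLED": "1",
}
HARDENED = {
    "POSTGRES_PASSWORD_FILE": "/run/secrets/postgres_password",
    "MOBSF_API_KEY_FILE": "/run/secrets/mobsf_api_key",
    "MOBSF_IOS_ANALYZER_IDENTIFIERS": "192.168.1.100:22",
    "MOBSF_IOS_SSH_PASSWORD": "constructed-non-default",
    "MOBSF_VT_ENABLED": "1",
    "MOBSF_UPSTREAM_PROXY_ENABLED": "1", "MOBSF_UPSTREAM_PROXY_SSL_VERIFY": "1",
}
if __name__ == "__main__":
    for var, msg in audit_mobsf_env(os.environ):
        print(f"[!] {var}: {msg}")
```

Run as a script, it audits the current process environment, so it can gate a container entrypoint or CI job before MobSF starts.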