This is a write-up of Android Application Security resources and tools which helps in Android Application pentesting and security research. This write up is a step to provide good quality content on different topics in Android Application Security. Content will be updated from time to time to make sure the quality of resources and latest updates related to Android Application Security.
Note : This is a compiled write up of Android Application Security resources. We are not promoting these resources in anyway and it is also possible that there would be many more great resources on Android Application Security which we might miss to add to this write up. If you know any good resources let us know by commenting below and we will add it to the write up/List.
Host device
A Windows/Linux/Mac OS device will work absolutely fine to do all the task for Android Pentesting.
Basics setup must Include :
Test Device
If you are testing on a real android physical device. It should be root to have the root privilege to access all the system files and also to install all the required tool on the device for security testing.
If you don’t have an Android rooted phone, you can use Android emulator/virtual device for testing.
Root Access :
For easier pentesting of Android application, having a root privilege on device/emulator is recommended and allows to perform many tasks. The Benefits of rooting your device for pentesting are:
Below mentioned resources can be used to get a full rooted Android device.
Rooting android devices :
Android is built on linux kernel and super user in linux is known as root. Root user can perform any operation on android device and the process of getting super user is called rooting. Rooting an Android device requires
Note : Depending on your device configurations you can select the tool with appropriate version.
For more details visit : xda-developers
Below are some tools which are often used in black box testing of Android Application
AVC UnDroid : https://undroid.av-comparatives.org/
Virustotal : https://www.virustotal.com/gui/
AppCritique : https://appcritique.boozallen.com/
AMAaas : https://amaaas.com/
Androwarn : https://github.com/maaaaz/androwarn/
ApkAnalyser : https://github.com/sonyxperiadev/ApkAnalyser
Apkinspector : https://github.com/honeynet/apkinspector/
Smali CFG generator : https://github.com/EugenioDelfa/Smali-CFGs
FlowDroid : https://blogs.uni-paderborn.de/sse/tools/flowdroid/
Amandroid : http://pag.arguslab.org/argus-saf
SmaliSCA : https://github.com/dorneanu/smalisca
SUPER : https://github.com/SUPERAndroidAnalyzer/super
CFGScanDroid : https://github.com/TACIXAT/CFGScanDroid
Maldrolyzer : https://github.com/maldroid/maldrolyzer
SPARATA : https://www.cs.washington.edu/sparta
ConDroid : https://github.com/JulianSchuette/ConDroid
DroidRA : https://github.com/serval-snt-uni-lu/DroidRA
RiskInDroid : https://github.com/ClaudiuGeorgiu/RiskInDroid
ClassyShark : https://github.com/google/android-classyshark
StaCoAn : https://github.com/AndroBugs/AndroBugs_Framework
JAADAS : https://github.com/flankerhqd/JAADAS
Quark : https://github.com/quark-engine/quark-engine
Qark : https://github.com/linkedin/qark/
AndroBugs : https://github.com/AndroBugs/AndroBugs_Framework
Nogotofail : https://github.com/google/nogotofail
Android DBI Framework : http://www.mulliner.org/blog/blosxom.cgi/security/androiddbiv02.html
MobSF : https://github.com/MobSF/Mobile-Security-Framework-MobSF
AppUse : https://appsec-labs.com/AppUse/
CobraDroid : https://thecobraden.com/projects/cobradroid/
DroidBox : https://github.com/pjlantz/droidbox
Drozer : https://github.com/FSecureLABS/drozer
Xposed : https://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053
Inspeckage : https://github.com/ac-pm/Inspeckage
Android Hooker : https://github.com/AndroidHooker/hooker
ProbeDroid : https://github.com/ZSShen/ProbeDroid
DECAF : https://github.com/decaf-project/DECAF
CuckooDroid : https://github.com/idanr1986/cuckoo-droid
Mem : https://github.com/MobileForensicsResearch/mem
AuditAndroid : https://github.com/nwhusted/AuditdAndroid
Android Security Evaluation Framework : https://code.google.com/archive/p/asef/
Aurasium : https://github.com/xurubin/aurasium
Android Linux Kernel Modules : https://github.com/strazzere/android-lkms
Appie : https://manifestsecurity.com/appie/
StaDyna : https://github.com/zyrikby/StaDynA
MARA : https://github.com/xtiankisutsa/MARA_Framework
Mobexler : https://enciphers.github.io/Mobexler/
Androl4b : https://github.com/sh4hin/Androl4b
Android tamer : https://androidtamer.com/
Vezir-Project : https://github.com/oguzhantopgul/Vezir-Project
Smali/Baksmali : https://github.com/JesusFreke/smali
emacs syntax coloring for smali files : https://github.com/strazzere/Emacs-Smali
vim syntax coloring for smali files : http://codetastrophe.com/smali.vim
AndBug : https://github.com/swdunlop/AndBug
Androguard : https://github.com/androguard/androguard
Apktool : https://ibotpeaches.github.io/Apktool/
Android Framework for Exploitation : https://github.com/appknox/AFE
Bypass signature and permission checks for IPCs : http://tiny.cc/uf06fz
Android OpenDebug : https://github.com/iSECPartners/Android-OpenDebug
Dex2Jar : https://github.com/pxb1988/dex2jar
Enjarify : https://github.com/google/enjarify
Dedexer : https://github.com/google/enjarify
Fino : https://github.com/sysdream/fino
Frida : https://www.frida.re/
Indroid : https://bitbucket.org/aseemjakhar/indroid/src
IntentSniffer : https://www.nccgroup.trust/us/our-research/isec-partners-releases-sslyze/
Introspy : https://github.com/iSECPartners/Introspy-Android
Jad : https://varaneckas.com/jad/
JD-GUI : https://github.com/java-decompiler/jd-gui
CFR : http://www.benf.org/other/cfr/
Krakatau : https://github.com/Storyyeller/Krakatau
Procyon : https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
FernFlower : https://github.com/fesh0r/fernflower
Redexer : https://github.com/plum-umd/redexer
Simplify Android deobfuscator : https://github.com/CalebFenton/simplify
Bytecode viewer : https://github.com/Konloch/bytecode-viewer
Radare2 : https://github.com/radareorg/radare2
Jadx : https://github.com/skylot/jadx
Dwarf : https://github.com/iGio90/Dwarf
Andromeda : https://github.com/secrary/Andromeda
apk-mitm : https://github.com/shroudedcode/apk-mitm
Intent Fuzzer : https://www.nccgroup.trust/us/our-research/intent-fuzzer/
Radamsa Fuzzer : https://github.com/anestisb/radamsa-android
Honggfuzz : https://github.com/google/honggfuzz
An Android port of the melkor ELF Fuzzer : https://github.com/anestisb/melkor-android
Media Fuzzing framework for Android : https://github.com/fuzzing/MFFA
Androfuzz : https://github.com/jonmetz/AndroFuzz
smalihook : http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html
AXMLPrinter2 : https://code.google.com/archive/p/android4me/downloads
adb autocomplete : https://github.com/mbrubeck/android-completion
Dalvik opcodes : http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
mitmproxy : https://github.com/mitmproxy/mitmproxy
Android Vulnerability Test Suite : https://github.com/AndroidVTS/android-vts
AppMon : https://github.com/dpnishant/appmon
Internal Blue : https://github.com/seemoo-lab/internalblue
ExploitMe Android Labs : http://securitycompass.github.io/AndroidLabs/setup.html
GoatDroid : https://github.com/nvisium-jack-mannino/OWASP-GoatDroid-Project
Android InsecureBank : https://github.com/dineshshetty/Android-InsecureBankv2
Google play crawler (Java) : https://github.com/Akdeniz/google-play-crawler
Google play crawler (Python) : https://github.com/egirault/googleplay-api
Google play crawler (Node) : https://github.com/dweinstein/node-google-play
Aptoide downloader (Node) : https://github.com/dweinstein/node-aptoide
Appland downloader (Node) : https://github.com/dweinstein/node-appland
Apkpure : https://apkpure.com/
Hardcoded Credentials : https://hackerone.com/reports/351555
Insecure Deeplinks : https://hackerone.com/reports/401793
SQL Injection : https://hackerone.com/reports/291764
Session Theft : https://hackerone.com/reports/328486
InSecure data storage : https://hackerone.com/reports/44727
Two-factor Authentication bypass : https://hackerone.com/reports/202425
Intent Spoofing : https://hackerone.com/reports/97295
Javascript Injection : https://hackerone.com/reports/54631
Books
OWASP Mobile Security Testing Guide (OWASP MSTG)
Blogs and Articles
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
https://developer.android.com/topic/security/best-practices
https://enciphers.github.io/Mobexler/Awesome_tools/
https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
https://github.com/B3nac/Android-Reports-and-Resources
https://hacken.io/research/education/mobile-application-penetration-testing-methodology/
Other Android Security Resource Compilations:
Secure Coding for Android Applications
Android Application collusion demystified
Did we miss something cool? Drop it in the comment below, and we will add it to the blog post.
checkout other posts related to android security:- https://enciphers.com/xposed-framework-plugins-for-android-pentesting/
