Android Application Security
This is a write-up of Android Application Security resources and tools that help with Android application pentesting and security research. This write-up is a step toward providing good-quality content on different topics in Android Application Security. Content will be updated from time to time to keep the resources current with the latest developments in Android Application Security.
Note : This is a compiled write-up of Android Application Security resources. We are not promoting these resources in any way, and there are likely many more great resources on Android Application Security that we have missed. If you know any good resources, let us know by commenting below and we will add them to the write-up/list.
Pentesting Environment
Host device
A Windows, Linux or macOS host will work absolutely fine for all Android pentesting tasks.
Basic setup must include :
- Any one Windows/Linux/Mac OS machine.
- Wi-Fi network
- One rooted device or any Android emulator (like Genymotion and similar)
- One traffic-interception proxy (like Burp Suite, ZAP, etc.)
Test Device
If you are testing on a real Android physical device, it should be rooted so that you have root privileges to access all the system files and to install all the required tools on the device for security testing.
If you don't have a rooted Android phone, you can use an Android emulator/virtual device for testing.
Root Access :
For easier pentesting of Android applications, having root privileges on the device/emulator is recommended and allows you to perform many tasks. The benefits of rooting your device for pentesting are:
- Root access to the file system
- Ability to install all the security tools
- Debugging and analysis capabilities
- Access to the application runtime
The resources mentioned below can be used to get a fully rooted Android device.
Rooting Android devices :
Android is built on the Linux kernel, and the superuser in Linux is known as root. The root user can perform any operation on an Android device, and the process of obtaining superuser access is called rooting. Rooting an Android device requires
- Unlocking the bootloader
- Installing a custom recovery such as TWRP or a similar tool
Note : Depending on your device configuration, select the tool with the appropriate version.
For more details visit : xda-developers
Tools
Below are some tools that are often used in black-box testing of Android applications.
Analysers :
AVC UnDroid : https://undroid.av-comparatives.org/
Virustotal : https://www.virustotal.com/gui/
AppCritique : https://appcritique.boozallen.com/
AMAaas : https://amaaas.com/
Static Analysis Tools :
Androwarn : https://github.com/maaaaz/androwarn/
ApkAnalyser : https://github.com/sonyxperiadev/ApkAnalyser
Apkinspector : https://github.com/honeynet/apkinspector/
Smali CFG generator : https://github.com/EugenioDelfa/Smali-CFGs
FlowDroid : https://blogs.uni-paderborn.de/sse/tools/flowdroid/
Amandroid : http://pag.arguslab.org/argus-saf
SmaliSCA : https://github.com/dorneanu/smalisca
SUPER : https://github.com/SUPERAndroidAnalyzer/super
CFGScanDroid : https://github.com/TACIXAT/CFGScanDroid
Maldrolyzer : https://github.com/maldroid/maldrolyzer
SPARTA : https://www.cs.washington.edu/sparta
ConDroid : https://github.com/JulianSchuette/ConDroid
DroidRA : https://github.com/serval-snt-uni-lu/DroidRA
RiskInDroid : https://github.com/ClaudiuGeorgiu/RiskInDroid
ClassyShark : https://github.com/google/android-classyshark
StaCoAn : https://github.com/AndroBugs/AndroBugs_Framework
JAADAS : https://github.com/flankerhqd/JAADAS
Quark : https://github.com/quark-engine/quark-engine
Vulnerability Scanners :
Qark : https://github.com/linkedin/qark/
AndroBugs : https://github.com/AndroBugs/AndroBugs_Framework
Nogotofail : https://github.com/google/nogotofail
Dynamic Analysis Tools :
Android DBI Framework : http://www.mulliner.org/blog/blosxom.cgi/security/androiddbiv02.html
MobSF : https://github.com/MobSF/Mobile-Security-Framework-MobSF
AppUse : https://appsec-labs.com/AppUse/
CobraDroid : https://thecobraden.com/projects/cobradroid/
DroidBox : https://github.com/pjlantz/droidbox
Drozer : https://github.com/FSecureLABS/drozer
Xposed : https://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053
Inspeckage : https://github.com/ac-pm/Inspeckage
Android Hooker : https://github.com/AndroidHooker/hooker
ProbeDroid : https://github.com/ZSShen/ProbeDroid
DECAF : https://github.com/decaf-project/DECAF
CuckooDroid : https://github.com/idanr1986/cuckoo-droid
Mem : https://github.com/MobileForensicsResearch/mem
AuditAndroid : https://github.com/nwhusted/AuditdAndroid
Android Security Evaluation Framework : https://code.google.com/archive/p/asef/
Aurasium : https://github.com/xurubin/aurasium
Android Linux Kernel Modules : https://github.com/strazzere/android-lkms
Appie : https://manifestsecurity.com/appie/
StaDyna : https://github.com/zyrikby/StaDynA
MARA : https://github.com/xtiankisutsa/MARA_Framework
Virtual Machine with tools :
Mobexler : https://enciphers.github.io/Mobexler/
Androl4b : https://github.com/sh4hin/Androl4b
Android Tamer : https://androidtamer.com/
Vezir-Project : https://github.com/oguzhantopgul/Vezir-Project
Reverse Engineering :
Smali/Baksmali : https://github.com/JesusFreke/smali
Emacs syntax coloring for smali files : https://github.com/strazzere/Emacs-Smali
Vim syntax coloring for smali files : http://codetastrophe.com/smali.vim
AndBug : https://github.com/swdunlop/AndBug
Androguard : https://github.com/androguard/androguard
Apktool : https://ibotpeaches.github.io/Apktool/
Android Framework for Exploitation : https://github.com/appknox/AFE
Bypass signature and permission checks for IPCs : http://tiny.cc/uf06fz
Android OpenDebug : https://github.com/iSECPartners/Android-OpenDebug
Dex2Jar : https://github.com/pxb1988/dex2jar
Enjarify : https://github.com/google/enjarify
Dedexer : http://dedexer.sourceforge.net/
Fino : https://github.com/sysdream/fino
Frida : https://www.frida.re/
Indroid : https://bitbucket.org/aseemjakhar/indroid/src
IntentSniffer : https://www.nccgroup.trust/us/our-research/isec-partners-releases-sslyze/
Introspy : https://github.com/iSECPartners/Introspy-Android
Jad : https://varaneckas.com/jad/
JD-GUI : https://github.com/java-decompiler/jd-gui
CFR : http://www.benf.org/other/cfr/
Krakatau : https://github.com/Storyyeller/Krakatau
Procyon : https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler
FernFlower : https://github.com/fesh0r/fernflower
Redexer : https://github.com/plum-umd/redexer
Simplify Android deobfuscator : https://github.com/CalebFenton/simplify
Bytecode viewer : https://github.com/Konloch/bytecode-viewer
Radare2 : https://github.com/radareorg/radare2
Jadx : https://github.com/skylot/jadx
Dwarf : https://github.com/iGio90/Dwarf
Andromeda : https://github.com/secrary/Andromeda
apk-mitm : https://github.com/shroudedcode/apk-mitm
Fuzzing Tools :
Intent Fuzzer : https://www.nccgroup.trust/us/our-research/intent-fuzzer/
Radamsa Fuzzer : https://github.com/anestisb/radamsa-android
Honggfuzz : https://github.com/google/honggfuzz
An Android port of the melkor ELF Fuzzer : https://github.com/anestisb/melkor-android
Media Fuzzing framework for Android : https://github.com/fuzzing/MFFA
Androfuzz : https://github.com/jonmetz/AndroFuzz
Misc Tools :
smalihook : http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html
AXMLPrinter2 : https://code.google.com/archive/p/android4me/downloads
adb autocomplete : https://github.com/mbrubeck/android-completion
Dalvik opcodes : http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
mitmproxy : https://github.com/mitmproxy/mitmproxy
Android Vulnerability Test Suite : https://github.com/AndroidVTS/android-vts
AppMon : https://github.com/dpnishant/appmon
Internal Blue : https://github.com/seemoo-lab/internalblue
Labs for practice :
ExploitMe Android Labs : http://securitycompass.github.io/AndroidLabs/setup.html
GoatDroid : https://github.com/nvisium-jack-mannino/OWASP-GoatDroid-Project
Android InsecureBank : https://github.com/dineshshetty/Android-InsecureBankv2
Crawlers/apk downloaders :
Google Play crawler (Java) : https://github.com/Akdeniz/google-play-crawler
Google Play crawler (Python) : https://github.com/egirault/googleplay-api
Google Play crawler (Node) : https://github.com/dweinstein/node-google-play
Aptoide downloader (Node) : https://github.com/dweinstein/node-aptoide
Appland downloader (Node) : https://github.com/dweinstein/node-appland
Apkpure : https://apkpure.com/
Reports and Resources :
Hardcoded Credentials : https://hackerone.com/reports/351555
Insecure Deeplinks : https://hackerone.com/reports/401793
SQL Injection : https://hackerone.com/reports/291764
Session Theft : https://hackerone.com/reports/328486
Insecure data storage : https://hackerone.com/reports/44727
Two-factor Authentication bypass : https://hackerone.com/reports/202425
Intent Spoofing : https://hackerone.com/reports/97295
JavaScript Injection : https://hackerone.com/reports/54631
Learning resources :
Books
OWASP Mobile Security Testing Guide (OWASP MSTG)
Blogs and Articles
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
https://developer.android.com/topic/security/best-practices
https://enciphers.github.io/Mobexler/Awesome_tools/
https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet
https://github.com/B3nac/Android-Reports-and-Resources
https://hacken.io/research/education/mobile-application-penetration-testing-methodology/
Other Android Security Resource Compilations:
Secure Coding for Android Applications
Android Application collusion demystified
Twitter handle to follow :
Did we miss something cool? Drop it in the comments below, and we will add it to the blog post.
Check out other posts related to Android security: https://enciphers.com/xposed-framework-plugins-for-android-pentesting/