Awesome Android Application Security

This is a write-up of Android application security resources and tools that help with Android application pentesting and security research. This write-up is a step toward providing good-quality content on different topics in Android application security. Content will be updated from time to time to maintain the quality of the resources and to include the latest updates related to Android application security.

Note : This is a compiled write-up of Android application security resources. We are not promoting these resources in any way, and there may be many more great resources on Android application security that we have missed. If you know of any good resources, let us know by commenting below and we will add them to the write-up/list.

 

Pentesting Environment

 

Host device

A Windows/Linux/Mac OS device will work absolutely fine for all Android pentesting tasks.

Basic setup must include :

  1. Any one (Windows/Linux/Mac) OS machine.
  2. Wi-Fi network
  3. One rooted device or any Android emulator (like Genymotion and similar)
  4. One interception proxy for traffic (like Burp Suite, ZAP, etc.)

Test Device

 

If you are testing on a real, physical Android device, it should be rooted so that you have root privileges to access all the system files and to install all the required tools on the device for security testing.

If you don’t have a rooted Android phone, you can use an Android emulator/virtual device for testing.

 

Root Access :

 

For easier pentesting of Android applications, having root privileges on the device/emulator is recommended, as it allows you to perform many tasks. The benefits of rooting your device for pentesting are:

  1. Root access to file system
  2. Ability to install all the security tools
  3. Debugging and analysis capabilities
  4. Access to application runtime

The resources mentioned below can be used to get a fully rooted Android device.

 

Rooting android devices :

Android is built on the Linux kernel, and the superuser in Linux is known as root. The root user can perform any operation on an Android device, and the process of getting superuser access is called rooting. Rooting an Android device requires:

  1. Unlocking the bootloader
  2. Installing a recovery tool like TWRP or a similar tool

Note : Depending on your device configuration, select the tool with the appropriate version.

For more details visit : xda-developers

 

Tools

 

Below are some tools that are often used in black-box testing of Android applications.

 

Analysers :

AVC UnDroid : https://undroid.av-comparatives.org/

Virustotal : https://www.virustotal.com/gui/

AppCritique : https://appcritique.boozallen.com/

AMAaas : https://amaaas.com/

 

Static Analysis Tools :

Androwarn : https://github.com/maaaaz/androwarn/

ApkAnalyser : https://github.com/sonyxperiadev/ApkAnalyser

Apkinspector : https://github.com/honeynet/apkinspector/

Smali CFG generator : https://github.com/EugenioDelfa/Smali-CFGs

FlowDroid : https://blogs.uni-paderborn.de/sse/tools/flowdroid/

Amandroid : http://pag.arguslab.org/argus-saf

SmaliSCA : https://github.com/dorneanu/smalisca

SUPER : https://github.com/SUPERAndroidAnalyzer/super

CFGScanDroid : https://github.com/TACIXAT/CFGScanDroid

Maldrolyzer : https://github.com/maldroid/maldrolyzer

SPARTA : https://www.cs.washington.edu/sparta

ConDroid : https://github.com/JulianSchuette/ConDroid

DroidRA : https://github.com/serval-snt-uni-lu/DroidRA

RiskInDroid : https://github.com/ClaudiuGeorgiu/RiskInDroid

ClassyShark : https://github.com/google/android-classyshark

StaCoAn : https://github.com/AndroBugs/AndroBugs_Framework

JAADAS : https://github.com/flankerhqd/JAADAS

Quark : https://github.com/quark-engine/quark-engine

 

Vulnerability Scanners :

Qark : https://github.com/linkedin/qark/

AndroBugs : https://github.com/AndroBugs/AndroBugs_Framework

Nogotofail : https://github.com/google/nogotofail

 

Dynamic Analysis Tools :

Android DBI Framework : http://www.mulliner.org/blog/blosxom.cgi/security/androiddbiv02.html

MobSF : https://github.com/MobSF/Mobile-Security-Framework-MobSF

AppUse : https://appsec-labs.com/AppUse/

CobraDroid : https://thecobraden.com/projects/cobradroid/

DroidBox : https://github.com/pjlantz/droidbox

Drozer : https://github.com/FSecureLABS/drozer

Xposed : https://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053

Inspeckage : https://github.com/ac-pm/Inspeckage

Android Hooker : https://github.com/AndroidHooker/hooker

ProbeDroid : https://github.com/ZSShen/ProbeDroid

DECAF : https://github.com/decaf-project/DECAF

CuckooDroid : https://github.com/idanr1986/cuckoo-droid

Mem : https://github.com/MobileForensicsResearch/mem

AuditdAndroid : https://github.com/nwhusted/AuditdAndroid

Android Security Evaluation Framework : https://code.google.com/archive/p/asef/

Aurasium : https://github.com/xurubin/aurasium

Android Linux Kernel Modules : https://github.com/strazzere/android-lkms

Appie : https://manifestsecurity.com/appie/

StaDyna : https://github.com/zyrikby/StaDynA

MARA : https://github.com/xtiankisutsa/MARA_Framework

 

Virtual Machine with tools : 

Mobexler : https://enciphers.github.io/Mobexler/

Androl4b : https://github.com/sh4hin/Androl4b

Android tamer : https://androidtamer.com/

Vezir-Project : https://github.com/oguzhantopgul/Vezir-Project

 

Reverse Engineering :

Smali/Baksmali : https://github.com/JesusFreke/smali 

emacs syntax coloring for smali files : https://github.com/strazzere/Emacs-Smali 

vim syntax coloring for smali files : http://codetastrophe.com/smali.vim

AndBug : https://github.com/swdunlop/AndBug 

Androguard : https://github.com/androguard/androguard 

Apktool : https://ibotpeaches.github.io/Apktool/ 

Android Framework for Exploitation : https://github.com/appknox/AFE 

Bypass signature and permission checks for IPCs : http://tiny.cc/uf06fz 

Android OpenDebug : https://github.com/iSECPartners/Android-OpenDebug 

Dex2Jar : https://github.com/pxb1988/dex2jar

Enjarify : https://github.com/google/enjarify

Dedexer : https://github.com/google/enjarify 

Fino : https://github.com/sysdream/fino 

Frida : https://www.frida.re/ 

Indroid : https://bitbucket.org/aseemjakhar/indroid/src 

IntentSniffer : https://www.nccgroup.trust/us/our-research/isec-partners-releases-sslyze/ 

Introspy : https://github.com/iSECPartners/Introspy-Android 

Jad : https://varaneckas.com/jad/ 

JD-GUI : https://github.com/java-decompiler/jd-gui 

CFR : http://www.benf.org/other/cfr/ 

Krakatau : https://github.com/Storyyeller/Krakatau 

Procyon : https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler 

FernFlower : https://github.com/fesh0r/fernflower 

Redexer : https://github.com/plum-umd/redexer 

Simplify Android deobfuscator : https://github.com/CalebFenton/simplify 

Bytecode viewer : https://github.com/Konloch/bytecode-viewer 

Radare2 : https://github.com/radareorg/radare2 

Jadx : https://github.com/skylot/jadx 

Dwarf : https://github.com/iGio90/Dwarf 

Andromeda : https://github.com/secrary/Andromeda 

apk-mitm : https://github.com/shroudedcode/apk-mitm 

 

Fuzzing Tools :

Intent Fuzzer : https://www.nccgroup.trust/us/our-research/intent-fuzzer/

Radamsa Fuzzer : https://github.com/anestisb/radamsa-android

Honggfuzz : https://github.com/google/honggfuzz

An Android port of the melkor ELF Fuzzer : https://github.com/anestisb/melkor-android

Media Fuzzing framework for Android : https://github.com/fuzzing/MFFA

Androfuzz : https://github.com/jonmetz/AndroFuzz

 

Misc Tools :

smalihook : http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html 

AXMLPrinter2 : https://code.google.com/archive/p/android4me/downloads 

adb autocomplete : https://github.com/mbrubeck/android-completion 

Dalvik opcodes : http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html 

mitmproxy : https://github.com/mitmproxy/mitmproxy 

Android Vulnerability Test Suite : https://github.com/AndroidVTS/android-vts 

AppMon : https://github.com/dpnishant/appmon 

Internal Blue : https://github.com/seemoo-lab/internalblue 

 

Labs for practice :

ExploitMe Android Labs : http://securitycompass.github.io/AndroidLabs/setup.html 

GoatDroid : https://github.com/nvisium-jack-mannino/OWASP-GoatDroid-Project 

Android InsecureBank : https://github.com/dineshshetty/Android-InsecureBankv2 

 

Crawlers/apk downloaders : 

Google play crawler (Java) : https://github.com/Akdeniz/google-play-crawler 

Google play crawler (Python) : https://github.com/egirault/googleplay-api 

Google play crawler (Node) : https://github.com/dweinstein/node-google-play 

Aptoide downloader (Node) : https://github.com/dweinstein/node-aptoide 

Appland downloader (Node) : https://github.com/dweinstein/node-appland 

Apkpure : https://apkpure.com/ 

 

Reports and Resources :

Hardcoded Credentials : https://hackerone.com/reports/351555

Insecure Deeplinks : https://hackerone.com/reports/401793

SQL Injection : https://hackerone.com/reports/291764

Session Theft : https://hackerone.com/reports/328486

Insecure data storage : https://hackerone.com/reports/44727

Two-factor Authentication bypass : https://hackerone.com/reports/202425

Intent Spoofing : https://hackerone.com/reports/97295

JavaScript Injection : https://hackerone.com/reports/54631

 

Learning resources :

 

Books

OWASP Mobile Security Testing Guide (OWASP MSTG)

Android Hacker’s Handbook

 

Blogs and Articles

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

https://developer.android.com/topic/security/best-practices

https://enciphers.github.io/Mobexler/Awesome_tools/

https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet

https://github.com/B3nac/Android-Reports-and-Resources

https://hacken.io/research/education/mobile-application-penetration-testing-methodology/

 

Other Android Security Resource Compilations: 

Smartphone App Security 

Secure Coding for Android Applications  

Android Application collusion demystified

MobileApp pentest cheat sheet

Awesome-mobile-CTF

Secure Mobile Development 

 

Twitter handles to follow :

@mobilesecurity_

@0ctac0der

@enciphers_

@OWASP_MSTG

@mobilesecurity

@NowSecureMobile

@ZIMPERIUM

Did we miss something cool? Drop it in the comments below, and we will add it to the blog post.