Awesome Android Application Security

November 26, 2019

Android Application Security

This is a write-up of Android application security resources and tools that help in Android application pentesting and security research. It is a step toward providing good-quality content on different topics in Android application security. The content will be updated from time to time to maintain the quality of the resources and to include the latest updates related to Android application security.

Note : This is a compiled write-up of Android application security resources. We are not promoting these resources in any way, and there may well be many more great resources on Android application security that we have missed. If you know of any good resources, let us know by commenting below and we will add them to the list.

Pentesting Environment

Host device

A Windows/Linux/Mac OS machine will work absolutely fine for all Android pentesting tasks.

A basic setup must include :

  1. One machine running any OS (Windows/Linux/Mac)
  2. A Wi-Fi network
  3. One rooted device or any Android emulator (like Genymotion and similar)
  4. One interception proxy for traffic (like Burp Suite, ZAP, etc.)

Test Device

If you are testing on a physical Android device, it should be rooted so that you have the root privileges needed to access all system files and to install all the tools required for security testing on the device.

If you don’t have a rooted Android phone, you can use an Android emulator/virtual device for testing.

Root Access :

For easier pentesting of Android applications, root privileges on the device/emulator are recommended, as they allow you to perform many tasks. The benefits of rooting your device for pentesting are:

  1. Root access to the file system
  2. Ability to install all the security tools
  3. Debugging and analysis capabilities
  4. Access to the application runtime

The resources mentioned below can be used to get a fully rooted Android device.

Rooting android devices :

Android is built on the Linux kernel, and the superuser in Linux is known as root. The root user can perform any operation on an Android device, and the process of obtaining superuser access is called rooting. Rooting an Android device requires:

  1. Unlocking the bootloader
  2. Installing a recovery tool such as TWRP or a similar tool

Note : Depending on your device configuration, select the tool with the appropriate version.

For more details visit : xda-developers

Tools

Below are some tools that are often used in black-box testing of Android applications.

Analysers :

AVC UnDroid : https://undroid.av-comparatives.org/

Virustotal : https://www.virustotal.com/gui/

AppCritique : https://appcritique.boozallen.com/

AMAaas : https://amaaas.com/

Static Analysis Tools :

Androwarn : https://github.com/maaaaz/androwarn/

ApkAnalyser : https://github.com/sonyxperiadev/ApkAnalyser

Apkinspector : https://github.com/honeynet/apkinspector/

Smali CFG generator : https://github.com/EugenioDelfa/Smali-CFGs

FlowDroid : https://blogs.uni-paderborn.de/sse/tools/flowdroid/

Amandroid : http://pag.arguslab.org/argus-saf

SmaliSCA : https://github.com/dorneanu/smalisca

SUPER : https://github.com/SUPERAndroidAnalyzer/super

CFGScanDroid : https://github.com/TACIXAT/CFGScanDroid

Maldrolyzer : https://github.com/maldroid/maldrolyzer

SPARTA : https://www.cs.washington.edu/sparta

ConDroid : https://github.com/JulianSchuette/ConDroid

DroidRA : https://github.com/serval-snt-uni-lu/DroidRA

RiskInDroid : https://github.com/ClaudiuGeorgiu/RiskInDroid

ClassyShark : https://github.com/google/android-classyshark

StaCoAn : https://github.com/AndroBugs/AndroBugs_Framework

JAADAS : https://github.com/flankerhqd/JAADAS

Quark : https://github.com/quark-engine/quark-engine

Vulnerability Scanners :

Qark : https://github.com/linkedin/qark/

AndroBugs : https://github.com/AndroBugs/AndroBugs_Framework

Nogotofail : https://github.com/google/nogotofail

Dynamic Analysis Tools :

Android DBI Framework : http://www.mulliner.org/blog/blosxom.cgi/security/androiddbiv02.html

MobSF : https://github.com/MobSF/Mobile-Security-Framework-MobSF

AppUse : https://appsec-labs.com/AppUse/

CobraDroid : https://thecobraden.com/projects/cobradroid/

DroidBox : https://github.com/pjlantz/droidbox

Drozer : https://github.com/FSecureLABS/drozer

Xposed : https://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053

Inspeckage : https://github.com/ac-pm/Inspeckage

Android Hooker : https://github.com/AndroidHooker/hooker

ProbeDroid : https://github.com/ZSShen/ProbeDroid

DECAF : https://github.com/decaf-project/DECAF

CuckooDroid : https://github.com/idanr1986/cuckoo-droid

Mem : https://github.com/MobileForensicsResearch/mem

AuditdAndroid : https://github.com/nwhusted/AuditdAndroid

Android Security Evaluation Framework : https://code.google.com/archive/p/asef/

Aurasium : https://github.com/xurubin/aurasium

Android Linux Kernel Modules : https://github.com/strazzere/android-lkms

Appie : https://manifestsecurity.com/appie/

StaDyna : https://github.com/zyrikby/StaDynA

MARA : https://github.com/xtiankisutsa/MARA_Framework

Virtual Machine with tools :

Mobexler : https://enciphers.github.io/Mobexler/

Androl4b : https://github.com/sh4hin/Androl4b

Android tamer : https://androidtamer.com/

Vezir-Project : https://github.com/oguzhantopgul/Vezir-Project

Reverse Engineering :

Smali/Baksmali : https://github.com/JesusFreke/smali

emacs syntax coloring for smali files : https://github.com/strazzere/Emacs-Smali

vim syntax coloring for smali files : http://codetastrophe.com/smali.vim

AndBug : https://github.com/swdunlop/AndBug

Androguard : https://github.com/androguard/androguard

Apktool : https://ibotpeaches.github.io/Apktool/

Android Framework for Exploitation : https://github.com/appknox/AFE

Bypass signature and permission checks for IPCs : http://tiny.cc/uf06fz 

Android OpenDebug : https://github.com/iSECPartners/Android-OpenDebug

Dex2Jar : https://github.com/pxb1988/dex2jar

Enjarify : https://github.com/google/enjarify

Dedexer : https://github.com/google/enjarify

Fino : https://github.com/sysdream/fino

Frida : https://www.frida.re/

Indroid : https://bitbucket.org/aseemjakhar/indroid/src

IntentSniffer : https://www.nccgroup.trust/us/our-research/isec-partners-releases-sslyze/

Introspy : https://github.com/iSECPartners/Introspy-Android

Jad : https://varaneckas.com/jad/

JD-GUI : https://github.com/java-decompiler/jd-gui

CFR : http://www.benf.org/other/cfr/

Krakatau : https://github.com/Storyyeller/Krakatau

Procyon : https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler

FernFlower : https://github.com/fesh0r/fernflower

Redexer : https://github.com/plum-umd/redexer

Simplify Android deobfuscator : https://github.com/CalebFenton/simplify

Bytecode viewer : https://github.com/Konloch/bytecode-viewer

Radare2 : https://github.com/radareorg/radare2

Jadx : https://github.com/skylot/jadx

Dwarf : https://github.com/iGio90/Dwarf

Andromeda : https://github.com/secrary/Andromeda

apk-mitm : https://github.com/shroudedcode/apk-mitm

Fuzzing Tools :

Intent Fuzzer : https://www.nccgroup.trust/us/our-research/intent-fuzzer/

Radamsa Fuzzer : https://github.com/anestisb/radamsa-android

Honggfuzz : https://github.com/google/honggfuzz

An Android port of the melkor ELF Fuzzer : https://github.com/anestisb/melkor-android

Media Fuzzing framework for Android : https://github.com/fuzzing/MFFA

Androfuzz : https://github.com/jonmetz/AndroFuzz

Misc Tools :

smalihook : http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html

AXMLPrinter2 : https://code.google.com/archive/p/android4me/downloads

adb autocomplete : https://github.com/mbrubeck/android-completion

Dalvik opcodes : http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

mitmproxy : https://github.com/mitmproxy/mitmproxy

Android Vulnerability Test Suite : https://github.com/AndroidVTS/android-vts

AppMon : https://github.com/dpnishant/appmon

Internal Blue : https://github.com/seemoo-lab/internalblue

Labs for practice :

ExploitMe Android Labs : http://securitycompass.github.io/AndroidLabs/setup.html

GoatDroid : https://github.com/nvisium-jack-mannino/OWASP-GoatDroid-Project

Android InsecureBank : https://github.com/dineshshetty/Android-InsecureBankv2

Crawlers/apk downloaders :

Google play crawler (Java) : https://github.com/Akdeniz/google-play-crawler

Google play crawler (Python) : https://github.com/egirault/googleplay-api

Google play crawler (Node) : https://github.com/dweinstein/node-google-play

Aptoide downloader (Node) : https://github.com/dweinstein/node-aptoide

Appland downloader (Node) : https://github.com/dweinstein/node-appland

Apkpure : https://apkpure.com/

Reports and Resources :

Hardcoded Credentials : https://hackerone.com/reports/351555

Insecure Deeplinks : https://hackerone.com/reports/401793

SQL Injection : https://hackerone.com/reports/291764

Session Theft : https://hackerone.com/reports/328486

Insecure data storage : https://hackerone.com/reports/44727

Two-factor Authentication bypass : https://hackerone.com/reports/202425

Intent Spoofing : https://hackerone.com/reports/97295

JavaScript Injection : https://hackerone.com/reports/54631

Learning resources :

Books

OWASP Mobile Security Testing Guide (OWASP MSTG)

Android Hacker’s Handbook

Blogs and Articles

https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

https://developer.android.com/topic/security/best-practices

https://enciphers.github.io/Mobexler/Awesome_tools/

https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet

https://github.com/B3nac/Android-Reports-and-Resources

https://hacken.io/research/education/mobile-application-penetration-testing-methodology/

Other Android Security Resource Compilations:

Smartphone App Security

Secure Coding for Android Applications  

Android Application collusion demystified

MobileApp pentest cheat sheet

Awesome-mobile-CTF

Secure Mobile Development

Twitter handles to follow :

@mobilesecurity_

@0ctac0der

@enciphers_

@OWASP_MSTG

@mobilesecurity

@NowSecureMobile

@ZIMPERIUM

Did we miss something cool? Drop it in the comments below, and we will add it to the blog post.

Check out other posts related to Android security: https://enciphers.com/xposed-framework-plugins-for-android-pentesting/