A collection of android security related resources.
ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS
EXPLOITS / VULNERABILITIES / BUGS
Mobile Malware Sandbox
Appknox – not free
IBM Security AppScan Mobile Analyzer – not free
FireEye – max 60MB, 15 submissions/day
Fraunhofer App-ray – not free
AppCritique – Upload your Android APKs and receive comprehensive free security assessments.
Mobile app insight
Static Analysis Tools
Androwarn – detects and warns the user about potentially malicious behaviours developed by an Android application.
Droid Intent Data Flow Analysis for Information Leakage
Several tools from PSU
Smali CFG generator
Android Decompiler – not free
PSCout – A tool that extracts the permission specification from the Android OS source code using static analysis
SmaliSCA – Smali Static Code Analysis
CFGScanDroid – Scans and compares CFG against CFG of malicious applications
Madrolyzer – extracts actionable data like C&C, phone number etc.
SPARTA – verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid – performs a combination of symbolic and concrete execution of the app
App Vulnerability Scanners
QARK – QARK by LinkedIn is for app developers to scan app for security issues
Devknox – Autocorrect security issues as if it was spell check from your IDE
JAADAS – Joint intraprocedure and interprocedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala
Dynamic Analysis Tools
Android DBI framework
Androl4b – a virtual machine for assessing Android applications, reverse engineering and malware analysis
Android Malware Analysis Toolkit – (Linux distro) earlier it used to be an online analyzer
Mobile-Security-Framework MobSF – Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
AppUse – custom build for pentesting
Cobradroid – custom image for malware analysis
ViaLab Community Edition
Xposed – equivalent of doing Stub based code injection but without any modifications to the binary
Inspeckage – Android Package Inspector – dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Android Hooker – Dynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid – Dynamic Java code instrumentation
Android Tamer – Virtual / Live Platform for Android Security Professionals
DECAF – Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid – Android extension for Cuckoo sandbox
Mem – Memory analysis of Android (root required)
Crowdroid – unable to find the actual tool
AuditdAndroid – Android port of auditd, not under active development anymore
Android Security Evaluation Framework – not under active development anymore
Android Reverse Engineering – ARE (Android Reverse Engineering), not under active development anymore
Aurasium – Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Android Linux Kernel modules
Appie – Appie is a software package that has been pre-configured to function as an Android pentesting environment. It is completely portable and can be carried on a USB stick or smartphone. This is a one-stop answer for all the tools needed in Android application security assessment and an awesome alternative to existing virtual machines.
StaDynA – a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
DroidAnalytics – incomplete
Vezir Project – Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA – Mobile Application Reverse engineering and Analysis Framework
NowSecure Lab Automated – Enterprise tool for mobile app security testing both Android and iOS mobile apps. Lab Automated features dynamic and static analysis on real devices in the cloud to return results in minutes.
Taintdroid – requires AOSP compilation
Smali/Baksmali – apk decompilation
emacs syntax coloring for smali files
vim syntax coloring for smali files
Androguard – powerful, integrates well with other tools
Apktool – really useful for compilation/decompilation (uses smali)
Android Framework for Exploitation
Bypass signature and permission checks for IPCs
Android OpenDebug – make any application on the device debuggable (using Cydia Substrate).
Dare – .dex to .class converter
Dex2Jar – dex to jar converter
Enjarify – dex to jar converter from Google
Indroid – thread injection kit
Jad – Java decompiler
JD-GUI – Java decompiler
CFR – Java decompiler
Krakatau – Java decompiler
Procyon – Java decompiler
FernFlower – Java decompiler
Redexer – apk manipulation
Simplify Android deobfuscator
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
App Repackaging Detectors
FSquaDRA – a tool for detection of repackaged Android applications based on app resources hash comparison.
Google play crawler (Java)
Google play crawler (Python)
Google play crawler (Node) – get app details and download apps from official Google Play Store.
Aptoide downloader (Node) – download apps from Aptoide third-party Android market
Appland downloader (Node) – download apps from Appland third-party Android market
AXMLPrinter2 – to convert binary XML files to human-readable XML files
Opcodes table for quick reference
ExploitMe Android Labs – for practice
GoatDroid – for practice
Android Vulnerability Test Suite – android-vts scans a device for a set of vulnerabilities
ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS
Android security related presentations
A good collection of static analysis papers
SEI CERT Android Secure Coding Standard
OWASP Mobile Security Testing Guide Manual
Android Reverse Engineering 101 by Daniele Altomare
EXPLOITS / VULNERABILITIES / BUGS
Android Security Bulletins
Android’s reported security vulnerabilities
Android Devices Security Patch Status
AOSP – Issue tracker
OWASP Mobile Top 10 2016
Exploit Database – click search
Vulnerability Google Doc
Google Android Security Team’s Classifications for Potentially Harmful Applications (Malware)
androguard – Database Android Malwares wiki
Android Malware Github repo
Android Malware Genome Project – contains 1260 malware samples categorized into 49 different malware families, free for research purposes.
Contagio Mobile Malware Mini Dump
VirusTotal Malware Intelligence Service – powered by VirusTotal, not free
Android Security Reward Program
How to report
Android – reporting security issues
Other Awesome Lists
Other amazingly awesome lists can be found in the awesome-awesomeness list.
Your contributions are always welcome!
Support us with a monthly donation and help us continue our activities. [Become a backer]
Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]