2017, July 29

#July 28, 2017 at 11:55PM



A collection of android security related resources.


Online Analyzers

Visual Threat
Mobile Malware Sandbox
MobiSec Eacus
Appknox โ€“ not free
IBM Security AppScan Mobile Analyzer โ€“ not free
AVC UnDroid
Fireeye- max 60MB 15/day
habo 10/day
Virustotal-max 128MB
Fraunhofer App-ray โ€“ not free
AppCritique โ€“ Upload your Android APKs and receive comprehensive free security assessments.
Mobile app insight
Android Sandbox
Static Analysis Tools

Androwarn โ€“ detect and warn the user about potential malicious behaviours developped by an Android application.
Droid Intent Data Flow Analysis for Information Leakage
Several tools from PSU
Smali CFG generator
Android Decompiler โ€“ not free
PSCout โ€“ A tool that extracts the permission specification from the Android OS source code using static analysis
SmaliSCA โ€“ Smali Static Code Analysis
CFGScanDroid โ€“ Scans and compares CFG against CFG of malicious applications
Madrolyzer โ€“ extracts actionable data like C&C, phone number etc.
SPARTA โ€“ verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid โ€“ Performs a combination of symoblic + concrete execution of the app
App Vulnerability Scanners

QARK โ€“ QARK by LinkedIn is for app developers to scan app for security issues
Devknox โ€“ Autocorrect security issues as if it was spell check from your IDE
JAADAS โ€“ Joint intraprocedure and interprocedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala
Dynamic Analysis Tools

Android DBI frameowork
Androl4b- A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit โ€“ (linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSF โ€“ Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
AppUse โ€“ custom build for pentesting
Cobradroid โ€“ custom image for malware analysis
ViaLab Community Edition
Xposed โ€“ equivalent of doing Stub based code injection but without any modifications to the binary
Inspeckage โ€“ Android Package Inspector โ€“ dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Android Hooker โ€“ Dynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid โ€“ Dynamic Java code instrumentation
Android Tamer โ€“ Virtual / Live Platform for Android Security Professionals
DECAF โ€“ Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid โ€“ Android extension for Cuckoo sandbox
Mem โ€“ Memory analysis of Android (root required)
Crowdroid โ€“ unable to find the actual tool
AuditdAndroid โ€“ android port of auditd, not under active development anymore
Android Security Evaluation Framework โ€“ not under active development anymore
Android Reverse Engineering โ€“ ARE (android reverse engineering) not under active development anymore
Aurasium โ€“ Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Android Linux Kernel modules
Appie โ€“ Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
StaDynA โ€“ a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
DroidAnalytics โ€“ incomplete
Vezir Project โ€“ Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA โ€“ Mobile Application Reverse engineering and Analysis Framework
NowSecure Lab Automated โ€“ Enterprise tool for mobile app security testing both Android and iOS mobile apps. Lab Automated features dynamic and static analysis on real devices in the cloud to return results in minutes.
Taintdroid โ€“ requires AOSP compilation
Reverse Engineering

Smali/Baksmali โ€“ apk decompilation
emacs syntax coloring for smali files
vim syntax coloring for smali files
Androguard โ€“ powerful, integrates well with other tools
Apktool โ€“ really useful for compilation/decompilation (uses smali)
Android Framework for Exploitation
Bypass signature and permission checks for IPCs
Android OpenDebug โ€“ make any application on device debuggable (using cydia substrate).
Dare โ€“ .dex to .class converter
Dex2Jar โ€“ dex to jar converter
Enjarify โ€“ dex to jar converter from Google
Frida โ€“ inject javascript to explore applications and a GUI tool for it
Indroid โ€“ thread injection kit
Jad โ€“ Java decompiler
JD-GUI โ€“ Java decompiler
CFR โ€“ Java decompiler
Krakatau โ€“ Java decompiler
Procyon โ€“ Java decompiler
FernFlower โ€“ Java decompiler
Redexer โ€“ apk manipulation
Smali viewer
ZjDroid, fork/mirror
Simplify Android deobfuscator
Bytecode viewer
Fuzz Testing

Radamsa Fuzzer
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
App Repackaging Detectors

FSquaDRA โ€“ a tool for detection of repackaged Android applications based on app resources hash comparison.
Market Crawlers

Google play crawler (Java)
Google play crawler (Python)
Google play crawler (Node) โ€“ get app details and download apps from official Google Play Store.
Aptoide downloader (Node) โ€“ download apps from Aptoide third-party Android market
Appland downloader (Node) โ€“ download apps from Appland third-party Android market
Misc Tools

AXMLPrinter2 โ€“ to convert binary XML files to human-readable XML files
adb autocomplete
Dalvik opcodes
Opcodes table for quick reference
ExploitMe Android Labs โ€“ for practice
GoatDroid โ€“ for practice
Android Vulnerability Test Suite โ€“ android-vts scans a device for set of vulnerabilities

Research Papers

Exploit Database
Android security related presentations
A good collection of static analysis papers

SEI CERT Android Secure Coding Standard

OWASP Mobile Security Testing Guide Manual
Android Reverse Engineering 101 by Daniele Altomare


Android Security Bulletins
Androidโ€™s reported security vulnerabilities
Android Devices Security Patch Status
AOSP โ€“ Issue tracker
OWASP Mobile Top 10 2016
Exploit Database โ€“ click search
Vulnerability Google Doc
Google Android Security Teamโ€™s Classifications for Potentially Harmful Applications (Malware)

androguard โ€“ Database Android Malwares wiki
Android Malware Github repo
Android Malware Genome Project โ€“ contains 1260 malware samples categorized into 49 different malware families, free for research purpose.
Contagio Mobile Malware Mini Dump
VirusTotal Malware Intelligence Service โ€“ powered by VirusTotal, not free
Bounty Programs

Android Security Reward Program
How to report

Android โ€“ reporting security issues
Other Awesome Lists

Other amazingly awesome lists can be found in the awesome-awesomeness list.


Your contributions are always welcome!


Support us with a monthly donation and help us continue our activities. [Become a backer]


Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]

via http://ift.tt/2tKA7YM

from WordPress http://ift.tt/2v7JAwA

via Blogger http://ift.tt/2uKq4Ee

2017, July 29

#SM SEASON (FT-Sir General & Fedy) *PLUS SNIPPET* by Dee Davis 8 on #SoundCloud


Smart Contracts for Dummies
If you still donโ€™t get what the heck a Smart Contract isโ€ฆ

Ok, you know a bit about Bitcoin (see: Explain Bitcoin Like Iโ€™m Five). Youโ€™ve been seeing the blockchain on the news.
But whatโ€™s this new Ethereum thing? Apparently itโ€™s this new crypto-currency you can use to build โ€œsmart contractsโ€. Sounds impressive. So, uhโ€ฆ what are they again? (Spoiler: Theyโ€™re not that smart. And theyโ€™re not really contracts!)
Instead of a one line definition, letโ€™s try to get an intuition. First, weโ€™ll revisit the blockchain and the word โ€œtrustโ€. Then, weโ€™ll talk about the word โ€œcontractโ€. Understanding both words is the secret.
Part I: What we mean by โ€œTrust(less)โ€
Most of the time, when we think Bitcoin (or Ethereum), we have a mental image of, wellโ€ฆcoins.
Arenโ€™t these crypto-currencies after all? Isnโ€™t that the whole point? In our minds we see objectsโ€Šโ€”โ€Šdigital gold, or silver (or tulips for the skeptics). Things we pass around.
Because these images are easy to understand, we forget a bit about that thing thatโ€™s underneath it all. So, I say we start thinking about this in a different way.
Digital Stone

Ugh, really? Digital rocks?
Actually, rocks are pretty useful.
We have this idiom in the english language that goes something like this: โ€œset it in stone.โ€
โ€œIโ€™ve reviewed the contract Bob. Looks good. Letโ€™s set this in stone!โ€
โ€œDonโ€™t get too excited Alice, nothingโ€™s in stone yet.โ€
โ€œThis is God. Iโ€™ve written my 10 commandments on these two stone tablets. You know. Just in case yaโ€™ll start getting any funny ideas.โ€
This metaphor continues to have meaning in a modern world because in the physical (ancient) world, stone had some interesting properties:
When you carve something on stone there is a physical finality and permanence to it. You canโ€™t make changes just like that.
If you try to โ€œeraseโ€ something later on, itโ€™ll be obvious. Any changes you make to it are quite transparent and tamper proof (provable).
These rules apply equally to all. Stone is neutral. It obeys the laws of physics, not men. It doesnโ€™t care if youโ€™re a powerful king or a peasantโ€Šโ€”โ€Šit behaves exactly the same for everyone.
Because of all these properties, we have a pretty high level of trust in stone.
I meanโ€Šโ€”โ€Šthereโ€™s a reason why we never say โ€œletโ€™s set this agreement in sand.โ€ Stone is the kind of thing I can point to in the future for evidence. Stone equals solid proofโ€Šโ€”โ€Šnot just any material will do!

The Economist agrees!
When it comes down to it, a blockchain is really just the above: a kind of material that, through a special mix of cryptography and decentralization, has the properties of permanence, transparency, and neutralityโ€Šโ€”โ€Šwhatever you put on it.
Whether itโ€™s a list of how many apples you sent to Joe. Or the words โ€œI love Jenny.โ€ It doesnโ€™t matter. When you put it on a blockchainโ€Šโ€”โ€Šitโ€™s on.
Setting something on a blockchain is like setting something in stone. It makes trust easier.
Except now we can do it digitally. And thatโ€™s pretty special.
Thinking about a blockchain as a piece of stone you can write things on (instead of a piece of currency) also helps us understand its broad potential. Which leads us toโ€ฆcontracts!

from WordPress http://ift.tt/2v7M7ao

via Blogger http://ift.tt/2uKlBl5