A collection of android security related resources
July 28, 2017 at 11:53PM
via GitHub http://ift.tt/2uKuTxx
via Blogger http://ift.tt/2v5oX4V
A collection of android security related resources.
ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS
EXPLOITS / VULNERABILITIES / BUGS
Mobile Malware Sandbox
Appknox – not free
IBM Security AppScan Mobile Analyzer – not free
Fireeye- max 60MB 15/day
Fraunhofer App-ray – not free
AppCritique – Upload your Android APKs and receive comprehensive free security assessments.
Mobile app insight
Static Analysis Tools
Androwarn – detect and warn the user about potential malicious behaviours developped by an Android application.
Droid Intent Data Flow Analysis for Information Leakage
Several tools from PSU
Smali CFG generator
Android Decompiler – not free
PSCout – A tool that extracts the permission specification from the Android OS source code using static analysis
SmaliSCA – Smali Static Code Analysis
CFGScanDroid – Scans and compares CFG against CFG of malicious applications
Madrolyzer – extracts actionable data like C&C, phone number etc.
SPARTA – verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid – Performs a combination of symoblic + concrete execution of the app
App Vulnerability Scanners
QARK – QARK by LinkedIn is for app developers to scan app for security issues
Devknox – Autocorrect security issues as if it was spell check from your IDE
JAADAS – Joint intraprocedure and interprocedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala
Dynamic Analysis Tools
Android DBI frameowork
Androl4b- A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit – (linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSF – Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
AppUse – custom build for pentesting
Cobradroid – custom image for malware analysis
ViaLab Community Edition
Xposed – equivalent of doing Stub based code injection but without any modifications to the binary
Inspeckage – Android Package Inspector – dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Android Hooker – Dynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid – Dynamic Java code instrumentation
Android Tamer – Virtual / Live Platform for Android Security Professionals
DECAF – Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid – Android extension for Cuckoo sandbox
Mem – Memory analysis of Android (root required)
Crowdroid – unable to find the actual tool
AuditdAndroid – android port of auditd, not under active development anymore
Android Security Evaluation Framework – not under active development anymore
Android Reverse Engineering – ARE (android reverse engineering) not under active development anymore
Aurasium – Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Android Linux Kernel modules
Appie – Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
StaDynA – a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
DroidAnalytics – incomplete
Vezir Project – Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA – Mobile Application Reverse engineering and Analysis Framework
NowSecure Lab Automated – Enterprise tool for mobile app security testing both Android and iOS mobile apps. Lab Automated features dynamic and static analysis on real devices in the cloud to return results in minutes.
Taintdroid – requires AOSP compilation
Smali/Baksmali – apk decompilation
emacs syntax coloring for smali files
vim syntax coloring for smali files
Androguard – powerful, integrates well with other tools
Apktool – really useful for compilation/decompilation (uses smali)
Android Framework for Exploitation
Bypass signature and permission checks for IPCs
Android OpenDebug – make any application on device debuggable (using cydia substrate).
Dare – .dex to .class converter
Dex2Jar – dex to jar converter
Enjarify – dex to jar converter from Google
Indroid – thread injection kit
Jad – Java decompiler
JD-GUI – Java decompiler
CFR – Java decompiler
Krakatau – Java decompiler
Procyon – Java decompiler
FernFlower – Java decompiler
Redexer – apk manipulation
Simplify Android deobfuscator
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
App Repackaging Detectors
FSquaDRA – a tool for detection of repackaged Android applications based on app resources hash comparison.
Google play crawler (Java)
Google play crawler (Python)
Google play crawler (Node) – get app details and download apps from official Google Play Store.
Aptoide downloader (Node) – download apps from Aptoide third-party Android market
Appland downloader (Node) – download apps from Appland third-party Android market
AXMLPrinter2 – to convert binary XML files to human-readable XML files
Opcodes table for quick reference
ExploitMe Android Labs – for practice
GoatDroid – for practice
Android Vulnerability Test Suite – android-vts scans a device for set of vulnerabilities
ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS
Android security related presentations
A good collection of static analysis papers
SEI CERT Android Secure Coding Standard
OWASP Mobile Security Testing Guide Manual
Android Reverse Engineering 101 by Daniele Altomare
EXPLOITS / VULNERABILITIES / BUGS
Android Security Bulletins
Android’s reported security vulnerabilities
Android Devices Security Patch Status
AOSP – Issue tracker
OWASP Mobile Top 10 2016
Exploit Database – click search
Vulnerability Google Doc
Google Android Security Team’s Classifications for Potentially Harmful Applications (Malware)
androguard – Database Android Malwares wiki
Android Malware Github repo
Android Malware Genome Project – contains 1260 malware samples categorized into 49 different malware families, free for research purpose.
Contagio Mobile Malware Mini Dump
VirusTotal Malware Intelligence Service – powered by VirusTotal, not free
Android Security Reward Program
How to report
Android – reporting security issues
Other Awesome Lists
Other amazingly awesome lists can be found in the awesome-awesomeness list.
Your contributions are always welcome!
Support us with a monthly donation and help us continue our activities. [Become a backer]
Become a sponsor and get your logo on our README on Github with a link to your site. [Become a sponsor]
via Blogger http://ift.tt/2uKq4Ee
Smart Contracts for Dummies
If you still don’t get what the heck a Smart Contract is…
Ok, you know a bit about Bitcoin (see: Explain Bitcoin Like I’m Five). You’ve been seeing the blockchain on the news.
But what’s this new Ethereum thing? Apparently it’s this new crypto-currency you can use to build “smart contracts”. Sounds impressive. So, uh… what are they again? (Spoiler: They’re not that smart. And they’re not really contracts!)
Instead of a one line definition, let’s try to get an intuition. First, we’ll revisit the blockchain and the word “trust”. Then, we’ll talk about the word “contract”. Understanding both words is the secret.
Part I: What we mean by “Trust(less)”
Most of the time, when we think Bitcoin (or Ethereum), we have a mental image of, well…coins.
Aren’t these crypto-currencies after all? Isn’t that the whole point? In our minds we see objects — digital gold, or silver (or tulips for the skeptics). Things we pass around.
Because these images are easy to understand, we forget a bit about that thing that’s underneath it all. So, I say we start thinking about this in a different way.
Ugh, really? Digital rocks?
Actually, rocks are pretty useful.
We have this idiom in the english language that goes something like this: “set it in stone.”
“I’ve reviewed the contract Bob. Looks good. Let’s set this in stone!”
“Don’t get too excited Alice, nothing’s in stone yet.”
“This is God. I’ve written my 10 commandments on these two stone tablets. You know. Just in case ya’ll start getting any funny ideas.”
This metaphor continues to have meaning in a modern world because in the physical (ancient) world, stone had some interesting properties:
When you carve something on stone there is a physical finality and permanence to it. You can’t make changes just like that.
If you try to “erase” something later on, it’ll be obvious. Any changes you make to it are quite transparent and tamper proof (provable).
These rules apply equally to all. Stone is neutral. It obeys the laws of physics, not men. It doesn’t care if you’re a powerful king or a peasant — it behaves exactly the same for everyone.
Because of all these properties, we have a pretty high level of trust in stone.
I mean — there’s a reason why we never say “let’s set this agreement in sand.” Stone is the kind of thing I can point to in the future for evidence. Stone equals solid proof — not just any material will do!
The Economist agrees!
When it comes down to it, a blockchain is really just the above: a kind of material that, through a special mix of cryptography and decentralization, has the properties of permanence, transparency, and neutrality — whatever you put on it.
Whether it’s a list of how many apples you sent to Joe. Or the words “I love Jenny.” It doesn’t matter. When you put it on a blockchain — it’s on.
Setting something on a blockchain is like setting something in stone. It makes trust easier.
Except now we can do it digitally. And that’s pretty special.
Thinking about a blockchain as a piece of stone you can write things on (instead of a piece of currency) also helps us understand its broad potential. Which leads us to…contracts!
via Blogger http://ift.tt/2uKlBl5