Awesome Android Security - A Curated List Of Android Security Materials And Resources For Pentesters And Bug Hunters
A curated list of Android Security materials and resources For Pentesters and Bug Hunters.
- AAPG - Android application penetration testing guide
- TikTok: three persistent arbitrary code executions and one theft of arbitrary files
- Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913
- Android: Access to app protected components
- Android: arbitrary code execution via third-party package contexts
- Android Pentesting Labs - Step by Step guide for beginners
- An Android Hacking Primer
- An Android Security tips
- OWASP Mobile Security Testing Guide
- Security Testing for Android Cross Platform Application
- Dive deep into Android Application Security
- Pentesting Android Apps Using Frida
- Mobile Security Testing Guide
- Android Applications Reversing 101
- Android Security Guidelines
- Android WebView Vulnerabilities
- OWASP Mobile Top 10
- Practical Android Phone Forensics
- Mobile Pentesting With Frida
- Zero to Hero - Mobile Application Testing - Android Platform
How To's
- How To Configuring Burp Suite With Android Nougat
- How To Bypassing Xamarin Certificate Pinning
- How To Bypassing Android Anti-Emulation
- How To Secure an Android Device
- Android Root Detection Bypass Using Objection and Frida Scripts
- Root Detection Bypass By Manual Code Manipulation.
- Magisk Systemless Root - Detection and Remediation
- How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8
Paper
- AndrODet: An adaptive Android obfuscation detector
- GEOST BOTNET - the discovery story of a new Android banking trojan
Books
- SEI CERT Android Secure Coding Standard
- Android Security Internals
- Android Cookbook
- Android Hacker's Handbook
- Android Security Cookbook
- The Mobile Application Hacker's Handbook
- Android Malware and Analysis
- Android Security: Attacks and Defenses
- Learning Penetration Testing For Android Devices
Course
- Learning-Android-Security
- Mobile Application Security and Penetration Testing
- Advanced Android Development
- Learn the art of mobile app development
- Learning Android Malware Analysis
- Android App Reverse Engineering 101
- MASPT V2
- Android Pentration Testing(Persian)
Tools
Static Analysis
-
quark-engine - An Obfuscation-Neglect Android Malware Scoring System
-
Droid Hunter – Android application vulnerability analysis and Android pentest tool
-
Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
-
Infer – A Static Analysis tool for Java, C, C++ and Objective-C
-
Android Check – Static Code analysis plugin for Android Project
-
FindBugs-IDEA Static byte code analysis to look for bugs in Java code
-
Trueseeing – fast, accurate and resillient vulnerabilities scanner for Android apps
-
StaCoAn – crossplatform tool which aids developers, bugbounty hunters and ethical hackers
Dynamic Analysis
- Mobile-Security-Framework MobSF
- Magisk v20.2 - Root & Universal Systemless Interface
- Runtime Mobile Security (RMS) - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
- Droid-FF - Android File Fuzzing Framework
- Drozer
- Inspeckage
- PATDroid - Collection of tools and data structures for analyzing Android applications
- Radare2 - Unix-like reverse engineering framework and commandline tools
- Cutter - Free and Open Source RE Platform powered by radare2
- ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
Online APK Analyzers
- Oversecured
- Android Observatory APK Scan
- AndroTotal
- VirusTotal
- Scan Your APK
- AVC Undroid
- OPSWAT
- ImmuniWeb Mobile App Scanner
- Ostor Lab
- Quixxi
- TraceDroid
- Visual Threat
- App Critique
- Jotti's malware scan
- kaspersky scanner
Online APK Decompiler
- Android APK Decompiler
- Java Decompiler APk
- APK DECOMPILER APP
- DeAPK is an open-source, online APK decompiler
- apk and dex decompilation back to Java source code
- APK Decompiler Tools
Labs
- OVAA (Oversecured Vulnerable Android App)
- DIVA (Damn insecure and vulnerable App)
- OWASP Security Shepherd
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- OWASP-mstg(UnCrackable Mobile Apps)
- VulnerableAndroidAppOracle
- Android InsecureBankv2
- Purposefully Insecure and Vulnerable Android Application (PIIVA)
- Sieve app(An android application which exploits through android components)
- DodoVulnerableBank(Insecure Vulnerable Android Application that helps to learn hacing and securing apps)
- Digitalbank(Android Digital Bank Vulnerable Mobile App)
- AppKnox Vulnerable Application
- Vulnerable Android Application
- Android Security Labs
- Android-security Sandbox
- VulnDroid(CTF Style Vulnerable Android App)
- FridaLab
- Santoku Linux - Mobile Security VM
- AndroL4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Talks
- One Step Ahead of Cheaters -- Instrumenting Android Emulators
- Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
- Rock appround the clock: Tracking malware developers by Android
- Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre
- Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
- Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
- Hide Android Applications in Images
- Scary Code in the Heart of Android
- Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
- Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
- Android FakeID Vulnerability Walkthrough
- Unleashing D* on Android Kernel Drivers
- The Smarts Behind Hacking Dumb Devices
- Overview of common Android app vulnerabilities
- Android security architecture
- Get the Ultimate Privilege of Android Phone
Misc
- Android Malware Adventures
- Android-Reports-and-Resources
- Hands On Mobile API Security
- Android Penetration Testing Courses
- Lesser-known Tools for Android Application PenTesting
- android-device-check - a set of scripts to check Android device security configuration
- apk-mitm - a CLI application that prepares Android APK files for HTTPS inspection
- Andriller - is software utility with a collection of forensic tools for smartphones
- Dexofuzzy: Android malware similarity clustering method using opcode sequence-Paper
- Chasing the Joker
- Side Channel Attacks in 4G and 5G Cellular Networks-Slides
- Shodan.io-mobile-app for Android
- Popular Android Malware 2018
- Popular Android Malware 2019
- Popular Android Malware 2020
Bug Bounty & Writeup
Cheat Sheet
- Mobile Application Penetration Testing Cheat Sheet
- ADB (Android Debug Bridge) Cheat Sheet
- Frida Cheatsheet and Code Snippets for Android