@tanprathan recently shared a Mobile Application Security toolkit list (Cheat Sheet) on GitHub that covers a comprehensive set of tools. Security Toolkit has translated the Android segment for everyone’s interest and future reference.
Testing Tools
- Appie(https://manifestsecurity.com/appie) – A lightweight package for conducting Android-based penetration tests, useful when not using a VM.
- Android Tamer(https://androidtamer.com/) – A real-time monitoring virtual environment for comprehensive security testing, malware analysis, penetration tests, and reverse engineering.
- AppUse(https://appsec-labs.com/AppUse/) – An Android virtual environment developed by AppSec Labs.
- Mobisec(http://sourceforge.net/projects/mobisec/) – A mobile security testing environment also supporting real-time monitoring.
- Santoku(https://santoku-linux.com/) – A small Linux-based operating system offering a complete mobile device forensic environment, integrating numerous Android debugging, forensics, penetration testing, and network analysis tools.
Reverse Engineering and Static Analysis
- APKInspector(https://github.com/honeynet/apkinspector/) – Android application analysis tool with a GUI.
- APKTool(http://ibotpeaches.github.io/Apktool/) – A tool for decompiling APKs, converting its code into smali or Java, and repackaging the decompiled code.
- Dex2jar(https://github.com/pxb1988/dex2jar) – Converts .dex files into .class files, or APK files into jar files.
- Oat2dex(https://github.com/testwhat/SmaliEx) – As the name suggests, Oat2dex is similar to the previous tool and converts .oat files into .dex files.
- JD-Gui(http://jd.benow.ca/) – A tool for decompiling and analyzing .class and .jar files.
- FindBugs(http://findbugs.sourceforge.net/) + FindSecurityBugs(http://findbugs.sourceforge.net/) – FindSecurityBugs is an extension of FindBugs that loads various detection strategies to perform security checks for different vulnerabilities on specific applications.
- YSO-Mobile Security Framework(http://findbugs.sourceforge.net/) – Mobile Security Framework is a smart, integrated, open-source framework for automatic penetration testing of mobile applications (Android/iOS) offering static and dynamic analysis. Start it with: python manage.py runserver 127.0.0.1:1337
- Qark(https://github.com/linkedin/qark) – An open-source static analysis tool released by LinkedIn used for analyzing potential security flaws in Android applications developed in Java.
- AndroBugs(https://github.com/AndroBugs/AndroBugs_Framework) – A free Android vulnerability analysis system helping developers or penetration testers find potential security issues. AndroBugs framework has discovered vulnerabilities in Android apps or SDKs from companies like Facebook, Twitter, Yahoo, Google Android, Huawei, Evernote, Alibaba, AT&T, and Sina.
- Simplify(https://github.com/CalebFenton/simplify) – Simplify helps de-obfuscate Android code and restore it to classes.dex files. After obtaining the .dex file, it can be further restored with tools like Dex2jar or JD-GUI.
- ClassNameDeobfuscator(https://github.com/HamiltonianCycle/ClassNameDeobfuscator) – Used for parsing smali files through simple scripts.
Dynamic Debugging and Real-Time Analysis
- Introspy-Android(https://github.com/iSECPartners/Introspy-Android) – A black-box testing tool that tracks and analyzes mobile applications, discovering security issues. It supports hooks for many crypto libraries, as well as custom hooks.
- Cydia Substrate(http://www.cydiasubstrate.com/) – A code modification platform allowing modifications to any main process code, whether written in Java or C/C++ (native code); a powerful and practical hooking tool.
- Xposed Framework(http://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053) – A framework service that can affect program operation (modify system) without modifying the APK. It allows the creation of powerful modules operated simultaneously without functional conflicts.
- CatLog(https://github.com/nolanlawson/Catlog) – Android log viewing tool with a graphical interface.
- Droidbox(https://github.com/nolanlawson/Catlog) – A dynamic analysis tool for Android code analysis.
- Frida(http://www.frida.re/) – A powerful hook and debug framework based on Python and JavaScript, cross-platform across Android/iOS/Linux/Win/OSX, and more convenient than Xposed and Cydia Substrate.
- Drozer(https://www.mwrinfosecurity.com/products/drozer/) – A robust app inspection tool for detecting app vulnerabilities and debugging.
Network State Analysis and Server-side Testing
- Tcpdump(http://www.androidtcpdump.com/) – A command-line packet capture utility.
- Wireshark(https://www.wireshark.org/download.html) – Formerly Ethereal, a packet analysis software that captures and displays detailed packet data.
- Canape(http://www.contextis.com/services/research/canape/) – A tool for testing any network protocol.
- Mallory(https://intrepidusgroup.com/insight/mallory/) – A Man-In-The-Middle (MiTM) attack tool that monitors and manipulates network traffic data of mobile devices and applications.
- Burp Suite(https://portswigger.net/burp/download.html) – An integrated platform for attacking web applications, containing numerous tools and interfaces for enhancing application penetration processes. All tools share a framework capable of handling and displaying HTTP messages, persistence, authentication, proxy, logs, and alerts in a powerful extendable environment.
- Proxydroid(https://play.google.com/store/apps/details?id=org.proxydroid) – Android ProxyDroid assists in setting up a global proxy (HTTP / SOCKS4 / SOCKS5) on Android devices.
Bypassing Root Detection and SSL Certificate Pinning
- Android SSL Trust Killer(https://github.com/iSECPartners/Android-SSL-TrustKiller) – A black-box tool for bypassing SSL encrypted communication defenses, supporting most mobile applications.
- Android-ssl-bypass(https://github.com/iSECPartners/android-ssl-bypass) – An interactive command-line Android debugging tool for bypassing SSL encrypted communication even with certificate pinning.
- RootCloak Plus(https://github.com/devadvance/rootcloakplus) – A tool for hiding the system’s root permissions information from specific apps.
Other Security-Related Libraries
- PublicKey Pinning(https://www.owasp.org/images/1/1f/Pubkey-pin-android.zip) – Public key pinning.
- Android Pinning(https://github.com/moxie0/AndroidPinning) – A standalone library project for implementing certificate pinning on Android.
- Java AES Crypto(https://github.com/tozny/java-aes-crypto) – An Android class for encrypting/decrypting strings, designed to prevent inappropriate encryption usage risks.
- Proguard(http://proguard.sourceforge.net/) – ProGuard is a free tool for compressing, optimizing, and obfuscating Java bytecode files. It removes unused classes, fields, methods, and attributes to minimize bytecode file size, and renames the remaining classes, fields, methods, and attributes using short meaningless names. Obfuscating the final Android project this way raises the difficulty of decompilation.
- SQL Cipher(https://www.zetetic.net/sqlcipher/sqlcipher-for-android/) – SQLCipher is an open-source SQLite extension providing 256-bit AES encryption for database file security.
- Secure Preferences(https://github.com/scottyab/secure-preferences) – Encrypts Shared Preferences on Android to prevent data theft in insufficiently protected scenarios.
- Trusted Intents(https://github.com/guardianproject/TrustedIntents) – Library for flexible, trusted interactions between Android apps.