Awesome Android Security – A Curated List Of Android Security Materials And Resources For Pentesters And Bug Hunters


A curated list of Android Security materials and resources For Pentesters and Bug Hunters.

Blog

  • AAPG – Android application penetration testing guide
  • TikTok: three persistent arbitrary code executions and one theft of arbitrary files
  • Persistent arbitrary code execution in Android’s Google Play Core Library: details, explanation and the PoC – CVE-2020-8913
  • Android: Access to app protected components
  • Android: arbitrary code execution via third-party package contexts
  • Android Pentesting Labs – Step by Step guide for beginners
  • An Android Hacking Primer
  • Android Security Tips
  • OWASP Mobile Security Testing Guide
  • Security Testing for Android Cross Platform Application
  • Dive deep into Android Application Security
  • Pentesting Android Apps Using Frida
  • Mobile Security Testing Guide
  • Android Applications Reversing 101
  • Android Security Guidelines
  • Android WebView Vulnerabilities
  • OWASP Mobile Top 10
  • Practical Android Phone Forensics
  • Mobile Pentesting With Frida
  • Zero to Hero – Mobile Application Testing – Android Platform

How To’s

  • How to Configure Burp Suite With Android Nougat
  • How to Bypass Xamarin Certificate Pinning
  • How to Bypass Android Anti-Emulation
  • How To Secure an Android Device
  • Android Root Detection Bypass Using Objection and Frida Scripts
  • Root Detection Bypass By Manual Code Manipulation
  • Magisk Systemless Root – Detection and Remediation
  • How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8

Paper

  • AndrODet: An adaptive Android obfuscation detector
  • GEOST BOTNET – the discovery story of a new Android banking trojan

Books

  • SEI CERT Android Secure Coding Standard
  • Android Security Internals
  • Android Cookbook
  • Android Hacker’s Handbook
  • Android Security Cookbook
  • The Mobile Application Hacker’s Handbook
  • Android Malware and Analysis
  • Android Security: Attacks and Defenses
  • Learning Penetration Testing For Android Devices

Course

  • Learning-Android-Security
  • Mobile Application Security and Penetration Testing
  • Advanced Android Development
  • Learn the art of mobile app development
  • Learning Android Malware Analysis
  • Android App Reverse Engineering 101
  • MASPT V2
  • Android Penetration Testing (Persian)

Tools

Static Analysis

  • Apktool – A tool for reverse engineering Android apk files

  • quark-engine – An Obfuscation-Neglect Android Malware Scoring System

  • DeGuard – Statistical Deobfuscation for Android

  • jadx – Dex to Java decompiler

  • Amandroid – A Static Analysis Framework

  • Androwarn – Yet Another Static Code Analyzer

  • Droid Hunter – Android application vulnerability analysis and Android pentest tool

  • Error Prone – Static Analysis Tool

  • Findbugs – Find Bugs in Java Programs

  • Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.

  • Flow Droid – Static Data Flow Tracker

  • Smali/Baksmali – Assembler/Disassembler for the dex format

  • Smali-CFGs – Smali Control Flow Graphs

  • SPARTA – Static Program Analysis for Reliable Trusted Apps

  • Gradle Static Analysis Plugin

  • Checkstyle – A tool for checking Java source code

  • PMD – An extensible multilanguage static code analyzer

  • Soot – A Java Optimization Framework

  • Android Quality Starter

  • QARK – Quick Android Review Kit

  • Infer – A Static Analysis tool for Java, C, C++ and Objective-C

  • Android Check – Static Code analysis plugin for Android Project

  • FindBugs-IDEA – Static byte code analysis to look for bugs in Java code

  • APK Leaks – Scanning APK file for URIs, endpoints & secrets

  • Trueseeing – fast, accurate and resilient vulnerability scanner for Android apps

  • StaCoAn – cross-platform tool which aids developers, bug bounty hunters and ethical hackers

Dynamic Analysis

  • Mobile-Security-Framework MobSF
  • Magisk v20.2 – Root & Universal Systemless Interface
  • Runtime Mobile Security (RMS) – a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
  • Droid-FF – Android File Fuzzing Framework
  • Drozer
  • Inspeckage
  • PATDroid – Collection of tools and data structures for analyzing Android applications
  • Radare2 – Unix-like reverse engineering framework and commandline tools
  • Cutter – Free and Open Source RE Platform powered by radare2
  • ByteCodeViewer – Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)

Online APK Analyzers

  • Oversecured
  • Android Observatory APK Scan
  • AndroTotal
  • VirusTotal
  • Scan Your APK
  • AVC Undroid
  • OPSWAT
  • ImmuniWeb Mobile App Scanner
  • Ostor Lab
  • Quixxi
  • TraceDroid
  • Visual Threat
  • App Critique
  • Jotti’s malware scan
  • Kaspersky scanner

Online APK Decompiler

  • Android APK Decompiler
  • Java Decompiler APK
  • APK DECOMPILER APP
  • DeAPK is an open-source, online APK decompiler
  • apk and dex decompilation back to Java source code
  • APK Decompiler Tools

Labs

  • OVAA (Oversecured Vulnerable Android App)
  • DIVA (Damn insecure and vulnerable App)
  • OWASP Security Shepherd
  • Damn Vulnerable Hybrid Mobile App (DVHMA)
  • OWASP-mstg (UnCrackable Mobile Apps)
  • VulnerableAndroidAppOracle
  • Android InsecureBankv2
  • Purposefully Insecure and Vulnerable Android Application (PIIVA)
  • Sieve app (An Android application which exploits through Android components)
  • DodoVulnerableBank (Insecure Vulnerable Android Application that helps to learn hacking and securing apps)
  • Digitalbank (Android Digital Bank Vulnerable Mobile App)
  • AppKnox Vulnerable Application
  • Vulnerable Android Application
  • Android Security Labs
  • Android-security Sandbox
  • VulnDroid (CTF Style Vulnerable Android App)
  • FridaLab
  • Santoku Linux – Mobile Security VM
  • AndroL4b – A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis

Talks

  • One Step Ahead of Cheaters — Instrumenting Android Emulators
  • Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
  • Rock appround the clock: Tracking malware developers by Android
  • Chaosdata – Ghost in the Droid: Possessing Android Applications with ParaSpectre
  • Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets
  • Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
  • Hide Android Applications in Images
  • Scary Code in the Heart of Android
  • Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
  • Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
  • Android FakeID Vulnerability Walkthrough
  • Unleashing D* on Android Kernel Drivers
  • The Smarts Behind Hacking Dumb Devices
  • Overview of common Android app vulnerabilities
  • Android security architecture
  • Get the Ultimate Privilege of Android Phone

Misc

  • Android Malware Adventures
  • Android-Reports-and-Resources
  • Hands On Mobile API Security
  • Android Penetration Testing Courses
  • Lesser-known Tools for Android Application PenTesting
  • android-device-check – a set of scripts to check Android device security configuration
  • apk-mitm – a CLI application that prepares Android APK files for HTTPS inspection
  • Andriller – a software utility with a collection of forensic tools for smartphones
  • Dexofuzzy: Android malware similarity clustering method using opcode sequence – Paper
  • Chasing the Joker
  • Side Channel Attacks in 4G and 5G Cellular Networks – Slides
  • Shodan.io-mobile-app for Android
  • Popular Android Malware 2018
  • Popular Android Malware 2019
  • Popular Android Malware 2020

Bug Bounty & Writeup

  • Hacker101 CTF: Android Challenge Writeups

  • Arbitrary code execution on Facebook for Android through download feature

  • RCE via Samsung Galaxy Store App

Cheat Sheet

  • Mobile Application Penetration Testing Cheat Sheet
  • ADB (Android Debug Bridge) Cheat Sheet
  • Frida Cheatsheet and Code Snippets for Android