2014-07-22 19:30:51 +00:00
android-security-awesome
========================
2014-07-22 19:53:10 +00:00
A collection of android security related resources.
A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of android apps.
## ONLINE ANALYZERS
1. [AndroTotal ](http://andrototal.org/ )
2. [Anubis ](http://anubis.iseclab.org/ )
3. [App 360 scan ](http://www.app360scan.com/ )
4. [CopperDroid ](http://copperdroid.isg.rhul.ac.uk/copperdroid/ )
5. [Comdroid ](http://www.comdroid.org/ )
6. [Dexter ](https://dexter.bluebox.com/ )
7. [Foresafe ](http://www.foresafe.com/scan )
8. [Mobile app insight ](http://www.mobile-app-insight.org )
9. [Mobile-Sandbox ](http://mobile-sandbox.com )
10. [Sandroid ](http://sanddroid.xjtu.edu.cn/ )
11. [Tracedroid ](http://tracedroid.few.vu.nl/ )
12. [Visual Threat ](http://www.visualthreat.com/ )
2014-09-26 22:38:14 +00:00
13. [Android Sandbox ](http://www.androidsandbox.net/ )
2014-11-07 22:00:11 +00:00
14. [Mobile Malware Sandbox ](http://www.mobilemalware.com.br/analysis/index_en.php )
2014-07-22 19:53:10 +00:00
14. [Stowaway ](http://www.android-permissions.org/ ) – seems to be dead now
## STATIC ANALYSIS TOOLS
2. [Androwarn ](https://github.com/maaaaz/androwarn/ )
3. [ApkAnalyser ](https://github.com/sonyxperiadev/ApkAnalyser )
4. [APKInspector ](https://github.com/honeynet/apkinspector/ )
5. [Droid Intent Data Flow Analysis for Information Leakage ](https://www.cert.org/secure-coding/tools/didfail.cfm )
6. [Several tools from PSU ](http://siis.cse.psu.edu/tools.html )
7. [Smali CFG generator ](http://code.google.com/p/smali-cfgs/ )
2014-11-17 02:53:24 +00:00
8. [FlowDroid ](http://sseblog.ec-spride.de/tools/flowdroid/ )
2015-01-10 19:11:12 +00:00
9. [Android Decompiler ](http://www.android-decompiler.com/ ) – not free
2015-01-14 19:00:39 +00:00
10. [PSCout ](http://pscout.csl.toronto.edu/ ) - A tool that extracts the permission specification from the Android OS source code using static analysis
2014-07-22 19:53:10 +00:00
## DYNAMIC ANALYSIS TOOLS
1. [Android DBI frameowork ](http://www.mulliner.org/blog/blosxom.cgi/security/androiddbiv02.html )
2015-01-10 19:09:41 +00:00
2. [Android Malware Analysis Toolkit ](http://www.mobilemalware.com.br/amat/download.html ) - (linux distro) Earlier it use to be an [online analyzer ](http://dunkelheit.com.br/amat/analysis/index_en.html )
2014-07-22 19:53:10 +00:00
5. [AppUse ](https://appsec-labs.com/AppUse ) – custom build for pentesting
7. [Cobradroid ](http://thecobraden.com/projects/cobradroid/ ) – custom image for malware analysis
2015-01-10 19:09:41 +00:00
8. [ViaLab Community Edition ](https://viaforensics.com/product-updates/introducing-vialab-community-edition.html )
2014-07-22 19:53:10 +00:00
9. [Droidbox ](http://code.google.com/p/droidbox/ )
10. [Mercury ](http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/ )
11. [Drozer ](https://labs.mwrinfosecurity.com/tools/drozer/ )
12. [Taintdroid ](http://appanalysis.org/download.html ) - requires AOSP compilation
13. [Xposed ](http://forum.xda-developers.com/showthread.php?t=1574401 ) - equivalent of doing Stub based code injection but without any modifications to the binary
2015-01-10 19:09:41 +00:00
15. [Android Hooker ](https://github.com/AndroidHooker/hooker ) - API Hooking of java methods triggered by any Android application (requires the Substrate Framework)
2015-01-13 08:52:05 +00:00
16. [Android tamer ](https://androidtamer.com/ ) - custom image
2015-01-19 08:57:08 +00:00
17. [Droidscope ](https://code.google.com/p/decaf-platform/wiki/DroidScope ) - custom image for dynamic analysis
2015-01-10 19:09:41 +00:00
16. [Crowdroid ](http://www.ida.liu.se/labs/rtslab/publications/2011/spsm11-burguera.pdf ) – unable to find the actual tool
16. [AuditdAndroid ](https://github.com/nwhusted/AuditdAndroid ) – android port of auditd, not under active development anymore
16. [Android Security Evaluation Framework ](https://code.google.com/p/asef/ ) - not under active development anymore
2015-01-10 19:11:12 +00:00
18. [Android Reverse Engineering ](https://redmine.honeynet.org/projects/are/wiki ) – ARE (android reverse engineering) not under active development anymore
2015-01-10 19:09:41 +00:00
19. [Ijiami (Chinese) ](http://safe.ijiami.cn/ ) - seems dead now
2015-01-10 16:45:31 +00:00
16. [Aurasium ](http://www.aurasium.com/ ) – rewrites the android app to add security policy, seems dead now
2015-01-18 04:20:42 +00:00
17. [Android Linux Kernel modules ](https://github.com/strazzere/android-lkms )
2015-01-23 13:30:43 +00:00
18. [Appie ](http://manifestsecurity.com/appie/ )- Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
2014-07-22 19:53:10 +00:00
## REVERSE ENGINEERING
2015-12-20 14:00:20 +00:00
1. [Smali/Baksmali ](https://github.com/JesusFreke/smali ) – apk decompilation
2014-07-22 19:53:10 +00:00
3. [emacs syntax coloring for smali files ](https://github.com/strazzere/Emacs-Smali )
4. [vim syntax coloring for smali files ](http://codetastrophe.com/smali.vim )
5. [AndBug ](https://github.com/swdunlop/AndBug )
6. [Androguard ](http://code.google.com/p/androguard/ ) – powerful, integrates well with other tools
2015-12-20 14:00:20 +00:00
7. [Apktool ](http://ibotpeaches.github.io/Apktool/ ) – really useful for compilation/decompilation (uses smali)
2014-07-22 19:53:10 +00:00
8. [Android Framework for Exploitation ](https://github.com/xysec/AFE )
9. [Bypass signature and permission checks for IPCs ](https://github.com/iSECPartners/Android-KillPermAndSigChecks )
10. [Android OpenDebug ](https://github.com/iSECPartners/Android-OpenDebug ) – make any application on device debuggable (using cydia substrate).
11. [Dare ](http://siis.cse.psu.edu/dare/index.html ) – .dex to .class converter
12. [Dex2Jar ](http://code.google.com/p/dex2jar/ )
13. [Dedexer ](http://dedexer.sourceforge.net )
14. [Fino ](https://github.com/sysdream/fino )
15. [Indroid ](https://bitbucket.org/aseemjakhar/indroid ) – thread injection kit
16. [IntentFuzzer ](https://www.isecpartners.com/tools/mobile-security/intent-fuzzer.aspx )
17. [IntentSniffer ](https://www.isecpartners.com/tools/mobile-security/intent-sniffer.aspx )
18. [Introspy ](https://github.com/iSECPartners/Introspy-Android )
2015-01-07 09:19:49 +00:00
19. [Jad ]( http://www.varaneckas.com/jad ) - Java decompiler
20. [JD-GUI ](http://java.decompiler.free.fr/?q=jdgui ) - Java decompiler
21. [CFR ](http://www.benf.org/other/cfr/ ) - Java decompiler
22. [Krakatau ](https://github.com/Storyyeller/Krakatau ) - Java decompiler
23. [Procyon ](https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler ) - Java decompiler
2014-07-22 19:53:10 +00:00
21. [Redexer ](https://github.com/plum-umd/redexer ) – apk manipulation
22. [Smali viewer ](http://blog.avlyun.com/wp-content/uploads/2014/04/SmaliViewer.zip )
2015-01-23 14:45:54 +00:00
23. [ZjDroid ](https://github.com/BaiduSecurityLabs/ZjDroid ) (no longer available), [fork/mirror ](https://github.com/yangbean9/ZjDroid )
2014-12-08 09:26:20 +00:00
24. [Simplify Android deobfuscator ](https://github.com/CalebFenton/simplify )
2015-01-13 09:59:34 +00:00
25. [Bytecode viewer ](https://github.com/Konloch/bytecode-viewer )
2014-07-22 19:53:10 +00:00
2014-08-11 02:42:24 +00:00
## Exploitable Vulnerabilties
1. [Vulnerability Google
doc](https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE& single=true& gid=0& output=html)
2. [Root Exploits (from Drozer issue
#56 )(https://github.com/mwrlabs/drozer/issues/56)
2014-07-22 19:53:10 +00:00
## SAMPLE SOURCES
1. [contagio mini dump ](http://contagiominidump.blogspot.com )
2. [Open Source database ](http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares )
## MISC TOOLS/READINGS
1. [smalihook ](http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html )
2. [APK-Downloader ](http://codekiem.com/2012/02/24/apk-downloader/ )
3. [AXMLPrinter2 ](http://code.google.com/p/android4me/downloads/detail?name=AXMLPrinter2.jar ) - to convert binary XML files to human-readable XML files
2014-08-27 21:51:33 +00:00
4. [An Android port of the melkor ELF fuzzer ](https://github.com/anestisb/melkor-android )
2014-12-03 15:48:07 +00:00
5. [adb autocomplete ](https://romannurik-code.googlecode.com/git/bash_completion/adb )
2014-08-27 21:51:33 +00:00
6. [Dalvik opcodes ](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html )
7. [Opcodes table for quick reference ](http://xchg.info/corkami/opcodes_tables.pdf )
8. [A good collection of static analysis papers ](http://tthtlc.wordpress.com/2011/09/01/static-analysis-of-android-applications/ )
9. [ExploitMe ](http://securitycompass.github.io/AndroidLabs/setup.html ) - for practice
10. [GoatDroid ](https://github.com/jackMannino/OWASP-GoatDroid-Project ) - for practice
11. [Android Labs ](http://securitycompass.github.io/AndroidLabs/setup.html ) - for practice
2015-01-09 18:53:03 +00:00
12. [mitmproxy ](https://github.com/mitmproxy/mitmproxy )
2015-01-23 20:57:24 +00:00
13. [dockerfile/androguard ](https://github.com/dweinstein/dockerfile-androguard )
2014-07-29 08:07:02 +00:00
# Other Awesome Lists
Other amazingly awesome lists can be found in the
[awesome-awesomeness ](https://github.com/bayandin/awesome-awesomeness ) list.
# Contributing
Your contributions are always welcome!
2014-07-22 19:53:10 +00:00