From 49e3e54075424d1b935804c0f005b2e91f15d5c4 Mon Sep 17 00:00:00 2001 From: Shayan Rais Date: Thu, 16 Feb 2017 15:23:58 +0500 Subject: [PATCH 1/3] Formatted ReadMe Converted ReadMe into 3 main sections. Transfer READING MATERIAL & TUTORIALS sections to ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS section. --- README.md | 73 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 52 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 05b1fda..cdd5d09 100644 --- a/README.md +++ b/README.md @@ -3,10 +3,15 @@ android-security-awesome [![Awesome](https://cdn.rawgit.com/sindresorhus/awesome A collection of android security related resources. -A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of android apps. +1. [TOOLS](#tools) +2. [ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS](#academic) +3. [EXPLOITS / VULNERABILITIES / BUGS](#exploits) +---- +#1- TOOLS -## ONLINE ANALYZERS +Online Analyzers +---- 1. [AndroTotal](http://andrototal.org/) * [Dexter](https://dexter.dexlabs.org/) @@ -34,7 +39,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * ~~[Android Sandbox](http://www.androidsandbox.net/)~~ * ~~[Foresafe](http://www.foresafe.com/scan)~~ -## STATIC ANALYSIS TOOLS +Static Analysis Tools +---- 1. [Androwarn](https://github.com/maaaaz/androwarn/) - detect and warn the user about potential malicious behaviours developped by an Android application. * [ApkAnalyser](https://github.com/sonyxperiadev/ApkAnalyser) @@ -53,7 +59,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [SPARTA](http://www.cs.washington.edu/sparta) - verifies (proves) that an app satisfies an information-flow security policy; built on the [Checker Framework](http://types.cs.washington.edu/checker-framework/) * [ConDroid](https://github.com/JulianSchuette/ConDroid) - Performs a combination of symoblic + concrete execution of the app -## APP VULNERABILITY SCANNERS +App Vulnerability Scanners +---- 1. [QARK](https://github.com/linkedin/qark/) - QARK by LinkedIn is for app developers to scan app for security issues * [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework) @@ -61,7 +68,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [Devknox](https://devknox.io/) - Autocorrect security issues as if it was spell check from your IDE * [JAADAS](https://github.com/flankerhqd/JAADAS) - Joint intraprocedure and interprocedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala -## DYNAMIC ANALYSIS TOOLS +Dynamic Analysis Tools +---- 1. [Android DBI frameowork](http://www.mulliner.org/blog/blosxom.cgi/security/androiddbiv02.html) 2. [Androl4b](https://github.com/sh4hin/Androl4b)- A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis @@ -95,7 +103,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [NowSecure Lab Automated](https://www.nowsecure.com/blog/2016/09/19/announcing-nowsecure-lab-automated/) - Enterprise tool for mobile app security testing both Android and iOS mobile apps. Lab Automated features dynamic and static analysis on real devices in the cloud to return results in minutes. * ~~[Taintdroid](https://appanalysis.org/download.html)~~ - requires AOSP compilation -## REVERSE ENGINEERING +Reverse Engineering +---- 1. [Smali/Baksmali](https://github.com/JesusFreke/smali) – apk decompilation * [emacs syntax coloring for smali files](https://github.com/strazzere/Emacs-Smali) @@ -128,7 +137,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [Bytecode viewer](https://github.com/Konloch/bytecode-viewer) * [Radare2](https://github.com/radare/radare2) -## FUZZ TESTING +Fuzz Testing +---- 1. [IntentFuzzer](https://www.nccgroup.trust/us/about-us/resources/intent-fuzzer/) * [Radamsa Fuzzer](https://github.com/anestisb/radamsa-android) @@ -137,11 +147,13 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [Media Fuzzing Framework for Android](https://github.com/fuzzing/MFFA) * [AndroFuzz](https://github.com/jonmetz/AndroFuzz) -## APP REPACKAGING DETECTORS +App Repackaging Detectors +---- 1. [FSquaDRA](https://github.com/zyrikby/FSquaDRA) - a tool for detection of repackaged Android applications based on app resources hash comparison. -## SAMPLE SOURCES +Sample Sources +---- 1. [Contagio Mini Dump](http://contagiominidump.blogspot.com) 2. [Android Malware Github repo](https://github.com/ashishb/android-malware) @@ -151,13 +163,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [VirusTotal Malware Intelligence Service](https://www.virustotal.com/en/about/contact/) - powered by VirusTotal,not free * ~~[Drebin](http://user.informatik.uni-goettingen.de/~darp/drebin/)~~ -## READING MATERIAL - -1. [Android Security (and Not) Internals](http://www.zhauniarovich.com/pubs.html) -* [Android security related presentations](https://github.com/jacobsoo/AndroidSlides) -* [A good collection of static analysis papers](https://tthtlc.wordpress.com/2011/09/01/static-analysis-of-android-applications/) - -## MARKET CRAWLERS +Market Crawlers +---- 1. [Google play crawler (Java)](https://github.com/Akdeniz/google-play-crawler) * [Google play crawler (Python)](https://github.com/egirault/googleplay-api) @@ -165,7 +172,8 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [Aptoide downloader (Node)](https://github.com/dweinstein/node-aptoide) - download apps from Aptoide third-party Android market * [Appland downloader (Node)](https://github.com/dweinstein/node-appland) - download apps from Appland third-party Android market -## MISC TOOLS +Misc Tools +---- 1. [smalihook](http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html) * [APK-Downloader](http://codekiem.com/2012/02/24/apk-downloader/) @@ -179,26 +187,49 @@ A lot of work is happening in academia and industry on tools to perform dynamic * [dockerfile/androguard](https://github.com/dweinstein/dockerfile-androguard) * [Android Vulnerability Test Suite](https://github.com/AndroidVTS/android-vts) - android-vts scans a device for set of vulnerabilities -## TUTORIALS +---- + +#2- ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS + +Android Security Researchers +---- +1. [Yury Zhauniarovich](http://www.zhauniarovich.com) + +Research Papers +---- +1. [Android security related presentations](https://github.com/jacobsoo/AndroidSlides) +* [A good collection of static analysis papers](https://tthtlc.wordpress.com/2011/09/01/static-analysis-of-android-applications/) + +Books +---- +1. [SEI CERT Android Secure Coding Standard](https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard) + +Tutorials +---- 1. [Android Reverse Engineering 101 by Daniele Altomare](http://www.fasteque.com/android-reverse-engineering-101-part-1/) -#EXPLOITS / VULNERABILITIES / BUGS + +---- + +#3- EXPLOITS / VULNERABILITIES / BUGS List ---- 1. [Vulnerability Google Doc](https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE&single=true&gid=0&output=html) * [Root Exploits (from Drozer issue #56)](https://github.com/mwrlabs/drozer/issues/56) * [Android Security Bulletins](https://source.android.com/security/bulletin/) -* [Android reported security vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html) +* [Android's reported security vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html) Bounty Programs ---- -1. [Android's Security Reward Program](https://www.google.com/about/appsecurity/android-rewards/) +1. [Android Security Reward Program](https://www.google.com/about/appsecurity/android-rewards/) How to report ---- 1. [Android - reporting security issues](https://source.android.com/security/overview/updates-resources.html#report-issues) +---- + # Other Awesome Lists Other amazingly awesome lists can be found in the [awesome-awesomeness](https://github.com/bayandin/awesome-awesomeness) list. From 516516428415bef5a317c551d096051030bd525f Mon Sep 17 00:00:00 2001 From: Shayan Rais Date: Thu, 16 Feb 2017 15:28:46 +0500 Subject: [PATCH 2/3] added Android Devices Security Patch link added Android Devices Security Patch link as mentioned by Chan9390 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index cdd5d09..515d7ac 100644 --- a/README.md +++ b/README.md @@ -219,6 +219,7 @@ List * [Root Exploits (from Drozer issue #56)](https://github.com/mwrlabs/drozer/issues/56) * [Android Security Bulletins](https://source.android.com/security/bulletin/) * [Android's reported security vulnerabilities](https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/Google-Android.html) +* [Android Devices Security Patch Status](https://kb.androidtamer.com/Device_Security_Patch_tracker/) Bounty Programs ---- From 222614744c5108ffdd8a021e647039bfa2e09b84 Mon Sep 17 00:00:00 2001 From: Shayan Rais Date: Fri, 17 Feb 2017 22:15:52 +0500 Subject: [PATCH 3/3] Formatted ReadMe --- README.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index bf6ae73..6409bf8 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ A collection of android security related resources. 3. [EXPLOITS / VULNERABILITIES / BUGS](#exploits) ---- -#1- TOOLS +#TOOLS Online Analyzers ---- @@ -189,11 +189,7 @@ Misc Tools ---- -#2- ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS - -Android Security Researchers ----- -1. [Yury Zhauniarovich](http://www.zhauniarovich.com) +#ACADEMIC / RESEARCH / PUBLICATIONS / BOOKS Research Papers ---- @@ -210,7 +206,7 @@ Tutorials ---- -#3- EXPLOITS / VULNERABILITIES / BUGS +#EXPLOITS / VULNERABILITIES / BUGS List ----