# awesome-mobile-security ![awesome](https://awesome.re/badge.svg) A curated list of Mobile Security materials and resources. Maintained by [@vaib25vicky](https://twitter.com/vaib25vicky) with contributions from the security and developer communities. ## Android ### General * [An Android Hacking Primer](https://medium.com/swlh/an-android-hacking-primer-3390fef4e6a0) * [Secure an Android Device](https://source.android.com/security) * [Security tips](https://developer.android.com/training/articles/security-tips) * [OWASP Mobile Security Testing Guide](https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide) * [Security Testing for Android Cross Platform Application](https://3xpl01tc0d3r.blogspot.com/2019/09/security-testing-for-android-app-part1.html) * [Dive deep into Android Application Security](https://blog.0daylabs.com/2019/09/18/deep-dive-into-Android-security/) * [Pentesting Android Apps Using Frida](https://www.notsosecure.com/pentesting-android-apps-using-frida/) * [Mobile Security Testing Guide](https://mobile-security.gitbook.io/mobile-security-testing-guide/) * [Mobile Application Penetration Testing Cheat Sheet](https://github.com/sh4hin/MobileApp-Pentest-Cheatsheet) * [Android Applications Reversing 101](https://www.evilsocket.net/2017/04/27/Android-Applications-Reversing-101/#.WQND0G3TTOM.reddit) * [Android Security Guidelines](https://developer.box.com/en/guides/security/) * [Android WebView Vulnerabilities](https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/) * [OWASP Mobile Top 10](https://www.owasp.org/index.php/OWASP_Mobile_Top_10) ### Books * [SEI CERT Android Secure Coding Standard](https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard) * [Android Security Internals](https://www.oreilly.com/library/view/android-security-internals/9781457185496/) * [Android Cookbook](https://androidcookbook.com/) * [Android Hacker's Handbook](https://www.amazon.com/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X) * [Android Security Cookbook](https://www.packtpub.com/in/application-development/android-security-cookbook) * [The Mobile Application Hacker's Handbook](https://www.amazon.in/Mobile-Application-Hackers-Handbook-ebook/dp/B00TSA6KLG) * [Android Malware and Analysis](https://www.oreilly.com/library/view/android-malware-and/9781482252200/) * [Android Security: Attacks and Defenses](https://www.crcpress.com/Android-Security-Attacks-and-Defenses/Misra-Dubey/p/book/9780367380182) ### Courses * [Learning-Android-Security](https://www.lynda.com/Android-tutorials/Learning-Android-Security/689762-2.html) * [Mobile Application Security and Penetration Testing](https://www.elearnsecurity.com/course/mobile_application_security_and_penetration_testing/) * [Advanced Android Development](https://developer.android.com/courses/advanced-training/overview) * [Learn the art of mobile app development](https://www.edx.org/professional-certificate/harvardx-computer-science-and-mobile-apps) ### Tools #### Static Analysis * [Amandroid – A Static Analysis Framework](http://pag.arguslab.org/argus-saf) * [Androwarn – Yet Another Static Code Analyzer](https://github.com/maaaaz/androwarn/) * [APK Analyzer – Static and Virtual Analysis Tool](https://github.com/sonyxperiadev/ApkAnalyser) * [APK Inspector – A Powerful GUI Tool](https://github.com/honeynet/apkinspector/) * [Droid Hunter – Android application vulnerability analysis and Android pentest tool](https://github.com/hahwul/droid-hunter) * [Error Prone – Static Analysis Tool](https://github.com/google/error-prone) * [Findbugs – Find Bugs in Java Programs](http://findbugs.sourceforge.net/downloads.html) * [Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.](https://github.com/find-sec-bugs/find-sec-bugs/) * [Flow Droid – Static Data Flow Tracker](https://github.com/secure-software-engineering/FlowDroid) * [Smali/Baksmali – Assembler/Disassembler for the dex format](https://github.com/JesusFreke/smali) * [Smali-CFGs – Smali Control Flow Graph’s](https://github.com/EugenioDelfa/Smali-CFGs) * [SPARTA – Static Program Analysis for Reliable Trusted Apps](https://www.cs.washington.edu/sparta) * [Thresher – To check heap reachability properties](https://plv.colorado.edu/projects/thresher/) * [Vector Attack Scanner – To search vulnerable points to attack](https://github.com/Sukelluskello/VectorAttackScanner) * [Gradle Static Analysis Plugin](https://github.com/novoda/gradle-static-analysis-plugin) * [Checkstyle – A tool for checking Java source code](https://github.com/checkstyle/checkstyle) * [PMD – An extensible multilanguage static code analyzer](https://github.com/pmd/pmd) * [Soot – A Java Optimization Framework](https://github.com/Sable/soot) * [Android Quality Starter](https://github.com/pwittchen/android-quality-starter) * [QARK – Quick Android Review Kit](https://github.com/linkedin/qark) * [Infer – A Static Analysis tool for Java, C, C++ and Objective-C](https://github.com/facebook/infer) * [Android Check – Static Code analysis plugin for Android Project](https://github.com/noveogroup/android-check) * [FindBugs-IDEA Static byte code analysis to look for bugs in Java code](https://plugins.jetbrains.com/plugin/3847-findbugs-idea) #### Dynamic Analysis * [Android Hooker - Opensource project for dynamic analyses of Android applications](https://github.com/AndroidHooker/hooker) * [AppAudit - Online tool ( including an API) uses dynamic and static analysis](http://appaudit.io/) * [AppAudit - A bare-metal analysis tool on Android devices](https://github.com/ucsb-seclab/baredroid) * [CuckooDroid - Extension of Cuckoo Sandbox the Open Source software](https://github.com/idanr1986/cuckoo-droid) * [DroidBox - Dynamic analysis of Android applications](https://code.google.com/p/droidbox/) * [Droid-FF - Android File Fuzzing Framework](https://github.com/antojoseph/droid-ff) * [Drozer](https://www.mwrinfosecurity.com/products/drozer/) * [Marvin - Analyzes Android applications and allows tracking of an app](https://github.com/programa-stic/marvin-django) * [Inspeckage](https://github.com/ac-pm/Inspeckage) * [PATDroid - Collection of tools and data structures for analyzing Android applications](https://github.com/mingyuan-xia/PATDroid) * [AndroL4b - Android security virtual machine based on ubuntu-mate](https://github.com/sh4hin/Androl4b) * [Radare2 - Unix-like reverse engineering framework and commandline tools](https://github.com/radareorg/radare2) * [yteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)](https://bytecodeviewer.com/) * [Mobile-Security-Framework MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) * [CobraDroid - Custom build of the Android operating system geared specifically for application security ](https://thecobraden.com/projects/cobradroid/) #### Android Online APK Analyzers * [Android Observatory APK Scan](https://androidobservatory.org/upload) * [Android APK Decompiler](http://www.decompileandroid.com/) * [AndroTotal](http://andrototal.org/) * [NVISO ApkScan](https://apkscan.nviso.be/) * [VirusTotal](https://www.virustotal.com/#/home/upload) * [Scan Your APK](https://scanyourapk.com/) * [AVC Undroid](https://undroid.av-comparatives.org/index.php) * [OPSWAT](https://metadefender.opswat.com/#!/) * [ImmuniWeb Mobile App Scanner](https://www.htbridge.com/mobile/) * [Ostor Lab](https://www.ostorlab.co/scan/mobile/) * [Quixxi](https://quixxisecurity.com/) * [TraceDroid](http://tracedroid.few.vu.nl/submit.php) * [Visual Threat](http://www.visualthreat.com/UIupload.action) * [App Critique](https://appcritique.boozallen.com/) ### Labs * [DIVA (Damn insecure and vulnerable App)](https://github.com/payatu/diva-android) * [SecurityShepherd](https://github.com/OWASP/SecurityShepherd) * [Damn Vulnerable Hybrid Mobile App (DVHMA)](https://github.com/logicalhacking/DVHMA) * [OWASP-mstg](https://github.com/OWASP/owasp-mstg/tree/master/Crackmes) * [VulnerableAndroidAppOracle](https://github.com/dan7800/VulnerableAndroidAppOracle) * [Android InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) * [Purposefully Insecure and Vulnerable Android Application (PIIVA)](https://github.com/htbridge/pivaa) * [Sieve app](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) * [DodoVulnerableBank](https://github.com/CSPF-Founder/DodoVulnerableBank) * [Digitalbank](https://github.com/CyberScions/Digitalbank) * [OWASP GoatDroid](https://github.com/jackMannino/OWASP-GoatDroid-Project) * [AppKnox Vulnerable Application](https://github.com/appknox/vulnerable-application) * [Vulnerable Android Application](https://github.com/Lance0312/VulnApp) * [MoshZuk](https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apk) * [Hackme Bank](http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx) * [Android Security Labs](https://github.com/SecurityCompass/AndroidLabs) * [Android-InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) * [Android-security](https://github.com/rafaeltoledo/android-security) ### Talks * [One Step Ahead of Cheaters -- Instrumenting Android Emulators](https://www.youtube.com/watch?v=L3AniAxp_G4) * [Vulnerable Out of the Box: An Evaluation of Android Carrier Devices](https://www.youtube.com/watch?v=R2brQvQeTvM) * [Rock appround the clock: Tracking malware developers by Android](https://www.youtube.com/watch?v=wd5OU9NvxjU) * [Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre](https://www.youtube.com/watch?v=ohjTWylMGEA) * [Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets](https://www.youtube.com/watch?v=TDk2RId8LFo) * [Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening](https://www.youtube.com/watch?v=EkL1sDMXRVk) * [Hide Android Applications in Images](https://www.youtube.com/watch?v=hajOlvLhYJY) * [Scary Code in the Heart of Android](https://www.youtube.com/watch?v=71YP65UANP0) * [Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android](https://www.youtube.com/watch?v=q_HibdrbIxo) * [Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library](https://www.youtube.com/watch?v=s0Tqi7fuOSU) * [Android FakeID Vulnerability Walkthrough](https://www.youtube.com/watch?v=5eJYCucZ-Tc) * [Unleashing D* on Android Kernel Drivers](https://www.youtube.com/watch?v=1XavjjmfZAY) * [The Smarts Behind Hacking Dumb Devices](https://www.youtube.com/watch?v=yU1BrY1ZB2o) * [Overview of common Android app vulnerabilities](https://www.bugcrowd.com/resources/webinars/overview-of-common-android-app-vulnerabilities/) * [Android Dev Summit 2019](https://developer.android.com/dev-summit) * [Android security architecture](https://www.youtube.com/watch?v=3asW-nBU-JU) ### Misc. * [Android-Reports-and-Resources](https://github.com/B3nac/Android-Reports-and-Resources/blob/master/README.md) * [android-security-awesome](https://github.com/ashishb/android-security-awesome) * [Android Penetration Testing Courses](https://medium.com/mobile-penetration-testing/android-penetration-testing-courses-4effa36ac5ed) ## iOS ### General * [iOS Security](https://www.cse.wustl.edu/~jain/cse571-14/ftp/ios_security/index.html) * [Basic iOS Apps Security Testing lab](https://medium.com/@ehsahil/basic-ios-apps-security-testing-lab-1-2bf37c2a7d15) * [IOS Application security – Setting up a mobile pentesting platform](https://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/#gref) * [Collection of the most common vulnerabilities found in iOS applications](https://github.com/felixgr/secure-ios-app-dev) * [IOS_Application_Security_Testing_Cheat_Sheet](https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet) * [OWASP iOS Basic Security Testing](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing) * [Dynamic analysis of iOS apps w/o Jailbreak](https://medium.com/@ansjdnakjdnajkd/dynamic-analysis-of-ios-apps-wo-jailbreak-1481ab3020d8) ### Books * [Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It](https://www.amazon.com/Hacking-Securing-iOS-Applications-Hijacking/dp/1449318746) * [iOS Penetration Testing](https://www.apress.com/gp/book/9781484223543) * [iOS App Security, Penetration Testing, and Development](https://www.allysonomalley.com/) * [IOS Hacker's Handbook](https://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123) * [iOS Hacker′s Handbook](https://www.amazon.in/iOS-Hacker%E2%80%B2s-Handbook-Charlie-Miller/dp/1118204123) * [Hacking iOS Applications a detailed testing guide](https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf) * [Develop iOS Apps (Swift)](https://developer.apple.com/library/archive/referencelibrary/GettingStarted/DevelopiOSAppsSwift/) * [iOS Programming Cookbook](https://www.packtpub.com/in/application-development/ios-programming-cookbook) ### Courses * [Pentesting iOS Applications](https://www.pentesteracademy.com/course?id=2) * [Reverse Engineering iOS Applications](https://github.com/ivRodriguezCA/RE-iOS-Apps) * [App Design and Development for iOS](https://www.coursera.org/learn/ios-app-design-development) ### Tools * [Cydia Impactor](http://www.cydiaimpactor.com/) * [idb - iOS App Security Assessment Tool](https://www.idbtool.com/) * [Frida](https://github.com/frida/frida/releases) * [Objection - mobile exploration toolkit by Frida](https://github.com/sensepost/objection) * [Bfinject](https://github.com/BishopFox/bfinject) * [iFunbox](http://www.i-funbox.com/) * [Libimobiledevice - library to communicate with the services of the Apple ios devices](https://www.libimobiledevice.org/) * [iRET (iOS Reverse Engineering Toolkit)](https://www.veracode.com/sites/default/files/Resources/Tools/iRETTool.zip) - includes oTool, dumpDecrypted, SQLite, Theos, Keychain_dumper, Plutil * [Myriam iOS](https://github.com/GeoSn0w/Myriam) * [iWep Pro - wireless suite of useful applications used to turn your iOS device into a wireless network diagnostic tool](https://itunes.apple.com/us/app/iweppro/id578135585?mt=8) * [Burp Suite](https://portswigger.net/burp/communitydownload) * [Cycript](https://cydia.saurik.com/api/latest/3) * [needle - The iOS Security Testing Framework](https://github.com/FSecureLABS/needle) ### Labs * [OWASP iGoat](https://www.owasp.org/index.php/OWASP_iGoat_Tool_Project) * [Damn Vulnerable iOS App (DVIA) v2](https://github.com/prateek147/DVIA-v2) * [Damn Vulnerable iOS App (DVIA) v1](https://github.com/prateek147/DVIA) * [iPhoneLabs](https://github.com/SecurityCompass/iPhoneLabs) * [iOS-Attack-Defense](https://github.com/ManicodeSecurity/iOS-Attack-Defense) ### Talks * [Behind the Scenes of iOS Security](https://www.youtube.com/watch?v=BLGFriOKz6U) * [Modern iOS Application Security](https://www.infoq.com/presentations/ios-security/) * [Demystifying the Secure Enclave Processor](https://www.youtube.com/watch?v=7UNeUT_sRos) * [HackPac Hacking Pointer Authentication in iOS User Space](https://www.youtube.com/watch?v=DJFxhShJ6Ns) * [Analyzing and Attacking Apple Kernel Drivers](https://www.youtube.com/watch?v=07VqX4bbXTI) * [Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox](https://www.youtube.com/watch?v=bP5VP7vLLKo) * [Reverse Engineering iOS Mobile Apps](https://www.bugcrowd.com/resources/webinars/reverse-engineering-ios-mobile-apps/) * [iOS 10 Kernel Heap Revisited](https://www.youtube.com/watch?v=DNW6Im31lQo) ### Misc. * [Most usable tools for iOS penetration testing](https://github.com/ansjdnakjdnajkd/iOS) * [iOS-Security-Guides](https://github.com/0xmachos/iOS-Security-Guides) * [osx-security-awesome - OSX and iOS related security tools](https://github.com/ashishb/osx-and-ios-security-awesome)