This document is intended to provide a list of tools used for vulnerability analysis and penetration testing of Android applications. This is by no means a comprehensive list and some tools achieve similar goals. As most tools are open projects, some might not be constantly maintained and hence the use of multiple tools for security assessments and penetration testing might be necessary.
Tool | Description |
---|---|
Static Analysis Tools | |
Androwarn | Detects and warns the user about potential malicious behaviours developed by an Android application. |
ApkAnalyser | ApkAnalyser is a static, virtual analysis tool for examining and validating the development work of your Android app. |
APKInspector | APKinspector is a powerful GUI tool for analysts to analyse the Android applications. |
Droid Intent Data Flow Analysis for Information Leakage | Droid Intent Data Flow Analysis for Information Leakage (DidFail) is an analysis method that is designed to identify and expose potential data leaks within Android applications. |
DroidLegacy | An automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. |
Several tools from PSU | Dare, Ded, Fortify SCA, Kirin and JLift |
Smali CFG generator | This tool generates Smali Control Flow Graphs which can facilitate the review process. |
FlowDroid | FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. |
PSCout | A tool that extracts the permission specification from the Android OS source code using static analysis. |
Amandroid | Amandroid is a static analysis framework for Android apps. |
SmaliSCA | Smali Static Code Analysis |
CFGScanDroid | Scans and compares CFG against CFG of malicious applications |
Madrolyzer | Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.) |
SPARTA | The SPARTA project (Static Program Analysis for Reliable Trusted Apps) is building a toolset to verify the security of mobile phone applications. It verifies that an app satisfies an information-flow security policy. It is built on the Checker Framework. |
ConDroid | ConDroid performs concolic execution of Android apps, a combination of pure symbolic and concrete execution of a program. The goal of ConDroid is to drive execution of an Android app to specific code locations without requiring any manual interaction with the app. This allows one to observe "interesting" behaviour in a dynamic analysis, such as network traffic or dynamic code loading. |
DroidRA | Android developers heavily use reflection in their apps for legitimate reasons, but also significantly for hiding malicious actions. |
RiskInDroid | RiskInDroid (Risk Index for Android) is a tool for quantitative risk analysis of Android applications written in Java (used to check the permissions of the apps) and Python (used to compute a risk value based on apps' permissions). The tool uses classification techniques through scikit-learn, a machine learning library for Python, in order to generate a numeric risk value between 0 and 100 for a given app. |
SUPER | SUPER is a command-line application that can be used on Windows, Mac OS X and Linux and that analyses .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities. |
ClassyShark | ClassyShark is a standalone binary inspection tool for Android developers. It can reliably browse any Android executable and show important info such as class interfaces and members, dex counts and dependencies. |
Droidstat-x | Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis. The map itself is an Android Application Pentesting Methodology component, which assists pentesters in covering all important areas during an assessment. |
Androwarn | Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application. The detection is performed with static analysis of the application's Dalvik bytecode, represented as Smali. This analysis leads to the generation of a report, according to a technical detail level chosen by the user. |
App Vulnerability Scanners | |
QARK | Quick Android Review Kit - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating "Proof-of-Concept" deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions. |
AndroBugs | AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. |
Nogotofail | Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more. |
Devknox | Devknox is a developer-friendly Android Studio plugin that helps Android developers detect and resolve security issues in their apps while writing code. |
JAADAS | This is the Joint Advanced Defect Assessment framework for Android applications (JAADAS; the original name JADE was changed to avoid a potential trademark issue), written in 2014. JAADAS is a tool written in Java and Scala that uses Soot to provide both interprocedural and intraprocedural static analysis for Android applications. Its features include API misuse analysis, local denial-of-service (intent crash) analysis, and interprocedural taint flow analysis (from intent to sensitive API, i.e. getting a Parcelable from an intent and using it to start an activity). |
Dynamic Analysis Tools | |
Android DBI framework | Simple binary instrumentation toolkit for Android ARM + Thumb. Instrumentation is based on library injection and hooking function entry points (in-line hooking). The toolkit consists of two main components: the hijack tool and the base library. |
Androl4b | AndroL4b is an Android security virtual machine based on Ubuntu MATE that includes a collection of the latest frameworks, tutorials and labs from different security geeks and researchers for reverse engineering and malware analysis. |
Android Malware Analysis Toolkit | A Linux distro focused on Mobile Malware Analysis for Android. |
Mobile-Security-Framework MobSF | Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. |
AppUse | AppUse is a VM (Virtual Machine) developed by AppSec Labs. It is a platform for mobile application security testing of Android and iOS applications and includes exclusive custom-made tools and scripts created by AppSec Labs. |
Cobradroid | CobraDroid is a custom build of the Android operating system geared specifically for application security analysts and for individuals dealing with mobile malware. |
Droidbox | DroidBox is developed to offer dynamic analysis of Android applications. The results generated when analysis is complete describe: hashes for the analyzed package; incoming/outgoing network data; file read and write operations; started services and classes loaded through DexClassLoader; information leaks via the network, files and SMS; circumvented permissions; cryptographic operations performed using the Android API; a listing of broadcast receivers; and sent SMS and phone calls. |
drozer | drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS. drozer provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. |
Xposed | The Xposed framework gives you the possibility to modify your ROM without modifying any APK; it is the equivalent of stub-based code injection, but without any modifications to the binary. |
Inspeckage | Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime. |
Android Hooker | Hooker is an opensource project for dynamic analyses of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application. |
ProbeDroid | ProbeDroid is a dynamic Java code instrumentation kit for Android application. It provides APIs for users to craft their own instrumentation tools. Thus, they can trace, profile, or change the runtime behavior of an interested application. |
Android Tamer | Android Tamer is a Virtual / Live Platform for Android security professionals. This environment allows people to work on a large array of Android security related tasks, ranging from malware analysis and penetration testing to reverse engineering. |
DECAF | DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF. |
CuckooDroid | CuckooDroid is an extension of Cuckoo Sandbox, the open source software for automating analysis of suspicious files; it brings to Cuckoo the capability to execute and analyse Android applications. |
Mem | Tool used for dumping memory from Android devices. Root access is required. |
AuditdAndroid | A Fork of Auditd geared specifically for running on the Android platform. Includes system applications, AOSP patches, and kernel patches to maximize the audit experience. |
Android Security Evaluation Framework | ASEF - Android Security Evaluation Framework: Open Source Project to perform security analysis of Android Apps by various security measures. (no longer under active development) |
Android Reverse Engineering | ARE (android reverse engineering) is a Virtual Machine for Android Reverse Engineering. |
Aurasium | Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor. |
Android Linux Kernel modules | Android Loadable Kernel Modules - mostly used for reversing and debugging on controlled systems/emulators. |
Appie | Appie (Android Pentesting Portable Integrated Environment) is a software package that has been pre-configured to function as an Android pentesting environment on any Windows-based machine without the need for a Virtual Machine (VM) or dual boot. |
StaDynA | StaDynA is a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behaviour and extend static analysis results with this information. |
Vezir Project | Linux Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis. The main purpose of Vezir is to provide an up-to-date testing environment for mobile security researchers. |
MARA | MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. |
Network Scanning, Vulnerability Assessment and Proxy tools | |
Burp suite | Burp Suite is a graphical tool for testing web application security. The tool is written in Java and developed by PortSwigger Security. Its HTTP proxy operates as a web proxy server and sits as a man-in-the-middle between the browser and destination web servers. This allows the interception, inspection and modification of the raw traffic passing in both directions. |
ZAP | The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can be used the same way as Burp Suite in order to intercept traffic from the client and change requests accordingly. |
SSLyze | SSLyze is a stand-alone Python application that looks for classic SSL misconfigurations, while providing the advanced user with the opportunity to customize the application via a simple plugin interface. |
Nmap | Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many system and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. |
OpenVAS | OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. |
Wireshark | Wireshark is the world’s foremost and widely-used network protocol analyser. It is useful to capture and analyse traffic for potential insecure protocols or plaintext data in the payload. |
Reverse Engineering | |
Smali/Baksmali | smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.). |
emacs syntax coloring for smali files | Smali/Baksmali mode for Emacs. |
vim syntax coloring for smali files | Syntax highlighting for baksmali (Dalvik disassembler) output. |
AndBug | AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes. |
Androguard | Reverse engineering, Malware and goodware analysis of Android applications. |
Apktool | A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building an APK, etc. |
Android Framework for Exploitation | AFE (Android Framework for Exploitation) is a framework for exploiting android based devices and applications. |
Android-KillPermAndSigChecks | This tool leverages Cydia Substrate to bypass signature and permission checks for IPCs. |
Android OpenDebug | This tool leverages Cydia Substrate to make all applications running on the device debuggable; once installed any application will let a debugger attach to them. |
Dare | .dex to .class converter |
Dex2Jar | dex to jar converter |
Enjarify | dex to jar converter from Google |
Dedexer | Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. |
Fino | An Android Dynamic Analysis Tool. |
Frida | Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts. |
diff-gui | GUI for Frida -Scripts. Uses flask for a web framework, jinja for templates, redis for message queue, server-side push for real time updates and some js. |
Indroid | Thread injection kit. The aim of the project is to demonstrate that a simple debugging functionality on *nix systems a.k.a ptrace() can be abused by malware to inject malicious code in remote processes. Indroid provides CreateRemoteThread() equivalent for ARM based *nix devices. |
IntentSniffer | Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). |
Introspy | Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues. |
Jad | Java decompiler |
JD-GUI | Java decompiler |
CFR | Java decompiler |
Krakatau | Java decompiler |
Procyon | Java decompiler |
FernFlower | Java decompiler |
Redexer | Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android). |
Smali viewer | GUI APK analysis software. Manual page shows full process. |
Simplify | Simplify virtually executes an app to understand its behaviour and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what specific type of obfuscation is used. |
Bytecode viewer | Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch. |
Radare2 | r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. Radare project started as a forensics tool, a scriptable commandline hexadecimal editor able to open disk files, but later support for analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, .. |
Fuzz Testing | |
IntentFuzzer | Intent Fuzzer is a tool that can be used on any device using the Google Android operating system (OS). |
Radamsa Fuzzer | Radamsa is a test case generator for robustness testing, a.k.a. a fuzzer. It is typically used to test how well a program can withstand malformed and potentially malicious inputs. |
Honggfuzz | Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (software- and hardware-based). |
Melkor | Melkor is a hybrid fuzzer (mutation-based and generation-based). It mutates the existing data in an ELF sample given to create orcs (malformed ELFs), however, it does not change values randomly (dumb fuzzing), instead, it fuzzes certain metadata with semi-valid values through the use of fuzzing rules (knowledge base). Written in C, Melkor is a very intuitive and easy-to-use fuzzer to find functional (and security) bugs in ELF parsers. |
MFFA | Media Fuzzing Framework for Android (Stagefright fuzzer). |
AndroFuzz | A simple file format fuzzer for android. Used by me to fuzz pdf readers, but should work for any file format. |
Market Crawlers | |
Google play crawler (Java) | google-play-crawler is simply for searching Android applications on Google Play, and also downloading them. |
Google play crawler (Python) | An unofficial Python API that lets you search, browse and download Android apps from Google Play (formerly Android Market). |
Google play crawler (Node) | Call Google Play APIs from Node. You might want to check out the CLI package as well. |
Aptoide downloader (Node) | Download APKs from Aptoide, a third-party marketplace. |
Appland downloader (Node) | Download APKs from Appland, a third-party marketplace. |
Miscellaneous Tools | |
smalihook | Smalihook's purpose is to provide "hook" (actually replacement) methods for things like getting the device ID or signature. |
APK-Downloader | APK-Downloader downloads APK files from Android Market to desktop. |
AXMLPrinter2 | AXMLPrinter2 converts binary XML files to human-readable XML files. |
adb autocomplete | This is a Bash completion script for the android, adb, emulator, fastboot and repo command-line tools from the Google Android SDK. |
Dalvik opcodes | A page showing all Dalvik opcodes. |
ExploitMe Android Labs | This is an open source project demonstrating Android mobile hacking. |
GoatDroid | OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. |
mitmproxy | An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers. |
dockerfile/androguard | Docker file for building androguard dependencies w/ an optional interactive shell environment. |
Android Vulnerability Test Suite | This tool is meant to show the end user the attack surface that a given device is susceptible to. In implementing these checks, we attempt to minimize or eliminate both false positives and false negatives without negatively affecting system stability. |
AppMon | AppMon is an automated framework for monitoring and tampering with system API calls of native macOS, iOS and Android apps. It is based on Frida. |
App Repackaging Detectors | |
FSquaDRA | FSquaDRA is a tool for detection of repackaged Android applications. The approach is based on the idea that repackaged applications want to maintain "look and feel" of the originals. |