Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.
Android is the biggest organized base of any mobile platform and developing fast—every day.
Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.
Online Analyzers
Following are the online analyzers used to pentest the Android applications.
Appray
Dynamic Analysis Tools for Android and iOS Applications
Nowsecure
Complete Mobile Security Testing tool for Android & iOS Tools
AppKnox
Efficient Security Testing Tools for Mobile Apps
Static Analysis Tools
Androwarn
Detects and warn the user about potential malicious behaviors developed by an Android application
ApkAnalyser
Virtual Analysis Tools for Android Applications
APKInspector
GUI-based Security Analysis
DroidLegacy
extracts actionable data like C&C, phone number, etc.
FlowDroid
Static Analysis Tool
Android Decompiler
Professional Reverse Engineering Toolkit
PSCout
A tool that extracts the permission specification from the Android OS source code using static analysis
Android
static analysis framework
SmaliSCA
Smali Static Code Analysis
CFGScanDroid
Scans and compares CFG against CFG of malicious applications
Madrolyzer
extracts actionable data like C&C, phone number etc.
SPARTA
verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid
Performs a combination of symbolic + concrete execution of the app
DroidRA
Virtual Analysis
RiskInDroid
A tool for calculating the risk of Android apps based on their permissions, with an online demo available.
SUPER
Secure, Unified, Powerful, and Extensible Rust Android Analyzer
ClassyShark
Standalone binary inspection tool which can browse any Android executable and show important info.
Mobile App Vulnerability ScannerTools
QARK
QARK by LinkedIn is for app developers to scan app for security issues
AndroBugs
Android vulnerability analysis system
Nogotofail
Network security testing tool
Devknox
Autocorrect Android Security issues as if it was spell check from your IDE
JAADAS
Joint intraprocedural and inter-procedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala
Dynamic Analysis Tools
Androl4b
A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit
(Linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSF
Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on a USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
AppUse
custom build for pentesting
Cobradroid
custom image for malware analysis
Xposed
equivalent of doing Stub based code injection but without any modifications to the binary
Inspeckage
Android Package Inspector – dynamic analysis with API hooks, start unexported activities, and more. (Xposed Module)
Android Hooker
Dynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroidÂ
Dynamic Java code instrumentation
Android TamerÂ
Virtual / Live Platform for Android Security Professionals
DECAFÂ
Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroidÂ
Android extension for Cuckoo sandbox
MemÂ
Memory analysis of Android Security (root required)
AuditdAndroidÂ
Android port of auditd, not under active development anymore
Aurasium
Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
AppieÂ
Mobile Application Reverse Engineering and Analysis Framework
StaDynAÂ
A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
Vezir ProjectÂ
Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARAÂ
Mobile Application Reverse engineering and Analysis Framework
TaintdroidÂ
Requires AOSP compilation
Reverse Engineering
Smali/BaksmaliÂ
apk decompilation
AndroguardÂ
powerful, integrates well with other tools
ApktoolÂ
really useful for compilation/decompilation (uses smali)
Android OpenDebug
make any application on device debuggable (using cydia substrate)
DareÂ
.dex to .class converter
Dex2JarÂ
dex to jar converter
EnjarifyÂ
dex to jar converter from Google
FridaÂ
Inject javascript to explore applications and a GUI tool for it
Indroid
thread injection kit
JadÂ
Java decompiler
JD-GUI
Java decompiler
CFR
Java decompiler
krakatau
Java decompiler
Procyon
Java decompiler
FernFlower
Java decompiler
Redexer
apk manipulation
Fuzz Testing
IntentFuzzer
Radamsa Fuzzer
Honggfuzz
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz
App Repackaging Detectors
FSquaDRA
Android Security tool for detection of repackaged Android applications based on app resources hash comparison.
Market Crawlers
Google play crawler (Java)
searching android applications on GooglePlay,
Google play crawler (Python)
browse and download Android apps from Google Play
Google play crawler (Node)Â
get app details and download apps from official Google Play Store
Aptoide downloader (Node)Â
download apps from Aptoide third-party Android market
Appland downloader (Node)
download apps from Appland third-party Android market
Misc Tools
smalihook
Decompiler
APK-Downloader
Downloader
AXMLPrinter2
to convert binary XML files to human-readable XML files
adb autocomplete
Repo Downloader
Dalvik opcodes
Registry
Opcodes table for quick reference
Registry
ExploitMe Android Labs
for practice
GoatDroidÂ
for practice
mitmproxy
intercepting proxy
dockerfile/androguard
shell environment
Android Vulnerability Test SuiteÂ
android-vts scans a device for set of vulnerabilities
AppMon-
AppMon is an automated framework for monitoring and tampering with system API calls of native macOS, iOS, and Android apps. It is based on Frida.
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
Mitigating Vulnerability Types & 0-day Threats
Mitigating Vulnerability & 0-day Threats
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.
The problem of vulnerability fatigue today
Difference between CVSS-specific vulnerability vs risk-based vulnerability
Evaluating vulnerabilities based on the business impact/risk
Automation to reduce alert fatigue and enhance security posture significantly