Saturday, June 15, 2024

75 Best Android Penetration Testing Tools – 2023

Android penetration testing tools are more often used by security industries to test the vulnerabilities in Android applications.

Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.

Android is the biggest organized base of any mobile platform and developing fast—every day.

Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.

Online Analyzers

Following are the online analyzers used to pentest the Android applications.

ApprayDynamic Analysis Tools for Android and iOS Applications
NowsecureComplete Mobile Security Testing tool for Android & iOS Tools
AppKnoxEfficient Security Testing Tools for Mobile Apps

Static Analysis Tools

AndrowarnDetects and warn the user about potential malicious behaviors developed by an Android application
ApkAnalyserVirtual Analysis Tools for Android Applications
APKInspectorGUI-based Security Analysis
DroidLegacyextracts actionable data like C&C, phone number, etc.
FlowDroidStatic Analysis Tool
Android DecompilerProfessional Reverse Engineering Toolkit
PSCoutA tool that extracts the permission specification from the Android OS source code using static analysis
Androidstatic analysis framework
SmaliSCASmali Static Code Analysis
CFGScanDroidScans and compares CFG against CFG of malicious applications
Madrolyzerextracts actionable data like C&C, phone number etc.
SPARTAverifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroidPerforms a combination of symbolic + concrete execution of the app
DroidRAVirtual Analysis
RiskInDroidA tool for calculating the risk of Android apps based on their permissions, with an online demo available.
SUPERSecure, Unified, Powerful, and Extensible Rust Android Analyzer
ClassySharkStandalone binary inspection tool which can browse any Android executable and show important info.

Mobile App Vulnerability Scanner Tools

QARKQARK by LinkedIn is for app developers to scan app for security issues
AndroBugsAndroid vulnerability analysis system
NogotofailNetwork security testing tool
DevknoxAutocorrect Android Security issues as if it was spell check from your IDE
JAADASJoint intraprocedural and inter-procedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala

Dynamic Analysis Tools

Androl4bA Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit(Linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSFAppie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on a USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
AppUsecustom build for pentesting
Cobradroidcustom image for malware analysis
Xposedequivalent of doing Stub based code injection but without any modifications to the binary
InspeckageAndroid Package Inspector – dynamic analysis with API hooks, start unexported activities, and more. (Xposed Module)
Android HookerDynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid Dynamic Java code instrumentation
Android Tamer Virtual / Live Platform for Android Security Professionals
DECAF Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid Android extension for Cuckoo sandbox
Mem Memory analysis of Android Security (root required)
AuditdAndroid Android port of auditd, not under active development anymore
AurasiumPractical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Appie Mobile Application Reverse Engineering and Analysis Framework
StaDynA A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
Vezir Project Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA Mobile Application Reverse engineering and Analysis Framework
Taintdroid Requires AOSP compilation

Reverse Engineering

Smali/Baksmali apk decompilation
Androguard powerful, integrates well with other tools
Apktool really useful for compilation/decompilation (uses smali)
Android OpenDebugmake any application on device debuggable (using cydia substrate)
Dare .dex to .class converter
Dex2Jar dex to jar converter
Enjarify dex to jar converter from Google
Frida Inject javascript to explore applications and a GUI tool for it
Indroidthread injection kit
Jad Java decompiler
JD-GUIJava decompiler
CFRJava decompiler
krakatauJava decompiler
ProcyonJava decompiler
FernFlowerJava decompiler
Redexerapk manipulation

Fuzz Testing

IntentFuzzer
Radamsa Fuzzer
Honggfuzz
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz

App Repackaging Detectors

FSquaDRAAndroid Security tool for detection of repackaged Android applications based on app resources hash comparison.

Market Crawlers

Google play crawler (Java) searching android applications on GooglePlay,
Google play crawler (Python) browse and download Android apps from Google Play
Google play crawler (Node) get app details and download apps from official Google Play Store
Aptoide downloader (Node) download apps from Aptoide third-party Android market
Appland downloader (Node)download apps from Appland third-party Android market

Misc Tools

smalihookDecompiler
APK-DownloaderDownloader
AXMLPrinter2to convert binary XML files to human-readable XML files
adb autocompleteRepo Downloader
Dalvik opcodesRegistry
Opcodes table for quick referenceRegistry
ExploitMe Android Labsfor practice
GoatDroid for practice
mitmproxyintercepting proxy 
dockerfile/androguardshell environment
Android Vulnerability Test Suite android-vts scans a device for set of vulnerabilities
AppMon-AppMon is an automated framework for monitoring and tampering with system API calls of native macOS, iOS, and Android apps. It is based on Frida.

Website

Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles