Categories: Android

75 Best Android Penetration Testing Tools – 2023

Android penetration testing tools are more often used by security industries to test the vulnerabilities in Android applications.

Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.

Android is the biggest organized base of any mobile platform and developing fast—every day.

Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.

Online Analyzers

Following are the online analyzers used to pentest the Android applications.

ApprayDynamic Analysis Tools for Android and iOS Applications
NowsecureComplete Mobile Security Testing tool for Android & iOS Tools
AppKnoxEfficient Security Testing Tools for Mobile Apps

Static Analysis Tools

AndrowarnDetects and warn the user about potential malicious behaviors developed by an Android application
ApkAnalyserVirtual Analysis Tools for Android Applications
APKInspectorGUI-based Security Analysis
DroidLegacyextracts actionable data like C&C, phone number, etc.
FlowDroidStatic Analysis Tool
Android DecompilerProfessional Reverse Engineering Toolkit
PSCoutA tool that extracts the permission specification from the Android OS source code using static analysis
Androidstatic analysis framework
SmaliSCASmali Static Code Analysis
CFGScanDroidScans and compares CFG against CFG of malicious applications
Madrolyzerextracts actionable data like C&C, phone number etc.
SPARTAverifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroidPerforms a combination of symbolic + concrete execution of the app
DroidRAVirtual Analysis
RiskInDroidA tool for calculating the risk of Android apps based on their permissions, with an online demo available.
SUPERSecure, Unified, Powerful, and Extensible Rust Android Analyzer
ClassySharkStandalone binary inspection tool which can browse any Android executable and show important info.

Mobile App Vulnerability Scanner Tools

QARKQARK by LinkedIn is for app developers to scan app for security issues
AndroBugsAndroid vulnerability analysis system
NogotofailNetwork security testing tool
DevknoxAutocorrect Android Security issues as if it was spell check from your IDE
JAADASJoint intraprocedural and inter-procedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala

Dynamic Analysis Tools

Androl4bA Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit(Linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSFAppie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on a USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
AppUsecustom build for pentesting
Cobradroidcustom image for malware analysis
Xposedequivalent of doing Stub based code injection but without any modifications to the binary
InspeckageAndroid Package Inspector – dynamic analysis with API hooks, start unexported activities, and more. (Xposed Module)
Android HookerDynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid Dynamic Java code instrumentation
Android Tamer Virtual / Live Platform for Android Security Professionals
DECAF  Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid Android extension for Cuckoo sandbox
Mem Memory analysis of Android Security (root required)
AuditdAndroid Android port of auditd, not under active development anymore
AurasiumPractical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Appie Mobile Application Reverse Engineering and Analysis Framework
StaDynA A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
Vezir Project Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA Mobile Application Reverse engineering and Analysis Framework
Taintdroid Requires AOSP compilation

Reverse Engineering

Smali/Baksmali apk decompilation
Androguard powerful, integrates well with other tools
Apktool  really useful for compilation/decompilation (uses smali)
Android OpenDebug make any application on device debuggable (using cydia substrate)
Dare .dex to .class converter
Dex2Jar dex to jar converter
Enjarify dex to jar converter from Google
Frida Inject javascript to explore applications and a GUI tool for it
Indroid thread injection kit
Jad  Java decompiler
JD-GUIJava decompiler
CFRJava decompiler
krakatauJava decompiler
ProcyonJava decompiler
FernFlowerJava decompiler
Redexerapk manipulation

Fuzz Testing

IntentFuzzer
Radamsa Fuzzer
Honggfuzz
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz

App Repackaging Detectors

FSquaDRAAndroid Security tool for detection of repackaged Android applications based on app resources hash comparison.

Market Crawlers

Google play crawler (Java) searching android applications on GooglePlay,
Google play crawler (Python) browse and download Android apps from Google Play
Google play crawler (Node) get app details and download apps from official Google Play Store
Aptoide downloader (Node) download apps from Aptoide third-party Android market
Appland downloader (Node)download apps from Appland third-party Android market

Misc Tools

smalihookDecompiler
APK-DownloaderDownloader
AXMLPrinter2to convert binary XML files to human-readable XML files
adb autocompleteRepo Downloader
Dalvik opcodesRegistry
Opcodes table for quick referenceRegistry
ExploitMe Android Labsfor practice
GoatDroid for practice
mitmproxyintercepting proxy
dockerfile/androguardshell environment
Android Vulnerability Test Suite android-vts scans a device for set of vulnerabilities
AppMon-AppMon is an automated framework for monitoring and tampering with system API calls of native macOS, iOS, and Android apps. It is based on Frida.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

View Comments

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

10 hours ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

1 day ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

1 day ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

1 day ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

1 day ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

1 day ago