awesome-mobile-security
Maintained by @vaib25vicky with contributions from the security and developer communities.
Android
General
- An Android Hacking Primer
- Secure an Android Device
- Security tips
- OWASP Mobile Security Testing Guide
- Security Testing for Android Cross Platform Application
- Dive deep into Android Application Security
- Pentesting Android Apps Using Frida
- Mobile Security Testing Guide
- Mobile Application Penetration Testing Cheat Sheet
- Android Applications Reversing 101
- Android Security Guidelines
- Android WebView Vulnerabilities
- OWASP Mobile Top 10
Books
- SEI CERT Android Secure Coding Standard
- Android Security Internals
- Android Cookbook
- Android Hacker's Handbook
- Android Security Cookbook
- The Mobile Application Hacker's Handbook
- Android Malware and Analysis
- Android Security: Attacks and Defenses
Courses
- Learning-Android-Security
- Mobile Application Security and Penetration Testing
- Advanced Android Development
- Learn the art of mobile app development
Tools
Static Analysis
- Amandroid – A Static Analysis Framework
- Androwarn – Yet Another Static Code Analyzer
- APK Analyzer – Static and Virtual Analysis Tool
- APK Inspector – A Powerful GUI Tool
- Droid Hunter – Android application vulnerability analysis and Android pentest tool
- Error Prone – Static Analysis Tool
- Findbugs – Find Bugs in Java Programs
- Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
- Flow Droid – Static Data Flow Tracker
- Smali/Baksmali – Assembler/Disassembler for the dex format
- Smali-CFGs – Smali Control Flow Graph’s
- SPARTA – Static Program Analysis for Reliable Trusted Apps
- Thresher – To check heap reachability properties
- Vector Attack Scanner – To search vulnerable points to attack
- Gradle Static Analysis Plugin
- Checkstyle – A tool for checking Java source code
- PMD – An extensible multilanguage static code analyzer
- Soot – A Java Optimization Framework
- Android Quality Starter
- QARK – Quick Android Review Kit
- Infer – A Static Analysis tool for Java, C, C++ and Objective-C
- Android Check – Static Code analysis plugin for Android Project
- FindBugs-IDEA Static byte code analysis to look for bugs in Java code
Dynamic Analysis
- Android Hooker - Opensource project for dynamic analyses of Android applications
- AppAudit - Online tool ( including an API) uses dynamic and static analysis
- AppAudit - A bare-metal analysis tool on Android devices
- CuckooDroid - Extension of Cuckoo Sandbox the Open Source software
- DroidBox - Dynamic analysis of Android applications
- Droid-FF - Android File Fuzzing Framework
- Drozer
- Marvin - Analyzes Android applications and allows tracking of an app
- Inspeckage
- PATDroid - Collection of tools and data structures for analyzing Android applications
- AndroL4b - Android security virtual machine based on ubuntu-mate
- Radare2 - Unix-like reverse engineering framework and commandline tools
- yteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
- Mobile-Security-Framework MobSF
- CobraDroid - Custom build of the Android operating system geared specifically for application security
Android Online APK Analyzers
- Android Observatory APK Scan
- Android APK Decompiler
- AndroTotal
- NVISO ApkScan
- VirusTotal
- Scan Your APK
- AVC Undroid
- OPSWAT
- ImmuniWeb Mobile App Scanner
- Ostor Lab
- Quixxi
- TraceDroid
- Visual Threat
- App Critique
Labs
- DIVA (Damn insecure and vulnerable App)
- SecurityShepherd
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- OWASP-mstg
- VulnerableAndroidAppOracle
- Android InsecureBankv2
- Purposefully Insecure and Vulnerable Android Application (PIIVA)
- Sieve app
- DodoVulnerableBank
- Digitalbank
- OWASP GoatDroid
- AppKnox Vulnerable Application
- Vulnerable Android Application
- MoshZuk
- Hackme Bank
- Android Security Labs
- Android-InsecureBankv2
- Android-security
Talks
- One Step Ahead of Cheaters -- Instrumenting Android Emulators
- Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
- Rock appround the clock: Tracking malware developers by Android
- Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre
- Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
- Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
- Hide Android Applications in Images
- Scary Code in the Heart of Android
- Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
- Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
- Android FakeID Vulnerability Walkthrough
- Unleashing D* on Android Kernel Drivers
- The Smarts Behind Hacking Dumb Devices
- Overview of common Android app vulnerabilities
- Android Dev Summit 2019
- Android security architecture
Misc.
iOS
General
- iOS Security
- Basic iOS Apps Security Testing lab
- IOS Application security – Setting up a mobile pentesting platform
- Collection of the most common vulnerabilities found in iOS applications
- IOS_Application_Security_Testing_Cheat_Sheet
- OWASP iOS Basic Security Testing
- Dynamic analysis of iOS apps w/o Jailbreak
Books
- Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It
- iOS Penetration Testing
- iOS App Security, Penetration Testing, and Development
- IOS Hacker's Handbook
- iOS Hacker′s Handbook
- Hacking iOS Applications a detailed testing guide
- Develop iOS Apps (Swift)
- iOS Programming Cookbook
Courses
Tools
- Cydia Impactor
- idb - iOS App Security Assessment Tool
- Frida
- Objection - mobile exploration toolkit by Frida
- Bfinject
- iFunbox
- Libimobiledevice - library to communicate with the services of the Apple ios devices
- iRET (iOS Reverse Engineering Toolkit) - includes oTool, dumpDecrypted, SQLite, Theos, Keychain_dumper, Plutil
- Myriam iOS
- iWep Pro - wireless suite of useful applications used to turn your iOS device into a wireless network diagnostic tool
- Burp Suite
- Cycript
- needle - The iOS Security Testing Framework
Labs
- OWASP iGoat
- Damn Vulnerable iOS App (DVIA) v2
- Damn Vulnerable iOS App (DVIA) v1
- iPhoneLabs
- iOS-Attack-Defense
Talks
- Behind the Scenes of iOS Security
- Modern iOS Application Security
- Demystifying the Secure Enclave Processor
- HackPac Hacking Pointer Authentication in iOS User Space
- Analyzing and Attacking Apple Kernel Drivers
- Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
- Reverse Engineering iOS Mobile Apps
- iOS 10 Kernel Heap Revisited