BluegrassSocialist/awesome-mobile-security

An effort to build a single place for all useful android and iOS security related stuff. All references and tools are belong to their respective owners. I'm just maintaining it.

awesome-mobile-security

Maintained by @vaib25vicky with contributions from the security and developer communities.

Android

General

• An Android Hacking Primer
• Secure an Android Device
• Security tips
• OWASP Mobile Security Testing Guide
• Security Testing for Android Cross Platform Application
• Dive deep into Android Application Security
• Pentesting Android Apps Using Frida
• Mobile Security Testing Guide
• Mobile Application Penetration Testing Cheat Sheet
• Android Applications Reversing 101
• Android Security Guidelines
• Android WebView Vulnerabilities
• OWASP Mobile Top 10

Books

• SEI CERT Android Secure Coding Standard
• Android Security Internals
• Android Cookbook
• Android Hacker's Handbook
• Android Security Cookbook
• The Mobile Application Hacker's Handbook
• Android Malware and Analysis
• Android Security: Attacks and Defenses

Courses

• Learning-Android-Security
• Mobile Application Security and Penetration Testing
• Advanced Android Development
• Learn the art of mobile app development

Tools

Static Analysis

• Amandroid – A Static Analysis Framework
• Androwarn – Yet Another Static Code Analyzer
• APK Analyzer – Static and Virtual Analysis Tool
• APK Inspector – A Powerful GUI Tool
• Droid Hunter – Android application vulnerability analysis and Android pentest tool
• Error Prone – Static Analysis Tool
• Findbugs – Find Bugs in Java Programs
• Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
• Flow Droid – Static Data Flow Tracker
• Smali/Baksmali – Assembler/Disassembler for the dex format
• Smali-CFGs – Smali Control Flow Graph’s
• SPARTA – Static Program Analysis for Reliable Trusted Apps
• Thresher – To check heap reachability properties
• Vector Attack Scanner – To search vulnerable points to attack
• Gradle Static Analysis Plugin
• Checkstyle – A tool for checking Java source code
• PMD – An extensible multilanguage static code analyzer
• Soot – A Java Optimization Framework
• Android Quality Starter
• QARK – Quick Android Review Kit
• Infer – A Static Analysis tool for Java, C, C++ and Objective-C
• Android Check – Static Code analysis plugin for Android Project
• FindBugs-IDEA Static byte code analysis to look for bugs in Java code

Dynamic Analysis

• Android Hooker - Opensource project for dynamic analyses of Android applications
• AppAudit - Online tool ( including an API) uses dynamic and static analysis
• AppAudit - A bare-metal analysis tool on Android devices
• CuckooDroid - Extension of Cuckoo Sandbox the Open Source software
• DroidBox - Dynamic analysis of Android applications
• Droid-FF - Android File Fuzzing Framework
• Drozer
• Marvin - Analyzes Android applications and allows tracking of an app
• Inspeckage
• PATDroid - Collection of tools and data structures for analyzing Android applications
• AndroL4b - Android security virtual machine based on ubuntu-mate
• Radare2 - Unix-like reverse engineering framework and commandline tools
• yteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
• Mobile-Security-Framework MobSF
• CobraDroid - Custom build of the Android operating system geared specifically for application security

Android Online APK Analyzers

• Android Observatory APK Scan
• Android APK Decompiler
• AndroTotal
• NVISO ApkScan
• VirusTotal
• Scan Your APK
• AVC Undroid
• OPSWAT
• ImmuniWeb Mobile App Scanner
• Ostor Lab
• Quixxi
• TraceDroid
• Visual Threat
• App Critique

Labs

• DIVA (Damn insecure and vulnerable App)
• SecurityShepherd
• Damn Vulnerable Hybrid Mobile App (DVHMA)
• OWASP-mstg
• VulnerableAndroidAppOracle
• Android InsecureBankv2
• Purposefully Insecure and Vulnerable Android Application (PIIVA)
• Sieve app
• DodoVulnerableBank
• Digitalbank
• OWASP GoatDroid
• AppKnox Vulnerable Application
• Vulnerable Android Application
• MoshZuk
• Hackme Bank
• Android Security Labs
• Android-InsecureBankv2
• Android-security

Talks

• One Step Ahead of Cheaters -- Instrumenting Android Emulators
• Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
• Rock appround the clock: Tracking malware developers by Android
• Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre
• Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
• Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
• Hide Android Applications in Images
• Scary Code in the Heart of Android
• Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
• Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
• Android FakeID Vulnerability Walkthrough
• Unleashing D* on Android Kernel Drivers
• The Smarts Behind Hacking Dumb Devices
• Overview of common Android app vulnerabilities
• Android Dev Summit 2019
• Android security architecture

Misc.

• Android-Reports-and-Resources
• android-security-awesome
• Android Penetration Testing Courses

iOS

General

• iOS Security
• Basic iOS Apps Security Testing lab
• IOS Application security – Setting up a mobile pentesting platform
• Collection of the most common vulnerabilities found in iOS applications
• IOS_Application_Security_Testing_Cheat_Sheet
• OWASP iOS Basic Security Testing
• Dynamic analysis of iOS apps w/o Jailbreak

Books

• Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It
• iOS Penetration Testing
• iOS App Security, Penetration Testing, and Development
• IOS Hacker's Handbook
• iOS Hacker′s Handbook
• Hacking iOS Applications a detailed testing guide
• Develop iOS Apps (Swift)
• iOS Programming Cookbook

Courses

• Pentesting iOS Applications
• Reverse Engineering iOS Applications
• App Design and Development for iOS

Tools

• Cydia Impactor
• idb - iOS App Security Assessment Tool
• Frida
• Objection - mobile exploration toolkit by Frida
• Bfinject
• iFunbox
• Libimobiledevice - library to communicate with the services of the Apple ios devices
• iRET (iOS Reverse Engineering Toolkit) - includes oTool, dumpDecrypted, SQLite, Theos, Keychain_dumper, Plutil
• Myriam iOS
• iWep Pro - wireless suite of useful applications used to turn your iOS device into a wireless network diagnostic tool
• Burp Suite
• Cycript
• needle - The iOS Security Testing Framework

Labs

• OWASP iGoat
• Damn Vulnerable iOS App (DVIA) v2
• Damn Vulnerable iOS App (DVIA) v1
• iPhoneLabs
• iOS-Attack-Defense

Talks

• Behind the Scenes of iOS Security
• Modern iOS Application Security
• Demystifying the Secure Enclave Processor
• HackPac Hacking Pointer Authentication in iOS User Space
• Analyzing and Attacking Apple Kernel Drivers
• Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox
• Reverse Engineering iOS Mobile Apps
• iOS 10 Kernel Heap Revisited

Misc.

• Most usable tools for iOS penetration testing
• iOS-Security-Guides
• osx-security-awesome - OSX and iOS related security tools