ana7r/awesome-android-security

A curated list of Android Security materials and resources For Pentesters and Bug Hunters

Awesome-Android-Security

Table of Contents

• Blog
• How To's
• Papers
• Books
• Trainings
• Tools
  • Static Analysis Tools
  • Dynamic Analysis Tools
  • Online APK Analyzers
  • Online APK Decompiler
  • Forensic Analysis Tools
• Labs
• Talks
• Misc
• Bug Bounty & Writeups
• Cheat Sheet
• Checklist
• Bug Bounty Report

Blogs

• Bypass Instagram and Threads SSL pinning on Android

• Reverse Engineering Android game Coin Hunt World and its communication protocol to cheat the app

• Discovering vendor-specific vulnerabilities in Android

• Technical analysis of Alien android malware

• Lock Screen Bypass Exploit of Android Devices (CVE-2022–20006)

• Analysis of Android banking Trojan MaliBot that is based on S.O.V.A banker

• Pending Intents: A Pentester’s view

• Android security checklist: theft of arbitrary files

• Protecting Android users from 0-Day attacks

• Reversing an Android sample which uses Flutter

• Step-by-step guide to reverse an APK protected with DexGuard using Jadx

• Use cryptography in mobile apps the right way

• Android security checklist: WebView

• Common mistakes when using permissions in Android

• Two weeks of securing Samsung devices: Part 2

• Why dynamic code loading could be dangerous for your apps: a Google example

• Two weeks of securing Samsung devices: Part 1

• How to exploit insecure WebResourceResponse configurations + an example of the vulnerability in Amazon apps

• Exploiting memory corruption vulnerabilities on Android + an example of such vulnerability in PayPal apps

• Capture all android network traffic

• Reverse Engineering Clubhouse

• Escape the Chromium sandbox on Android Devices

• Android Penetration Testing: Frida

• Android: Gaining access to arbitrary* Content Providers

• Getting root on a 4G LTE mobile hotspot

• Exploiting new-era of Request forgery on mobile applications

• Deep Dive into an Obfuscation-as-a-Service for Android Malware

• Evernote: Universal-XSS, theft of all cookies from all sites, and more

• Interception of Android implicit intents

• AAPG - Android application penetration testing guide

• TikTok: three persistent arbitrary code executions and one theft of arbitrary files

• Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913

• Android: Access to app protected components

• Android: arbitrary code execution via third-party package contexts

• Android Pentesting Labs - Step by Step guide for beginners

• An Android Hacking Primer

• An Android Security tips

• OWASP Mobile Security Testing Guide

• Security Testing for Android Cross Platform Application

• Dive deep into Android Application Security

• Pentesting Android Apps Using Frida

• Mobile Security Testing Guide

• Android Applications Reversing 101

• Android Security Guidelines

• Android WebView Vulnerabilities

• OWASP Mobile Top 10

• Practical Android Phone Forensics

• Mobile Pentesting With Frida

• Zero to Hero - Mobile Application Testing - Android Platform

• Detecting Dynamic Loading in Android Applications

• Static Analysis for Android and iOS

• Dynamic Analysis for Android and iOS

• Exploring intent-based Android security vulnerabilities on Google Play (part 1/3)

• Hunting intent-based Android security vulnerabilities with Snyk Code (part 2/3)

• Mitigating and remediating intent-based Android security vulnerabilities (part 3/3)

• Strengthening Android Security: Mitigating Banking Trojan Threats

How To's

• How to analyze mobile malware: a Cabassous/FluBot Case study
• How to Bypasses Iframe Sandboxing
• How To Configuring Burp Suite With Android Nougat
• How To Bypassing Xamarin Certificate Pinning
• How To Bypassing Android Anti-Emulation
• How To Secure an Android Device
• Android Root Detection Bypass Using Objection and Frida Scripts
• Root Detection Bypass By Manual Code Manipulation.
• Magisk Systemless Root - Detection and Remediation
• How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8

Papers

• A systematic analysis of commercial Android packers
• A Large-Scale Study on the Adoption of Anti-Debugging and Anti-Tampering Protections in Android Apps
• Things You May Not Know About Android (Un)Packers
• Happer: Unpacking Android Apps via a Hardware-Assisted Approach
• AndrODet: An adaptive Android obfuscation detector
• GEOST BOTNET - the discovery story of a new Android banking trojan
• Dual-Level Android Malware Detection
• An Investigation of the Android Kernel Patch Ecosystem

Books

• SEI CERT Android Secure Coding Standard
• Android Security Internals
• Android Cookbook
• Android Hacker's Handbook
• Android Security Cookbook
• The Mobile Application Hacker's Handbook
• Android Malware and Analysis
• Android Security: Attacks and Defenses
• Learning Penetration Testing For Android Devices
• Android Hacking 2020 Edition

Trainings

• SEC575: Mobile Device Security and Ethical Hacking
• Android Reverse Engineering_pt-BR
• Learning-Android-Security
• Advanced Android Development
• Learn the art of mobile app development
• Learning Android Malware Analysis
• Android App Reverse Engineering 101
• MASPT V2
• Android Pentration Testing(Persian)

Tools

Static Analysis

• BlackDex is an Android unpack(dexdump) tool
• Deoptfuscator - Deobfuscator for Android Application
• Android Reverse Engineering WorkBench for VS Code
• Apktool:A tool for reverse engineering Android apk files
• Defeat Java packers via Frida instrumentation
• quark-engine - An Obfuscation-Neglect Android Malware Scoring System
• DeGuard:Statistical Deobfuscation for Android
• jadx - Dex to Java decompiler
• Amandroid – A Static Analysis Framework
• Androwarn – Yet Another Static Code Analyzer
• Droid Hunter – Android application vulnerability analysis and Android pentest tool
• Error Prone – Static Analysis Tool
• Findbugs – Find Bugs in Java Programs
• Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
• Flow Droid – Static Data Flow Tracker
• Smali/Baksmali – Assembler/Disassembler for the dex format
• Smali-CFGs – Smali Control Flow Graph’s
• SPARTA – Static Program Analysis for Reliable Trusted Apps
• Gradle Static Analysis Plugin
• Checkstyle – A tool for checking Java source code
• PMD – An extensible multilanguage static code analyzer
• Soot – A Java Optimization Framework
• Android Quality Starter
• QARK – Quick Android Review Kit
• Infer – A Static Analysis tool for Java, C, C++ and Objective-C
• Android Check – Static Code analysis plugin for Android Project
• FindBugs-IDEA Static byte code analysis to look for bugs in Java code
• APK Leaks – Scanning APK file for URIs, endpoints & secrets
• Trueseeing – fast, accurate and resillient vulnerabilities scanner for Android apps
• StaCoAn – crossplatform tool which aids developers, bugbounty hunters and ethical hackers
• APKScanner
• Mobile Audit – Web application for performing Static Analysis and detecting malware in Android APKs
• mariana-trench - Our security focused static analysis tool for Android and Java applications.
• semgrep-rules-android-security

Dynamic Analysis

• Mobile-Security-Framework MobSF
• Magisk v23.0 - Root & Universal Systemless Interface
• Runtime Mobile Security (RMS) - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
• House: A runtime mobile application analysis toolkit with a Web GUI
• Objection - Runtime Mobile Exploration toolkit, powered by Frida
• Droid-FF - Android File Fuzzing Framework
• Drozer
• Slicer-automate APK Recon
• Inspeckage
• PATDroid - Collection of tools and data structures for analyzing Android applications
• Radare2 - Unix-like reverse engineering framework and commandline tools
• Cutter - Free and Open Source RE Platform powered by radare2
• ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)

Online APK Analyzers

• Guardsquare AppSweep
• Oversecured
• Android Observatory APK Scan
• AndroTotal
• VirusTotal
• Scan Your APK
• AVC Undroid
• OPSWAT
• ImmuniWeb Mobile App Scanner
• Ostor Lab
• Quixxi
• TraceDroid
• Visual Threat
• App Critique
• Jotti's malware scan
• kaspersky scanner

Online APK Decompiler

• Android APK Decompiler
• Java Decompiler APk
• APK DECOMPILER APP
• DeAPK is an open-source, online APK decompiler
• apk and dex decompilation back to Java source code
• APK Decompiler Tools

Forensic Analysis

• Forensic Analysis for Mobile Apps (FAMA)
• Andriller
• Autopsy
• bandicoot
• Fridump-A universal memory dumper using Frida
• LiME - Linux Memory Extractor

Labs

• Damn-Vulnerable-Bank
• OVAA (Oversecured Vulnerable Android App)
• DIVA (Damn insecure and vulnerable App)
• OWASP Security Shepherd
• Damn Vulnerable Hybrid Mobile App (DVHMA)
• OWASP-mstg(UnCrackable Mobile Apps)
• VulnerableAndroidAppOracle
• Android InsecureBankv2
• Purposefully Insecure and Vulnerable Android Application (PIIVA)
• Sieve app(An android application which exploits through android components)
• DodoVulnerableBank(Insecure Vulnerable Android Application that helps to learn hacing and securing apps)
• Digitalbank(Android Digital Bank Vulnerable Mobile App)
• AppKnox Vulnerable Application
• Vulnerable Android Application
• Android Security Labs
• Android-security Sandbox
• VulnDroid(CTF Style Vulnerable Android App)
• FridaLab
• Santoku Linux - Mobile Security VM
• AndroL4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis

Talks

• One Step Ahead of Cheaters -- Instrumenting Android Emulators
• Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
• Rock appround the clock: Tracking malware developers by Android
• Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre
• Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
• Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
• Hide Android Applications in Images
• Scary Code in the Heart of Android
• Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
• Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
• Android FakeID Vulnerability Walkthrough
• Unleashing D* on Android Kernel Drivers
• The Smarts Behind Hacking Dumb Devices
• Overview of common Android app vulnerabilities
• Advanced Android Bug Bounty skills
• Android security architecture
• Get the Ultimate Privilege of Android Phone
• Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps
• Bad Binder: Finding an Android In The Wild 0day
• Deep dive into ART(Android Runtime) for dynamic binary analysis

Misc

• Android Malware Adventures
• Android-Reports-and-Resources
• Hands On Mobile API Security
• Android Penetration Testing Courses
• Lesser-known Tools for Android Application PenTesting
• android-device-check - a set of scripts to check Android device security configuration
• apk-mitm - a CLI application that prepares Android APK files for HTTPS inspection
• Andriller - is software utility with a collection of forensic tools for smartphones
• Dexofuzzy: Android malware similarity clustering method using opcode sequence-Paper
• Chasing the Joker
• Side Channel Attacks in 4G and 5G Cellular Networks-Slides
• Shodan.io-mobile-app for Android
• Popular Android Malware 2019
• Popular Android Malware 2020
• Popular Android Malware 2021
• Popular Android Malware 2022

Bug Bounty & Writeups

• Hacker101 CTF: Android Challenge Writeups

• Arbitrary code execution on Facebook for Android through download feature

• RCE via Samsung Galaxy Store App

Cheat Sheet

• Mobile Application Penetration Testing Cheat Sheet
• ADB (Android Debug Bridge) Cheat Sheet
• Frida Cheatsheet and Code Snippets for Android

Checklists

• Android Pentesting Checklist
• OWASP Mobile Security Testing Guide (MSTG)
• OWASP Mobile Application Security Verification Standard (MASVS)

Bug Bounty Reports

• List of Android Hackerone disclosed reports
• How to report security issues