Awesome-Android-Reverse-Engineering

A curated list of awesome Android Reverse Engineering training, resources, and tools.




How to Use

Awesome-Android-Reverse-Engineering is a list for people who take apart Android applications, systems, or components. Press Ctrl + F to search for a keyword, go through the Contents menu, or look out for a '☆', which marks particularly good and up-to-date resources.

Contents

Training

Courses and Material

Videos

Books

  • ☆ Android Internals: A Confectioner's Cookbook - An in-depth exploration of the inner workings of Android: in Volume I, we take the perspective of the Power User as we delve into the foundations of Android, filesystems, partitions, boot process, native daemons and services.
  • Blue Fox: Arm Assembly Internals and Reverse Engineering - Provides readers with a solid foundation in Arm assembly internals and reverse-engineering fundamentals as the basis for analysing and securing billions of Arm devices.
  • Android Software Internals Quick Reference - This book focuses on easily digestible, useful, and interesting techniques in Java and the Android system. Including: encryption and obfuscation, debugging, and APK extraction.
  • ☆ Mobile Offensive Security Pocket Guide - Focusing on Android and iOS operating systems, the book contains a series of succinct chapters that highlight key information, approaches, and tooling used by mobile penetration testers and offensive security practitioners.
  • Android Security Internals - Describing Android security architecture from the bottom up, delving into the implementation of major security-related components and subsystems, like Binder IPC, permissions, cryptographic providers, and device administration.
  • Android Malware Detection with Machine Learning - Examine the machine-learning techniques used to detect malicious apps, the types of classification models that defenders can use, and the various features of malware specimens that can become input to these models.

Tools

Static Analysis Tools

  • QARK - An open-source tool developed by LinkedIn for automatic Android app vulnerability scanning, including identifying potential security issues such as SQL injection, insecure data storage, and more.
  • Quark Engine - Quark Script aims to give mobile security researchers an innovative way to analyze or pentest targets. Built on Quark, it integrates other tools as Quark Script APIs and lets them exchange intelligence with each other.
  • MobSF - An open-source mobile app security testing framework that supports static and dynamic analysis of Android apps for vulnerabilities and privacy issues.
  • AndroBugs Framework - An open-source framework for analysing and scanning Android apps for security issues, including static and dynamic analysis capabilities.
  • ☆ imjtool - Firmware unpacking tool applicable to the widest variety of vendors and formats.
  • Android Studio - Useful if you don’t have a JEB licence and want to open an app decompiled with JADX in a proper IDE.
  • ☆ APK Dependency Graph - An APK class dependency visualizer. Useful for attack surface mapping.
  • disarm - A simple command-line utility that takes a 32-bit hexadecimal number as an argument, parses it as an ARM-64 instruction, and prints the disassembly.
  • COVA - COVA is a static analysis tool to compute path constraints based on user-defined APIs.
  • DIS{integrity} - A tool for analysing Android APKs and extracting root, integrity, and tamper detection checks.

De-Obfuscation

  • ☆ Obfu[DE]scate - Obfu[DE]scate is a de-obfuscation tool for Android APKs that uses fuzzy comparison logic to identify similarities between functions, even if they have been renamed as part of obfuscation. It compares two versions of an APK and generates a mapping text file and an interactive HTML file as outputs!
  • TinySmaliEmulator - A minimalist smali emulator that could be used to "decrypt" obfuscated strings.
  • simplify - Android virtual machine and deobfuscator.
  • deoptfuscator - Deoptfuscator is a tool for deobfuscating Android applications that have been transformed using control-flow obfuscation mechanisms.

Dynamic Analysis Tools

  • Drozer - An open-source framework for Android security testing that provides a comprehensive set of tools for dynamic analysis, including intercepting, modifying, and analysing app traffic.
  • jtrace - An strace equivalent for Android, for tracing system-level calls including Binder.
  • sesearch - Command-line tool to query SELinux policies.
  • AutoDroid - Tool for mass gathering APKs from one or more devices, decompiling, filtering on strings, etc.

Networking

  • ☆ Burp Suite - A popular commercial web security testing tool that can be used for analysing network traffic of Android apps for potential security vulnerabilities.
  • Wireshark - A widely used open-source network protocol analyzer that can capture, analyse, and dissect network traffic generated by Android apps for security analysis.
  • SSLsplit - An open-source tool for intercepting and manipulating SSL/TLS encrypted traffic, which can be used for analysing SSL/TLS communication in Android apps.
  • MITMProxy - An open-source man-in-the-middle proxy that allows for intercepting and analysing network traffic generated by Android apps for security testing and analysis.
  • apk-mitm - A CLI application that automatically prepares Android APK files for HTTPS inspection.

Dynamic Instrumentation

  • ☆ Frida - A dynamic instrumentation toolkit for Android apps that allows for runtime manipulation and analysis of app behaviour.
  • Xposed Framework - A powerful framework for hooking and modifying the behaviour of Android apps at runtime, commonly used for reverse engineering and analysis.
  • ☆ Objection - A runtime mobile exploration tool for Android that provides various features for analysing, manipulating, and bypassing app security controls.
  • RMS Runtime Mobile Security - Frida web interface.
  • ☆ FriDump - A Python script that utilises Frida to dump the memory of a running gadget, such as an app activity.
  • jnitrace - A Frida based tool to trace use of the JNI API in Android apps.
  • ☆ Binder Trace - Binder Trace is a tool for intercepting and parsing Android Binder messages. Think of it as "Wireshark for Binder".

Decompilers

  • ☆ JADX - An open-source tool for decompiling and analysing Android APK files into Java source code for reverse engineering and analysis.
  • Procyon - Procyon is a suite of Java metaprogramming tools, including a rich reflection API, a LINQ-inspired expression tree API for runtime code generation, and a Java decompiler.
  • Cfr - An open-source Java decompiler that supports decompilation of Android APK files into Java source code, including support for newer Java language features.
  • FernFlower - Fernflower is the first actually working analytical decompiler for Java and probably for a high-level programming language in general.
  • ☆ Apktool - A popular open-source tool for decompiling and recompiling Android APK files.
  • DEX2JAR - A tool for converting Android DEX files to JAR files, which can be further analysed using Java decompilers.
  • JDGui - JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files.
  • IDA Pro - A powerful commercial disassembler and debugger for analysing Android native code.
  • ☆ Ghidra - A free and open-source software reverse engineering (SRE) framework developed by the National Security Agency (NSA) that supports Android analysis.
  • JEB Decompiler - A commercial decompiler for Android apps that can decompile APK files into Java source code for analysis.
  • Radare2 - A free and open-source reverse engineering framework that supports Android analysis, including disassembly, debugging, and binary analysis.
  • Androguard - An open-source tool for analysing and reverse engineering Android apps, including decompiling APK files, analysing Dalvik bytecode, and more.
  • apk2gold - CLI tool for decompiling Android apps to Java. Handles both resources and Java (this repo is 9 years old, and so may not work with newer Android versions).
  • AndroidProjectCreator - Convert an APK to an Android Studio Project using multiple open-source decompilers.
  • APK Studio - Open-source, cross platform Qt based IDE for reverse-engineering Android application packages.
  • show-java - An APK (Android application), JAR and DEX decompiler for Android.
  • ☆ APKLab - APKLab seamlessly integrates Quark-Engine, Apktool, Jadx, uber-apk-signer, apk-mitm and more to VS Code.

Malware Analysis

  • DroidDetective - A machine learning malware analysis framework for Android apps.
  • CuckooDroid - Automated Android malware analysis with Cuckoo Sandbox.
  • androwarn - A static code analyzer for malicious Android applications.

Resources

Documentation

  • Android Security Documentation - Official documentation from Google on Android security, including topics related to reverse engineering.
  • Android Reverse Engineering Challenges - A curated list of Android reverse engineering challenges and CTFs (Capture The Flag) for practice.
  • AndroidXref - Open code search for Android source.
  • APKMirror - Repository of Android APKs from sources such as the Play Store and user uploads.
  • APKPure - Repository of Android APKs from sources such as the Play Store and user uploads.

Case Studies

CTFs and CrackMes

  • ☆ UnCrackable Mobile Apps - A set of OWASP Android app crackmes. These challenges are used as examples throughout the OWASP MASTG. Of course, you can also solve them for fun.
  • CyberTruckChallenge19 - Android security workshop material taught during the CyberTruck Challenge 2019 (Detroit USA).
  • KGB Messenger - KGB Messenger is an open source CTF practice challenge that aims to help people learn how to reverse engineer Android applications.

Misc

  • LADB - A local ADB shell for Android!
  • Broken Droid Factory - BDF is a Python tool designed to spin up pseudo-random vulnerable Android applications for training in vulnerability research, ethical hacking, and pen testing on Android apps.
  • uber-apk-signer - A CLI tool that helps sign and zip-align single or multiple Android application packages (APKs) with either debug or provided release certificates. It supports the v1, v2 and v3 Android signing schemes, has an embedded debug keystore, and auto-verifies after signing.
  • RUNIC tamper detection demo - Designed to serve as a parallel for understanding more complex Android tamper detection and integrity systems such as Google Play SafetyNet and Huawei Safety Detect.

Contributing

Your contributions are always welcome! Please read the contribution guidelines first. We follow the Contributor Covenant Code of Conduct. Please make sure to review and adhere to this code of conduct when contributing.

Licence

This project is licensed under the MIT License - see the LICENSE.md file for details.