diff --git a/README.md b/README.md index 9150fb7..db57fe5 100644 --- a/README.md +++ b/README.md 
@@ -30,133 +30,136 @@ * [Android WebView Vulnerabilities](https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/) * [OWASP Mobile Top 10](https://www.owasp.org/index.php/OWASP_Mobile_Top_10) - ### Books +### Books * [SEI CERT Android Secure Coding Standard](https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard) * [Android Security Internals](https://www.oreilly.com/library/view/android-security-internals/9781457185496/) - ### Courses +### Courses * [Learning-Android-Security](https://www.lynda.com/Android-tutorials/Learning-Android-Security/689762-2.html) * [Mobile Application Security and Penetration Testing](https://www.elearnsecurity.com/course/mobile_application_security_and_penetration_testing/) - ### Tools +### Tools - * [Static Analysis](#static) - * [Amandroid – A Static Analysis Framework](http://pag.arguslab.org/argus-saf) - * [Androwarn – Yet Another Static Code Analyzer](https://github.com/maaaaz/androwarn/) - * [APK Analyzer – Static and Virtual Analysis Tool](https://github.com/sonyxperiadev/ApkAnalyser) - * [APK Inspector – A Powerful GUI Tool](https://github.com/honeynet/apkinspector/) - * [Droid Hunter – Android application vulnerability analysis and Android pentest tool](https://github.com/hahwul/droid-hunter) - * [Error Prone – Static Analysis Tool](https://github.com/google/error-prone) - * [Findbugs – Find Bugs in Java Programs](http://findbugs.sourceforge.net/downloads.html) - * [Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.](https://github.com/find-sec-bugs/find-sec-bugs/) - * [Flow Droid – Static Data Flow Tracker](https://github.com/secure-software-engineering/FlowDroid) - * [Smali/Baksmali – Assembler/Disassembler for the dex format](https://github.com/JesusFreke/smali) - * [Smali-CFGs – Smali Control Flow Graph’s](https://github.com/EugenioDelfa/Smali-CFGs) - * [SPARTA – Static Program Analysis for Reliable Trusted 
Apps](https://www.cs.washington.edu/sparta) - * [Thresher – To check heap reachability properties](https://plv.colorado.edu/projects/thresher/) - * [Vector Attack Scanner – To search vulnerable points to attack](https://github.com/Sukelluskello/VectorAttackScanner) - * [Gradle Static Analysis Plugin](https://github.com/novoda/gradle-static-analysis-plugin) - * [Checkstyle – A tool for checking Java source code](https://github.com/checkstyle/checkstyle) - * [PMD – An extensible multilanguage static code analyzer](https://github.com/pmd/pmd) - * [Soot – A Java Optimization Framework](https://github.com/Sable/soot) - * [Android Quality Starter](https://github.com/pwittchen/android-quality-starter) - * [QARK – Quick Android Review Kit](https://github.com/linkedin/qark) - * [Infer – A Static Analysis tool for Java, C, C++ and Objective-C](https://github.com/facebook/infer) - * [Android Check – Static Code analysis plugin for Android Project](https://github.com/noveogroup/android-check) - * [FindBugs-IDEA Static byte code analysis to look for bugs in Java code](https://plugins.jetbrains.com/plugin/3847-findbugs-idea) +#### Static Analysis + +* [Amandroid – A Static Analysis Framework](http://pag.arguslab.org/argus-saf) +* [Androwarn – Yet Another Static Code Analyzer](https://github.com/maaaaz/androwarn/) +* [APK Analyzer – Static and Virtual Analysis Tool](https://github.com/sonyxperiadev/ApkAnalyser) +* [APK Inspector – A Powerful GUI Tool](https://github.com/honeynet/apkinspector/) +* [Droid Hunter – Android application vulnerability analysis and Android pentest tool](https://github.com/hahwul/droid-hunter) +* [Error Prone – Static Analysis Tool](https://github.com/google/error-prone) +* [Findbugs – Find Bugs in Java Programs](http://findbugs.sourceforge.net/downloads.html) +* [Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.](https://github.com/find-sec-bugs/find-sec-bugs/) +* [Flow Droid – Static Data Flow 
Tracker](https://github.com/secure-software-engineering/FlowDroid) +* [Smali/Baksmali – Assembler/Disassembler for the dex format](https://github.com/JesusFreke/smali) +* [Smali-CFGs – Smali Control Flow Graph’s](https://github.com/EugenioDelfa/Smali-CFGs) +* [SPARTA – Static Program Analysis for Reliable Trusted Apps](https://www.cs.washington.edu/sparta) +* [Thresher – To check heap reachability properties](https://plv.colorado.edu/projects/thresher/) +* [Vector Attack Scanner – To search vulnerable points to attack](https://github.com/Sukelluskello/VectorAttackScanner) +* [Gradle Static Analysis Plugin](https://github.com/novoda/gradle-static-analysis-plugin) +* [Checkstyle – A tool for checking Java source code](https://github.com/checkstyle/checkstyle) +* [PMD – An extensible multilanguage static code analyzer](https://github.com/pmd/pmd) +* [Soot – A Java Optimization Framework](https://github.com/Sable/soot) +* [Android Quality Starter](https://github.com/pwittchen/android-quality-starter) +* [QARK – Quick Android Review Kit](https://github.com/linkedin/qark) +* [Infer – A Static Analysis tool for Java, C, C++ and Objective-C](https://github.com/facebook/infer) +* [Android Check – Static Code analysis plugin for Android Project](https://github.com/noveogroup/android-check) +* [FindBugs-IDEA Static byte code analysis to look for bugs in Java code](https://plugins.jetbrains.com/plugin/3847-findbugs-idea) - * [Dynamic Analysis](#dynamic) - * [Android Hooker - Opensource project for dynamic analyses of Android applications](https://github.com/AndroidHooker/hooker) - * [AppAudit - Online tool ( including an API) uses dynamic and static analysis](http://appaudit.io/) - * [AppAudit - A bare-metal analysis tool on Android devices](https://github.com/ucsb-seclab/baredroid) - * [CuckooDroid - Extension of Cuckoo Sandbox the Open Source software](https://github.com/idanr1986/cuckoo-droid) - * [DroidBox - Dynamic analysis of Android 
applications](https://code.google.com/p/droidbox/) - * [Droid-FF - Android File Fuzzing Framework](https://github.com/antojoseph/droid-ff) - * [Drozer](https://www.mwrinfosecurity.com/products/drozer/) - * [Marvin - Analyzes Android applications and allows tracking of an app](https://github.com/programa-stic/marvin-django) - * [Inspeckage](https://github.com/ac-pm/Inspeckage) - * [PATDroid - Collection of tools and data structures for analyzing Android applications](https://github.com/mingyuan-xia/PATDroid) - * [AndroL4b - Android security virtual machine based on ubuntu-mate](https://github.com/sh4hin/Androl4b) - * [Radare2 - Unix-like reverse engineering framework and commandline tools](https://github.com/radareorg/radare2) - * [ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)](https://bytecodeviewer.com/) - * [Mobile-Security-Framework MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - * [CobraDroid - Custom build of the Android operating system geared specifically for application security ](https://thecobraden.com/projects/cobradroid/) +#### Dynamic Analysis + +* [Android Hooker - Opensource project for dynamic analyses of Android applications](https://github.com/AndroidHooker/hooker) +* [AppAudit - Online tool ( including an API) uses dynamic and static analysis](http://appaudit.io/) +* [AppAudit - A bare-metal analysis tool on Android devices](https://github.com/ucsb-seclab/baredroid) +* [CuckooDroid - Extension of Cuckoo Sandbox the Open Source software](https://github.com/idanr1986/cuckoo-droid) +* [DroidBox - Dynamic analysis of Android applications](https://code.google.com/p/droidbox/) +* [Droid-FF - Android File Fuzzing Framework](https://github.com/antojoseph/droid-ff) +* [Drozer](https://www.mwrinfosecurity.com/products/drozer/) +* [Marvin - Analyzes Android applications and allows tracking of an app](https://github.com/programa-stic/marvin-django) +* [Inspeckage](https://github.com/ac-pm/Inspeckage) 
+* [PATDroid - Collection of tools and data structures for analyzing Android applications](https://github.com/mingyuan-xia/PATDroid) +* [AndroL4b - Android security virtual machine based on ubuntu-mate](https://github.com/sh4hin/Androl4b) +* [Radare2 - Unix-like reverse engineering framework and commandline tools](https://github.com/radareorg/radare2) +* [yteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)](https://bytecodeviewer.com/) +* [Mobile-Security-Framework MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) +* [CobraDroid - Custom build of the Android operating system geared specifically for application security ](https://thecobraden.com/projects/cobradroid/) - * [Android Online APK Analyzers](#online) - * [Android Observatory APK Scan](https://androidobservatory.org/upload) - * [Android APK Decompiler](http://www.decompileandroid.com/) - * [AndroTotal](http://andrototal.org/) - * [NVISO ApkScan](https://apkscan.nviso.be/) - * [VirusTotal](https://www.virustotal.com/#/home/upload) - * [Scan Your APK](https://scanyourapk.com/) - * [AVC Undroid](https://undroid.av-comparatives.org/index.php) - * [OPSWAT](https://metadefender.opswat.com/#!/) - * [ImmuniWeb Mobile App Scanner](https://www.htbridge.com/mobile/) - * [Ostor Lab](https://www.ostorlab.co/scan/mobile/) - * [Quixxi](https://quixxisecurity.com/) - * [TraceDroid](http://tracedroid.few.vu.nl/submit.php) - * [Visual Threat](http://www.visualthreat.com/UIupload.action) - * [App Critique](https://appcritique.boozallen.com/) +#### Android Online APK Analyzers + +* [Android Observatory APK Scan](https://androidobservatory.org/upload) +* [Android APK Decompiler](http://www.decompileandroid.com/) +* [AndroTotal](http://andrototal.org/) +* [NVISO ApkScan](https://apkscan.nviso.be/) +* [VirusTotal](https://www.virustotal.com/#/home/upload) +* [Scan Your APK](https://scanyourapk.com/) +* [AVC Undroid](https://undroid.av-comparatives.org/index.php) +* 
[OPSWAT](https://metadefender.opswat.com/#!/) +* [ImmuniWeb Mobile App Scanner](https://www.htbridge.com/mobile/) +* [Ostor Lab](https://www.ostorlab.co/scan/mobile/) +* [Quixxi](https://quixxisecurity.com/) +* [TraceDroid](http://tracedroid.few.vu.nl/submit.php) +* [Visual Threat](http://www.visualthreat.com/UIupload.action) +* [App Critique](https://appcritique.boozallen.com/) - ### Labs +### Labs - * [DIVA (Damn insecure and vulnerable App)](https://github.com/payatu/diva-android) - * [SecurityShepherd](https://github.com/OWASP/SecurityShepherd) - * [Damn Vulnerable Hybrid Mobile App (DVHMA)](https://github.com/logicalhacking/DVHMA) - * [OWASP-mstg](https://github.com/OWASP/owasp-mstg/tree/master/Crackmes) - * [VulnerableAndroidAppOracle](https://github.com/dan7800/VulnerableAndroidAppOracle) - * [Android InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) - * [Purposefully Insecure and Vulnerable Android Application (PIIVA)](https://github.com/htbridge/pivaa) - * [Sieve app](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) - * [DodoVulnerableBank](https://github.com/CSPF-Founder/DodoVulnerableBank) - * [Digitalbank](https://github.com/CyberScions/Digitalbank) - * [OWASP GoatDroid](https://github.com/jackMannino/OWASP-GoatDroid-Project) - * [AppKnox Vulnerable Application](https://github.com/appknox/vulnerable-application) - * [Vulnerable Android Application](https://github.com/Lance0312/VulnApp) - * [MoshZuk](https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apk) - * [Hackme Bank](http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx) - * [Android Security Labs](https://github.com/SecurityCompass/AndroidLabs) - * [Android-InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) - * [Android-security](https://github.com/rafaeltoledo/android-security) +* [DIVA (Damn insecure and vulnerable App)](https://github.com/payatu/diva-android) +* 
[SecurityShepherd](https://github.com/OWASP/SecurityShepherd) +* [Damn Vulnerable Hybrid Mobile App (DVHMA)](https://github.com/logicalhacking/DVHMA) +* [OWASP-mstg](https://github.com/OWASP/owasp-mstg/tree/master/Crackmes) +* [VulnerableAndroidAppOracle](https://github.com/dan7800/VulnerableAndroidAppOracle) +* [Android InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) +* [Purposefully Insecure and Vulnerable Android Application (PIIVA)](https://github.com/htbridge/pivaa) +* [Sieve app](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk) +* [DodoVulnerableBank](https://github.com/CSPF-Founder/DodoVulnerableBank) +* [Digitalbank](https://github.com/CyberScions/Digitalbank) +* [OWASP GoatDroid](https://github.com/jackMannino/OWASP-GoatDroid-Project) +* [AppKnox Vulnerable Application](https://github.com/appknox/vulnerable-application) +* [Vulnerable Android Application](https://github.com/Lance0312/VulnApp) +* [MoshZuk](https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apk) +* [Hackme Bank](http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx) +* [Android Security Labs](https://github.com/SecurityCompass/AndroidLabs) +* [Android-InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2) +* [Android-security](https://github.com/rafaeltoledo/android-security) - ### Talks +### Talks - * [One Step Ahead of Cheaters -- Instrumenting Android Emulators](https://www.youtube.com/watch?v=L3AniAxp_G4) - * [Vulnerable Out of the Box: An Evaluation of Android Carrier Devices](https://www.youtube.com/watch?v=R2brQvQeTvM) - * [Rock appround the clock: Tracking malware developers by Android](https://www.youtube.com/watch?v=wd5OU9NvxjU) - * [Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre](https://www.youtube.com/watch?v=ohjTWylMGEA) - * [Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets](https://www.youtube.com/watch?v=TDk2RId8LFo) - * [Honey, I 
Shrunk the Attack Surface – Adventures in Android Security Hardening](https://www.youtube.com/watch?v=EkL1sDMXRVk) - * [Hide Android Applications in Images](https://www.youtube.com/watch?v=hajOlvLhYJY) - * [Scary Code in the Heart of Android](https://www.youtube.com/watch?v=71YP65UANP0) - * [Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android](https://www.youtube.com/watch?v=q_HibdrbIxo) - * [Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library](https://www.youtube.com/watch?v=s0Tqi7fuOSU) - * [Android FakeID Vulnerability Walkthrough](https://www.youtube.com/watch?v=5eJYCucZ-Tc) - * [Unleashing D* on Android Kernel Drivers](https://www.youtube.com/watch?v=1XavjjmfZAY) - * [The Smarts Behind Hacking Dumb Devices](https://www.youtube.com/watch?v=yU1BrY1ZB2o) - * [Overview of common Android app vulnerabilities](https://www.bugcrowd.com/resources/webinars/overview-of-common-android-app-vulnerabilities/) - * [Android Dev Summit 2019](https://developer.android.com/dev-summit) - * [Android security architecture](https://www.youtube.com/watch?v=3asW-nBU-JU) +* [One Step Ahead of Cheaters -- Instrumenting Android Emulators](https://www.youtube.com/watch?v=L3AniAxp_G4) +* [Vulnerable Out of the Box: An Evaluation of Android Carrier Devices](https://www.youtube.com/watch?v=R2brQvQeTvM) +* [Rock appround the clock: Tracking malware developers by Android](https://www.youtube.com/watch?v=wd5OU9NvxjU) +* [Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre](https://www.youtube.com/watch?v=ohjTWylMGEA) +* [Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets](https://www.youtube.com/watch?v=TDk2RId8LFo) +* [Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening](https://www.youtube.com/watch?v=EkL1sDMXRVk) +* [Hide Android Applications in Images](https://www.youtube.com/watch?v=hajOlvLhYJY) +* [Scary Code in the Heart of 
Android](https://www.youtube.com/watch?v=71YP65UANP0) +* [Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android](https://www.youtube.com/watch?v=q_HibdrbIxo) +* [Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library](https://www.youtube.com/watch?v=s0Tqi7fuOSU) +* [Android FakeID Vulnerability Walkthrough](https://www.youtube.com/watch?v=5eJYCucZ-Tc) +* [Unleashing D* on Android Kernel Drivers](https://www.youtube.com/watch?v=1XavjjmfZAY) +* [The Smarts Behind Hacking Dumb Devices](https://www.youtube.com/watch?v=yU1BrY1ZB2o) +* [Overview of common Android app vulnerabilities](https://www.bugcrowd.com/resources/webinars/overview-of-common-android-app-vulnerabilities/) +* [Android Dev Summit 2019](https://developer.android.com/dev-summit) +* [Android security architecture](https://www.youtube.com/watch?v=3asW-nBU-JU) - ### Misc. +### Misc. - * [Android-Reports-and-Resources](https://github.com/B3nac/Android-Reports-and-Resources/blob/master/README.md) - * [android-security-awesome](https://github.com/ashishb/android-security-awesome) +* [Android-Reports-and-Resources](https://github.com/B3nac/Android-Reports-and-Resources/blob/master/README.md) +* [android-security-awesome](https://github.com/ashishb/android-security-awesome) ## IOS - ### General - ### Tools - ### Talks - ### Labs - ### Courses - ### Books - ### Misc. +### General +### Tools +### Talks +### Labs +### Courses +### Books +### Misc.
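Review bot: the re-indented Dynamic Analysis list drops the leading "B" from the ByteCodeViewer entry, so the new `+* [yteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)](https://bytecodeviewer.com/)` line should read `* [ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)](https://bytecodeviewer.com/)` as it did in the removed line. Since the hunk also replaces the `* [Static Analysis](#static)`, `* [Dynamic Analysis](#dynamic)` and `* [Android Online APK Analyzers](#online)` link items with `####` headings, the auto-generated anchors become `#static-analysis`, `#dynamic-analysis` and `#android-online-apk-analyzers`; any table of contents or cross-reference elsewhere in the README that still points at `#static`, `#dynamic` or `#online` needs the same update in this change. While this list is being rewritten, the Labs section still carries `Android InsecureBankv2` and `Android-InsecureBankv2` as two entries for the same repository (`https://github.com/dineshshetty/Android-InsecureBankv2`), and the Dynamic Analysis section lists two different tools under the same `AppAudit` name; dropping the duplicate Labs entry and giving the second AppAudit line its project name (the linked repository is `baredroid`) would make the reformatted list accurate as well as consistently indented.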