10 Open Source Tools For Android Security Assessment
Hi folks, we're researching open-source Android security assessment tools today!
These tools are useful for penetration testing, security assessment, and DevSecOps engagements.
The List
MobSF - It's the most popular tool for security assessment for both Android and iOS platforms. Although the tool is built for Android application analysis - supports static analysis and dynamic analysis with custom Frida scripts. This itself allows you to define your testing scenarios. The tool also has a docker version but it comes without dynamic analysis support. In some cases, it can be used in CI/CD pipeline as a security control - the tool has an API.
Apktool - One of the most popular tools for reverse engineering of Android APK files could decode resources, code, and rebuild them after making some changes. We are actively using it during penetration testing to decompile and disable security mechanisms like SSL Pinning in an application -https://www.cyberlands.io/sslpinningbypassandroid.
XPosed - Xposed is a framework that allows a tester to change the system's behavior without interacting with the APK file. It allows you to examine application behavior in the memory of a mobile device. If you need to roll back, you can just reboot the system, and it does not affect the underlying Operation system and the application.
Pidcat - Small and handy utility, which allows displaying Android logs grouped and highlighted by the application package. It is very useful when you are trying to debug your application or pentesting applications of your client and want to examine log flow.
drozer - drozer allows researchers to discover vulnerabilities in Android apps. drozer can maximize its functionality available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool.
jadx - The decompiling tool allows to decompile dex code to java code and examine the application code. Application has GUI similar to popular IDEs, so even the developers without experience in reverse engineering can quickly use it.
qark - Is an easy-to-use tool capable of finding common security vulnerabilities in Android applications, it's a common tool to perform basic security checks for an Android application.
Android backup extractor - The tool allows you to work with Android backup files and extract information from them—a good choice for security researchers and forensic investigators. Also, it has repacked functionality for sophisticated researchers.
Inspeckage - The classic tool allows performing dynamic analysis of the application by hooking Android API calls and analyzing the results.
House - Runtime mobile application analysis toolkit with a Web GUI is similar to MobSF and also built on Frida engine with custom scripts. Nice and interesting project. I hope the dev team doesn't stop working on it.
Conclusion
Well, we reviewed the ten most popular tools for Android security assessment - and we applaud all of them because they help us on daily basis.
The list isn't complete and we'll revise it sometimes, if you have some favorite tools you prefer, please tell us in the comments, and we will add them to the review list in the future.
All tools are open-source, so you can modify and commit to them your ideas, but be careful with licensing.
In the next article, we will review the top ten tools for iOS security assessment. So stay safe, and feel free to contact us.