Mobile Application Penetration Testing Cheat Sheet
The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics, along with a checklist mapped to the OWASP Mobile Risk Top 10 for conducting pentests.
- Mobile Application Security Testing Distributions
- All-in-one Mobile Security Frameworks
- Android Application Penetration Testing
- iOS Application Penetration Testing
- Mobile Penetration Testing Lab
- Contribution
- License
Mobile Application Security Testing Distributions
- Appie - A portable software package for Android Pentesting and an awesome alternative to existing Virtual machines.
- Android Tamer - Android Tamer is a Virtual / Live Platform for Android Security professionals.
- Androl4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
- Vezir Project - Mobile Application Pentesting and Malware Analysis Environment.
All-in-One Mobile Security Frameworks
- Mobile Security Framework - MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
python manage.py runserver 127.0.0.1:1337
- Needle - Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps including Binary Analysis, Static Code Analysis, Runtime Manipulation using Cycript and Frida hooking, and so on.
- Objection - Objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
Android Application Penetration Testing
Reverse Engineering and Static Analysis
- APKTool - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
- Disassembling Android apk file
apktool d <apk file>
- Rebuilding decoded resources back to binary APK/JAR with certificate signing
apktool b <modified folder>
keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test
- Bytecode Viewer - Bytecode Viewer is an advanced, lightweight Java bytecode viewer. It is written completely in Java and is open source.
- Jadx - Dex to Java decompiler: command line and GUI tools for producing Java source code from Android Dex and Apk files.
- APK Studio - Open-source, cross platform Qt based IDE for reverse-engineering Android application packages.
- Oat2dex - A tool for converting .oat file to .dex files.
- Deoptimize boot classes (The output will be in "odex" and "dex" folders)
java -jar oat2dex.jar boot <boot.oat file>
- Deoptimize application
java -jar oat2dex.jar <app.odex> <boot-class-folder output from above>
- Get odex from oat
java -jar oat2dex.jar odex <oat file>
- Get odex smali (with optimized opcode) from oat/odex
java -jar oat2dex.jar smali <oat/odex file>
- FindBugs + FindSecurityBugs - FindSecurityBugs is an extension for FindBugs which includes security rules for Java applications.
- Qark - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
- SUPER - SUPER is a command-line application for Windows, MacOS X and Linux that analyzes .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
- AndroBugs - AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
- Simplify - A tool for de-obfuscating an Android package into Classes.dex, which can then be passed to Dex2jar and JD-GUI to extract the contents of the dex file.
java -jar simplify.jar -i "input smali files or folder" -o <output dex file>
- ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
- Android backup extractor - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.
Tip: the "adb backup" command can also be used for extracting an application package with the following command:
adb backup <package name>
- `dd if=backup.ab bs=1 skip=24
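The `skip=24` offset above corresponds to the text header of an unencrypted backup. As an added example (not part of the original cheat sheet or of the Android backup extractor project), this Python code reads the header lines instead of assuming their length, refuses encrypted backups, and inflates the payload to a tar archive. The header layout (magic, version, compression flag, encryption name, one per line) is taken from the AOSP backup format; the sample backup and package name are constructed.

```python
import io
import tarfile
import zlib

MAGIC = "ANDROID BACKUP"

def parse_ab(data: bytes):
    """Return (header dict, tar bytes) for an unencrypted adb backup."""
    stream = io.BytesIO(data)
    # Header is four newline-terminated ASCII lines before the payload.
    magic, version, compressed, encryption = (
        stream.readline().rstrip(b"\n").decode("ascii", "replace") for _ in range(4)
    )
    if magic != MAGIC:
        raise ValueError("not an Android backup (bad magic)")
    if encryption != "none":
        # Encrypted backups carry extra key-material lines; not handled here.
        raise ValueError(f"encrypted backup ({encryption})")
    header = {
        "version": int(version),
        "compressed": compressed == "1",
        "encryption": encryption,
        "header_len": stream.tell(),  # 24 for the common unencrypted case
    }
    payload = stream.read()
    if header["compressed"]:
        payload = zlib.decompress(payload)
    return header, payload

def list_entries(tar_bytes: bytes):
    """Names of the files stored in the recovered tar archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [member.name for member in tar.getmembers()]

def build_sample_backup() -> bytes:
    """Constructed sample: one file in a tar, deflated, behind a version-5 header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"<map></map>\n"
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n5\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    header, tar_bytes = parse_ab(build_sample_backup())
    print(header)
    print(list_entries(tar_bytes))
```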