A range of tools is available for security testing: to manipulate requests and responses, decompile apps, investigate the behavior of running apps, and automate these and other test cases.
Mobile Application Security Testing Distributions
- Androl4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
- Android Tamer - Android Tamer is a Debian-based Virtual/Live Platform for Android Security professionals.
- AppUse - AppUse is a Virtual Machine developed by AppSec Labs.
- Santoku - Santoku is an OS and can be run outside a VM as a standalone operating system.
- Mobile Security Toolchain - A project used to install many of the tools mentioned in this section, for both Android and iOS, on a machine running Mac OS X. The project installs the tools via Ansible.
Static Source Code Analysis
- Checkmarx - Static Source Code Scanner that also scans source code for Android and iOS.
- Fortify - Static source code scanner that also scans source code for Android and iOS.
- Veracode - Static analysis of iOS and Android binaries.
All-in-One Mobile Security Frameworks
- Appmon - AppMon is an automated framework for monitoring and tampering with system API calls of native macOS, iOS and Android apps.
- Mobile Security Framework - MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
- Needle - Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps including Binary Analysis, Static Code Analysis, Runtime Manipulation using Cycript and Frida hooking, and so on.
- objection - objection is a runtime mobile security assessment framework that does not require a jailbroken or rooted device for both iOS and Android, due to the usage of Frida.
Tools for Android
Reverse Engineering and Static Analysis
- Androguard - Androguard is a Python-based tool that can be used to disassemble and decompile Android apps.
- Android Debug Bridge - adb - Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android device.
- APKInspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
- APKTool - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
- android-classyshark - ClassyShark is a standalone binary inspection tool for Android developers.
- Sign - Sign.jar automatically signs an apk with the Android test certificate.
- Jadx - Dex to Java decompiler: command line and GUI tools for producing Java source code from Android Dex and Apk files.
- Oat2dex - A tool for converting .oat file to .dex files.
- FindBugs - Static Analysis tool for Java
- FindSecurityBugs - FindSecurityBugs is an extension for FindBugs which includes security rules for Java applications.
- Qark - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
- SUPER - SUPER is a command-line application for Windows, MacOS X and Linux that analyzes .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
- AndroBugs - AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
- Simplify - A tool for de-obfuscating an Android package into Classes.dex, which can then be processed with Dex2jar and JD-GUI to extract the contents of the dex file.
- ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
- Android backup extractor - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.
- VisualCodeGrepper - Static Code Analysis Tool for several programming languages including Java
- ByteCodeViewer - Five different Java decompilers, two bytecode editors, a Java compiler, plugins, searching, supports loading from classes, JARs, Android APKs and more.
Dynamic and Runtime Analysis
- Cydia Substrate - Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.
- Xposed Framework - Xposed framework enables you to modify the system or application aspect and behavior at runtime, without modifying any Android application package (APK) or re-flashing.
- logcat-color - A colorful and highly configurable alternative to the adb logcat command from the Android SDK.
- Inspeckage - Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
- Frida - The toolkit works using a client-server model and lets you inject into running processes not just on Android, but also on iOS, Windows and Mac.
- AndBug - AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers.
- Cydia Substrate: Introspy-Android - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
- Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
- VirtualHook - VirtualHook is a hooking tool for applications on Android ART(>=5.0). It's based on VirtualApp and therefore does not require root permission to inject hooks.
Bypassing Root Detection and Certificate Pinning
- Xposed Module: Just Trust Me - Xposed Module to bypass SSL certificate pinning.
- Xposed Module: SSLUnpinning - Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).
- Cydia Substrate Module: Android SSL Trust Killer - Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
- Cydia Substrate Module: RootCloak Plus - Patch root checking for commonly known indications of root.
- Android-ssl-bypass - an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks. The tool runs as an interactive console.
Tools for iOS
Access Filesystem on iDevice
- FileZilla - It supports FTP, SFTP, and FTPS (FTP over SSL/TLS).
- Cyberduck - Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows.
- itunnel - Use to forward SSH via USB.
- iFunbox - The File and App Management Tool for iPhone, iPad & iPod Touch.
Reverse Engineering and Static Analysis
- otool - The otool command displays specified parts of object files or libraries.
- Clutch - Decrypts the application and dumps the specified bundleID into a binary or .ipa file.
- Dumpdecrypted - Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.
- class-dump - A command-line utility for examining the Objective-C runtime information stored in Mach-O files.
- Flex2 - Flex gives you the power to modify apps and change their behavior.
- Weak Classdump - A Cycript script that generates a header file for the class passed to the function. Most useful when you cannot classdump or dumpdecrypted, when binaries are encrypted, etc.
- IDA Pro - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
- HopperApp - Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables.
- Radare2 - Radare2 is a unix-like reverse engineering framework and command line tools.
- iRET - The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing.
- Plutil - plutil is a program that can convert .plist files between a binary version and an XML version.
Dynamic and Runtime Analysis
- iNalyzer - AppSec Labs iNalyzer is a framework for manipulating iOS applications, tampering with parameters and methods.
- idb - idb is a tool to simplify some common tasks for iOS pentesting and research.
- snoop-it - A tool to assist security assessments and dynamic analysis of iOS Apps.
- Introspy-iOS - Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.
- gdb - A tool to perform runtime analysis of iOS applications.
- lldb - LLDB debugger by Apple’s Xcode is used for debugging iOS applications.
- keychaindumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
- BinaryCookieReader - A tool to dump all the cookies from the binary Cookies.binarycookies file.
- Burp Suite Mobile Assistant - A tool to bypass certificate pinning and is able to inject into apps.
Bypassing Root Detection and SSL Pinning
- SSL Kill Switch 2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps.
- iOS TrustMe - Disable certificate trust checks on iOS devices.
- Xcon - A tool for bypassing Jailbreak detection.
- tsProtector - Another tool for bypassing Jailbreak detection.
Tools for Network Interception and Monitoring
- Tcpdump - A command line packet capture utility.
- Wireshark - An open-source packet analyzer.
- Canape - A network testing tool for arbitrary protocols.
- Mallory - A Man in The Middle Tool (MiTM) that is used to monitor and manipulate traffic on mobile devices and applications.
- Burp Suite - Burp Suite is an integrated platform for performing security testing of applications.
- OWASP ZAP - The OWASP Zed Attack Proxy (ZAP) is a free security tool which can help you automatically find security vulnerabilities in your web applications and web services.
- Fiddler - Fiddler is an HTTP debugging proxy server application which captures HTTP and HTTPS traffic and logs it for the user to review. Fiddler can also be used to modify HTTP traffic for troubleshooting purposes as it is being sent or received.
- Charles Proxy - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
- Android Studio - The official integrated development environment (IDE) for Google's Android operating system, built on JetBrains' IntelliJ IDEA software and designed specifically for Android development.
- IntelliJ - IntelliJ IDEA is a Java integrated development environment (IDE) for developing computer software.
- Eclipse - Eclipse is an integrated development environment (IDE) used in computer programming, and is the most widely used Java IDE.
- Xcode - Xcode is an integrated development environment (IDE) available only for macOS to create apps for iOS, watchOS, tvOS and macOS.