Mobile Security Penetration Testing Checklist 2022

Original: https://hackersonlineclub.com/mobile-security-penetration-testing/

A checklist of mobile security penetration testing tools and environments, covering all-in-one mobile security frameworks and the penetration testing of Android and iOS applications.

Mobile Application Security Testing Environment

1. Appie is a portable package for Android pentesting and a good alternative to the existing virtual machines.

https://manifestsecurity.com/appie

2. Android Tamer is a virtual/live platform for Android security professionals.

https://androidtamer.com/

3. AppUse is a VM (virtual machine) developed by AppSec Labs.

Appuse

4. Androl4b is a virtual machine for assessing Android applications, reverse engineering, and malware analysis.

https://github.com/sh4hin/Androl4b

5. Mobisec is a live environment for mobile security testing.

https://sourceforge.net/projects/mobisec/

6. Santoku is a Linux distribution that can also run as a standalone operating system outside of a VM.

https://santoku-linux.com/

7. The Vezir project is a mobile application penetration testing and malware analysis environment.

https://github.com/oguzhantopgul/Vezir-Project

All-in-One Mobile Security Framework

1. Mobile Security Framework (MobSF) is an intelligent, all-in-one, open-source automated penetration testing framework for mobile applications (Android/iOS) that can perform both static and dynamic analysis.

https://github.com/ajinabraham/Mobile-Security-Framework-MobSF

2. Needle is an open-source modular framework that simplifies the process of security assessment for iOS applications, including binary analysis, static code analysis, and runtime operations using Cycript and Frida hooks.

https://github.com/mwrlabs/needle

3. Objection is a runtime mobile exploration toolkit powered by Frida. It was built to help assess mobile applications and their security posture without needing a jailbroken or rooted device.

https://github.com/sensepost/objection

Android Application Penetration Testing

Reverse Engineering and Static Analysis

1. APKinspector is a powerful GUI tool for analysts to analyze Android applications.

https://github.com/honeynet/apkinspector/

2. APKTool can extract resource, dex, manifest, xml, and other files from apk installation packages; it can also modify resource files and rebuild an apk.

https://ibotpeaches.github.io/Apktool/

3. Sign.jar automatically signs apk files using Android test certificates.

https://github.com/appium/sign

4. jadx is a Dex to Java decompiler: command-line and GUI tools for producing Java source code from Android Dex and APK files.

https://github.com/skylot/jadx

5. SmaliEx is a tool for converting .oat files to .dex files.

https://github.com/testwhat/SmaliEx

6. FindSecurityBugs is an extension of FindBugs that adds security rules for Java applications. FindBugs itself finds bugs in Java code through static analysis.

FindBugs:

http://findbugs.sourceforge.net/

FindSecurityBugs:

https://h3xstream.github.io/find-sec-bugs/

7. Qark aims to find multiple security-related vulnerabilities in Android applications, either in source code or in a packaged APK.

https://github.com/linkedin/qark

8. SUPER is a command-line application for Windows, Mac OS X, and Linux that analyzes .apk files for vulnerabilities. It does this by decompressing the APK and applying a series of rules to detect those vulnerabilities.

https://github.com/SUPERAndroidAnalyzer/super

9. The AndroBugs framework is an efficient Android vulnerability scanner that helps developers or hackers discover potential security vulnerabilities in Android applications. No installation on Windows is required.

https://github.com/AndroBugs/AndroBugs_Framework

10. Simplify is a generic Android deobfuscator that produces a deobfuscated classes.dex; Dex2jar and JD-GUI can then be used to inspect the contents of the dex file.

https://github.com/CalebFenton/simplify

11. ClassNameDeobfuscator is a simple script that parses the .smali files produced by apktool and extracts the .source annotation lines.

https://github.com/HamiltonianCycle/ClassNameDeobfuscator

12. Android Backup Extractor.

https://github.com/nelenkov/android-backup-extractor

Dynamic and Runtime Analysis

1. Cydia Substrate is a code modification platform. It can modify the code of any process, whether it is written in Java or in C/C++ (native code). Xposed only supports hooking Java functions in app_process, which makes Cydia Substrate a powerful and practical hooking tool.

http://www.cydiasubstrate.com/

2. The Xposed framework allows you to modify the look and behavior of the system or of applications at runtime without modifying any Android application package (APK) or re-flashing the device.

https://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053

3. logcat-color is a colorized and highly configurable alternative to the adb logcat command in the Android SDK.

https://github.com/marshall/logcat-color

4. Inspeckage is a tool developed to provide dynamic analysis for Android applications. By applying hooks to Android API function calls, Inspeckage will help you understand what Android applications are doing at runtime.

https://github.com/ac-pm/Inspeckage

5. The Frida toolkit works on a client-server model, allowing you to inject into running processes not only on Android but also on iOS, Windows, and Mac.

https://www.frida.re/

6. Diff-GUI is a web framework for starting instrumentation with the available modules, hooking native methods, and injecting JavaScript using Frida.

https://github.com/antojoseph/diff-gui

7. AndBug is a debugger for the Dalvik virtual machine on the Android platform, aimed at reverse engineers and developers.

https://github.com/swdunlop/AndBug

8. Introspy-Android (a Cydia Substrate module) is a black box tool that helps understand what Android applications are doing at runtime and assists in identifying potential security issues.

https://github.com/iSECPartners/Introspy-Android

9. Drozer allows you to search for security vulnerabilities in applications and devices by impersonating applications and interacting with the Dalvik VM, IPC endpoints of other applications, and the underlying operating system.

https://www.mwrinfosecurity.com/products/drozer/

Network Analysis and Server-Side Testing

1. Tcpdump is a command-line packet capture utility.

http://www.androidtcpdump.com/

2. Wireshark is an open-source packet analyzer.

https://www.wireshark.org/download.html

3. Canape is a network testing tool for arbitrary protocols.

http://www.contextis.com/services/research/canape/

4. Burp Suite is an integrated platform for performing application security testing.

https://portswigger.net/burp/download.html

5. Proxydroid is a global proxy application for Android systems.

https://play.google.com/store/apps/details?id=org.proxydroid

Bypassing Root Detection and SSL Pinning

1. JustTrustMe is an Xposed module that bypasses SSL certificate pinning.

https://github.com/Fuzion24/JustTrustMe

2. SSLUnpinning_Xposed is an Android Xposed module that bypasses SSL certificate verification (certificate pinning).

https://github.com/ac-pm/SSLUnpinning_Xposed

3. Android SSL Trust Killer (a Cydia Substrate module) is a black box tool that bypasses SSL certificate pinning for most applications running on the device.

https://github.com/iSECPartners/Android-SSL-TrustKiller

4. RootCloak Plus (a Cydia Substrate module) patches the root checks that look for commonly known indications of root.

https://github.com/devadvance/rootcloakplus

5. Android-ssl-bypass is an Android debugging tool for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks. This tool runs as an interactive console.

https://github.com/iSECPartners/android-ssl-bypass

Security Libraries

1. PublicKey Pinning: Pinning in Android can be done through a custom X509TrustManager. The X509TrustManager should perform regular X509 checks in addition to enforcing pinning configuration.

https://www.owasp.org/images/1/1f/Pubkey-pin-android.zip

2. Android Pinning is a standalone library project for pinning certificates on Android.

https://github.com/moxie0/AndroidPinning

3. Java AES Crypto is a simple Android class for encrypting and decrypting strings, designed to avoid classic errors suffered by most such classes.

https://github.com/tozny/java-aes-crypto

4. ProGuard is a free Java class file shrinker, optimizer, obfuscator, and pre-verifier. It detects and removes unused classes, fields, methods, and attributes.

http://proguard.sourceforge.net/

5. SQLCipher is an open-source extension of SQLite that provides transparent 256-bit AES database file encryption.

https://www.zetetic.net/sqlcipher/sqlcipher-for-android/

6. Secure Preferences: an Android shared preferences wrapper that encrypts the keys and values of shared preferences.

https://github.com/scottyab/secure-preferences

7. Trusted Intents is a library for flexible trusted interactions between Android applications.

https://github.com/guardianproject/TrustedIntents

iOS Application Penetration Testing

Accessing the File System on iDevice

1. FileZilla supports FTP, SFTP, and FTPS (FTP over SSL/TLS).

https://filezilla-project.org/download.php?show_all=1

2. Cyberduck is a Libre FTP, SFTP, WebDAV, S3, Azure, and OpenStack Swift browser for Mac and Windows.

https://cyberduck.io/

3. itunnel is used for forwarding SSH over USB.

https://code.google.com/p/iphonetunnel-usbmuxconnectbyport/downloads/list

4. iFunbox is a file and application management tool for iPhone, iPad, and iPod Touch.

http://www.i-funbox.com/

Reverse Engineering and Static Analysis

1. The otool command displays specified parts of object files or libraries.

http://www.unix.com/man-page/osx/1/otool/

2. Clutch decrypts applications and dumps the specified bundle ID to a binary or .ipa file.

http://cydia.radare.org/

3. Dumpdecrypted dumps the decrypted Mach-O files of encrypted iPhone applications from memory to disk. This tool is essential for security researchers who need to look under the hood of an encrypted application.

https://github.com/stefanesser/dumpdecrypted

4. class-dump is a command-line utility for examining Objective-C runtime information stored in Mach-O files.

http://stevenygard.com/projects/class-dump/

5. Weak Classdump is a Cycript script that generates a header file for the class passed to the function. It is most useful when class-dump or dumpdecrypted cannot be used, for example when the binary is encrypted.

https://github.com/limneos/weak_classdump

6. IDA is a multi-processor disassembler and debugger hosted on Windows, Linux, or Mac OS X, with more features than can be listed here.

https://www.hex-rays.com/products/ida/index.shtml

7. Hopper is a reverse engineering tool for OS X and Linux that allows you to disassemble, decompile, and debug 32/64-bit Intel Mac, Linux, Windows, and iOS executables.

http://hopperapp.com/

8. Hopperscripts can be used to demangle Swift function names in HopperApp.

https://github.com/Januzellij/hopperscripts

9. Radare2 is a Unix-like reverse engineering framework and command-line tool.

https://www.radare.org/

10. iRET is an iOS reverse engineering toolkit designed to automate many common tasks associated with iOS penetration testing.

https://www.veracode.com/iret-ios-reverse-engineering-toolkit

Dynamic and Runtime Analysis

1. Cycript allows developers to explore and modify applications running on iOS or Mac OS X using a blend of Objective-C++ and JavaScript syntax in an interactive console with syntax highlighting and tab completion.

http://www.cycript.org/

2. Frida-cycript is a fork of Cycript in which the runtime is replaced with a new runtime called Mjølner, powered by Frida. This allows frida-cycript to run on all platforms and architectures maintained by frida-core.

https://github.com/nowsecure/frida-cycript

3. AppSec Labs iNalyzer is a framework for manipulating iOS applications, tampering with parameters and methods.

https://appsec-labs.com/cydia/

4. Passionfruit is a simple iOS application black box assessment tool with a fully web-based GUI, powered by frida.re and vuejs.

https://github.com/chaitin/passionfruit

5. idb is a tool for simplifying some common tasks in iOS penetration testing and research.

https://github.com/dmayer/idb

6. snoop-it is a tool for assisting iOS application security assessments and dynamic analysis.

http://cydia.radare.org/

7. Introspy-iOS is a black box tool that helps understand what iOS applications are doing at runtime and assists in identifying potential security issues.

https://github.com/iSECPartners/Introspy-iOS

8. gdb is a tool for performing runtime analysis of iOS applications.

http://cydia.radare.org/

9. keychaindumper is a tool for checking which keychain items an attacker can access once an iOS device is jailbroken.

http://cydia.radare.org/

10. BinaryCookieReader is a tool for dumping all cookies from binary Cookies.binarycookies files.

http://securitylearn.net/wp-content/uploads/tools/iOS/BinaryCookieReader.py

11. Scwapper for iOS enumerates an application's view controllers and lets you jump between them, which in effect allows you to bypass, for example, jailbreak detection and skip payment screens.

https://github.com/psmith-sec/Scwapper

Network Analysis and Server-Side Testing

1. Canape is a network testing tool for arbitrary protocols.

http://www.contextis.com/services/research/canape/

2. Burp Suite is an integrated platform for performing application security testing.

https://portswigger.net/burp/download.html

3. Charles Proxy is an HTTP proxy/HTTP monitor/reverse proxy that allows developers to view all HTTP and SSL/HTTPS traffic between their machines and the Internet.

http://www.charlesproxy.com/

Bypassing Root Detection and SSL Pinning

1. SSL Kill Switch is a black box tool that disables SSL certificate verification (including certificate pinning) in iOS and OS X applications.

https://github.com/nabla-c0d3/ssl-kill-switch2

2. iOS TrustMe disables certificate trust checks on iOS devices.

https://github.com/intrepidusgroup/trustme

3. Xcon is a tool for bypassing jailbreak detection.

http://apt.modmyi.com/

4. tsProtector is another tool for bypassing jailbreak detection.

https://cydia.saurik.com/package/kr.typostudio.tsprotector8/

Security Libraries

1. PublicKey Pinning: iOS pinning is implemented through an NSURLConnectionDelegate. The delegate must implement.

https://www.owasp.org/images/9/9a/Pubkey-pin-ios.zip

2. OWASP iMAS is a collaborative research project by MITRE focusing on open-source iOS security controls.

https://project-imas.github.com/
