Android Security related tools

A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of android apps.

Following is a collection of few tools that I am aware of.

Online Analyzers

• AMAT http://dunkelheit.com.br/amat/analysis/index_en.php
• Anadroid http://pegasus.cs.utah.edu:8080/ - static analysis
• AndroTotal http://andrototal.org/ - AV scanning

• Comdroid http://www.comdroid.org/

• CopperDroid http://copperdroid.isg.rhul.ac.uk/copperdroid

• Dexter https://dexter.bluebox.com/ - static analysis
• Mobile-Sandbox23 http://mobile-sandbox.com

• MarvinSafe http://marvinsafe.com/ (not working since acquisition by Veracode)

• Sandroid http://sanddroid.xjtu.edu.cn/

• Stowaway http://www.android-permissions.org/

 

Static Analysis Tools

• APKInspector https://github.com/honeynet/apkinspector/

• ApkAnalyser https://github.com/sonyxperiadev/ApkAnalyser

• Smali CFG generator http://code.google.com/p/smali-cfgs/

• Androwarn https://github.com/maaaaz/androwarn/

 

Dynamic Analysis Tools

• Taintdroid http://appanalysis.org/download.html (requires AOSP compilation)

• Droidbox http://code.google.com/p/droidbox/

• Crowdroid http://www.ida.liu.se/labs/rtslab/publications/2011/spsm11-burguera.pdf – unable to find the actual tool

• Mercury http://labs.mwrinfosecurity.com/tools/2012/03/16/mercury/

 

Reverse Engineering

• Apktool http://code.google.com/p/android-apktool/ - really useful for compilation/decompilation

• Smali/Baksmali http://code.google.com/p/smali/ – apk decompilation; coloring for smali files - emacs, vim

• Redexer https://github.com/plum-umd/redexer - apk manipulation

• Androguard http://code.google.com/p/androguard/ – powerful, integrates well with other tools

• dedexer http://dedexer.sourceforge.net

• Dex2Jar http://code.google.com/p/dex2jar/ - converts classes.dex to classes.jar (use jad/jd-gui after that)

• Dare http://siis.cse.psu.edu/dare/index.html – .dex to .class converter

• IntentFuzzer https://www.isecpartners.com/tools/mobile-security/intent-fuzzer.aspx

• IntentSniffer https://www.isecpartners.com/tools/mobile-security/intent-sniffer.aspx

 

Sample sources

• contagio mini dump – http://contagiominidump.blogspot.com

• Open Source database – http://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares

 

Misc Tools/Readings

• smalihook – http://androidcracking.blogspot.com/2011/03/original-smalihook-java-source.html

• APK-Downloader – http://codekiem.com/2012/02/24/apk-downloader/

• AXMLPrinter2 http://code.google.com/p/android4me/downloads/detail?name=AXMLPrinter2.jar - to convert binary XML files to human-readable XML files

• adb autocomplete http://romannurik-code.googlecode.com/git/misc/bash_completion/adb

• Dalvik opcodes – http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html

• Opcodes table for quick reference – http://xchg.info/corkami/opcodes_tables.pdf

• A good collection of static analysis papers - http://tthtlc.wordpress.com/2011/09/01/static-analysis-of-android-applications/
• ExploitMe http://securitycompass.github.io/AndroidLabs/setup.html - for practice
• GoatDroid https://github.com/jackMannino/OWASP-GoatDroid-Project - for practice

 

Note:

1. I am not trying to claim that this page is a comprehensive reference of all such tools – feel free to leave in comments if you would like to see something here.
2. I have tried some but not all of these tools.

3. Acknowledgements: Some of these entries are taken from posts on mobilemalware google group. Some of the them are from Sontaku Linux.

4. Opinions expressed above are mine and not of my employer.

　　转自：http://ashishb.net/security/android-security-related-tools/