In this article, we introduce the best Android application penetration testing tools. As Android applications become more complicated in both design and function, we need advanced tools to perform vulnerability assessment. Before performing a complete Android app penetration test, we first need to set up the environment: an Android phone with root privileges, or an emulator such as Genymotion, to run and test the application. This tutorial shows the tools that are most helpful in testing Android applications.
Testing an Android Application: Dynamic Analysis vs. Static Analysis
- Static Analysis
Static analysis is testing an application in a non-runtime environment. A static analysis tool checks for coding issues, backdoors in the application and malicious scripts by analysing the code of the application. The advantages of static analysis over dynamic analysis are:
- It helps in identifying potential security vulnerabilities during coding itself.
- Identifying and fixing potential security vulnerabilities at an earlier phase of development helps reduce the cost of fixing them.
- It helps in identifying future errors which cannot be detected in dynamic analysis.
- Dynamic Analysis
Dynamic analysis is performed while a program is in operation. By performing a dynamic analysis we can find vulnerabilities like insecure data storage, improper session handling, injection attacks, etc. The advantages of dynamic analysis are:
- It helps in identifying vulnerabilities which are too difficult for static analysis to detect.
- It helps in identifying logical vulnerabilities like IDOR.
So, in order to perform a complete scan, we need to perform both static and dynamic analysis of a mobile application.
The common vulnerabilities in mobile applications are:
- Insecure Data Storage
- Session Handling Issues
- Injection Attacks
- Unintended data leakages
- Logical Bugs
- Poor Authentication and Authorization
- Cryptographic issues
Tools for Static and Dynamic Analysis
Dynamic Analysis Tools
Mobile Security Framework MobSF
MobSF is an open-source tool which can perform static and dynamic analysis of Android, iOS and Windows mobile applications. This is a completely automated tool with very good vulnerability detection capability. MobSF can also test web APIs for common vulnerabilities like XXE, SSRF, IDOR, etc. MobSF supports both binaries and zipped source code. The latest version supports the Android ARM Emulator for Android dynamic analysis.
You can find the link to MobSF here | GitHub
Burp Proxy allows manual testers to intercept all requests and responses between the browser and the target application. It can intercept traffic even when it goes over HTTPS. Burp Suite can automatically modify requests and responses to facilitate testing. The Burp Extender API allows extensions to customize Burp's behaviour, and many such extensions that help in mobile application penetration testing are available for Burp Suite. Burp Suite Pro will cost you 349 USD per year and the community edition is free.
You can download Burp Suite from here | Burpsuite
Androl4b is an Ubuntu-based virtual machine which contains several tools and frameworks for conducting security assessments of Android applications. The important tools and frameworks are Frida, Drozer, APKTool, Mara and QARK.
You can download Androl4b here | GitHub
Xposed – Stub Based injection without modifying the binary
Appie – A software package which works as an Android pentesting environment. It has lots of built-in tools which help in Android app penetration testing. Appie is portable, which means you can carry it with you on a pen drive. The tools contained in Appie run on the host machine, not in a virtual machine.
Static Analysis Tools
QARK (Quick Android Review Kit) is an easy-to-set-up Android static analysis tool which can find common Android app security vulnerabilities. This tool is capable of creating deployable proof-of-concept APKs. QARK decompiles the Android application to its initial source code and analyses it to find security bugs. This tool is capable of finding bugs like data leakage, tapjacking, cryptographic issues and previously known web API security bugs. QARK is an open-source project and can be downloaded from | GitHub
AndroBug is an open-source project which analyses the code to find bad coding practices and other potential security vulnerabilities. The average scan time is 2 minutes, which makes it the fastest tool in this category.
You can download AndroBug Framework here | GitHub
We can use this app to reverse engineer closed, binary Android applications. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of its project-like file structure and automation of some repetitive tasks like building the APK, etc.
You can download it here | GitHub
Drozer: Drozer can identify security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
SmaliSCA – Static code analysis