Resources

Decompilers

skylot/jadx: Dex to Java decompiler (github.com)

NationalSecurityAgency/ghidra: Ghidra is a software reverse engineering (SRE) framework (github.com)


Dynamic Analysis

sensepost/objection: 📱 objection - runtime mobile exploration (github.com)

frida/frida: Clone this repo to build Frida (github.com)

FSecureLABS/drozer: The Leading Security Assessment Framework for Android. (github.com)


Packet Sniffers

emanuele-f/PCAPdroid: Capture the Android devices traffic and export it in PCAP format. No root privileges required. (github.com)


Misc Tools

Java Obfuscator and Android App Optimizer | ProGuard (guardsquare.com)

Realm: Realm is a mobile database: a replacement for SQLite & ORMs. SDKs for Swift, Objective-C, Java, Kotlin, C#, and JavaScript. (github.com)


Cheatsheets

Android Applications Pentesting - HackTricks


Free tutorials

Android App Reverse Engineering 101 | Learn to reverse engineer Android applications! (ragingrock.com)

How to use the Android Keystore to store passwords and other sensitive information - Android Authority

Introduction - Mobile Security Testing Guide (gitbook.io)


CTFs

xtiankisutsa/awesome-mobile-CTF: This is a curated list of mobile based CTFs, write-ups and vulnerable apps. Most of them are android based due to the popularity of the platform. (github.com)


Youtube

maddiestone - YouTube


Blog posts

Man-in-the-Disk: A New Attack Surface for Android Apps - Check Point Software

Guide to Network Security Configuration in Android P | NowSecure

How Android Apps are Built and Run · dogriffiths/HeadFirstAndroid Wiki (github.com)

Platform Overview - Mobile Security Testing Guide (gitbook.io)

rooting - How Magisk works? - Android Enthusiasts Stack Exchange

How Secure is your Android Keystore Authentication? (f-secure.com)

Host name verification failed for Host | by Sathya Bandara | Medium

Exploiting Exported activities in Android apps | mzfr's Blog
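The first step behind the exported-activity post above (and the component enumeration drozer automates) is reading the manifest to decide which components are reachable from other apps. The script below is an added example, not code from the post or from drozer; the manifest it parses is a constructed sample, and the package name com.example.vulnapp and its component names are invented. The export rule it applies is the documented one: a component is exported when android:exported="true", or when the attribute is absent and the component declares at least one intent-filter (the pre-API-31 default; from Android 12 the attribute is mandatory whenever intent filters are present). Content providers had a different default on very old target SDKs, so the sample sets the attribute explicitly for the provider.

```python
"""List components an attacker app can reach, from an AndroidManifest.xml.

Added example (not from the linked post or drozer). Input is a decoded
manifest, e.g. the one jadx or apktool writes out; SAMPLE_MANIFEST below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest: one launcher activity, one deep-link activity
# that is implicitly exported (no android:exported, but has an intent-filter),
# one explicitly private activity, one with no filters, a permission-guarded
# service and an exported provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="vulnapp"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false">
      <intent-filter>
        <action android:name="com.example.SETTINGS"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.vulnapp.SYNC"/>
    <provider android:name=".FileProvider"
              android:authorities="com.example.vulnapp.files"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (Clark notation)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies export."""
    exported = attr(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return exported components in manifest order, noting whether the
    export was implicit (a common source of unintentionally reachable
    components) and whether a permission guards it."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    found = []
    for elem in app:
        if elem.tag in COMPONENT_TAGS and is_exported(elem):
            found.append({
                "kind": elem.tag,
                "name": attr(elem, "name"),
                "permission": attr(elem, "permission"),
                "implicit": attr(elem, "exported") is None,
            })
    return found


def adb_start_command(package, component):
    """Build the adb command that launches an exported activity directly.
    Only activities are launched with `am start`; services and providers need
    `am startservice` / `content query`, so None is returned for those.
    Assumes the short ".Name" form for relative component names."""
    if component["kind"] not in ("activity", "activity-alias"):
        return None
    name = component["name"]
    if name.startswith("."):
        name = package + name
    return f"adb shell am start -n {package}/{name}"


if __name__ == "__main__":
    for comp in exported_components(SAMPLE_MANIFEST):
        flag = " (implicit)" if comp["implicit"] else ""
        guard = f" guarded by {comp['permission']}" if comp["permission"] else ""
        print(f"{comp['kind']:<9}{comp['name']}{flag}{guard}")
        cmd = adb_start_command("com.example.vulnapp", comp)
        if cmd:
            print("  " + cmd)
```

Run it against a real decoded manifest by replacing SAMPLE_MANIFEST with the file contents; the implicitly exported entries are the ones to look at first, since the developer usually did not decide to expose them. The adb command is a starting point only: whether launching an activity is exploitable depends on what it does with the intent extras, which is what the linked post walks through.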


Bug Bounty Reports

B3nac/Android-Reports-and-Resources: A big list of Android Hackerone disclosed reports and other resources. (github.com)

Common Android app vulnerabilities (LevelUp).pdf - Google Drive

#161710 Possible to steal any protected files on Android (hackerone.com)