Awesome Android Security

This document contains a detailed table of contents listing resources for learning about and researching Android security. It includes sections on blogs, papers, books, trainings, tools for static and dynamic analysis, online APK analyzers, decompilers, forensic analysis tools, labs, talks, bug bounty writeups, checklists, and more. The tools section lists both open source and commercial tools for analyzing Android apps through static analysis, dynamic analysis, and runtime analysis.


8/1/23, 10:41 AM Awesome-Android-Security

Awesome-Android-Security
Table of Contents
Blog
How To's
Papers
Books
Trainings
Tools
Static Analysis Tools
Dynamic Analysis Tools
Online APK Analyzers
Online APK Decompiler
Forensic Analysis Tools
Labs
Talks
Misc
Bug Bounty & Writeups
Cheat Sheet
Checklist
Bug Bounty Report
Blogs
Bypass Instagram and Threads SSL pinning on Android
Reverse Engineering Android game Coin Hunt World and its communication protocol to cheat the app
Discovering vendor-specific vulnerabilities in Android
Technical analysis of Alien android malware
https://md2pdf.netlify.app 1/10
Lock Screen Bypass Exploit of Android Devices (CVE-2022–20006)
Analysis of Android banking Trojan MaliBot that is based on S.O.V.A banker
Pending Intents: A Pentester’s view
Android security checklist: theft of arbitrary files
Protecting Android users from 0-Day attacks
Reversing an Android sample which uses Flutter
Step-by-step guide to reverse an APK protected with DexGuard using Jadx
Use cryptography in mobile apps the right way
Android security checklist: WebView
Common mistakes when using permissions in Android
Two weeks of securing Samsung devices: Part 2
Why dynamic code loading could be dangerous for your apps: a Google example
Two weeks of securing Samsung devices: Part 1
How to exploit insecure WebResourceResponse configurations + an example of the vulnerability in Amazon apps
Exploiting memory corruption vulnerabilities on Android + an example of such vulnerability in PayPal apps
Capture all android network traffic
Reverse Engineering Clubhouse
Escape the Chromium sandbox on Android Devices
Android Penetration Testing: Frida
Android: Gaining access to arbitrary* Content Providers
Getting root on a 4G LTE mobile hotspot
Exploiting new-era of Request forgery on mobile applications
Deep Dive into an Obfuscation-as-a-Service for Android Malware
Evernote: Universal-XSS, theft of all cookies from all sites, and more
Interception of Android implicit intents
AAPG - Android application penetration testing guide
TikTok: three persistent arbitrary code executions and one theft of arbitrary files
Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913
Android: Access to app protected components
Android: arbitrary code execution via third-party package contexts
Android Pentesting Labs - Step by Step guide for beginners
An Android Hacking Primer
An Android Security tips
OWASP Mobile Security Testing Guide
Security Testing for Android Cross Platform Application
Dive deep into Android Application Security
Pentesting Android Apps Using Frida
Mobile Security Testing Guide
Android Applications Reversing 101
Android Security Guidelines
Android WebView Vulnerabilities
OWASP Mobile Top 10
Practical Android Phone Forensics
Mobile Pentesting With Frida
Zero to Hero - Mobile Application Testing - Android Platform
Detecting Dynamic Loading in Android Applications
Static Analysis for Android and iOS
Dynamic Analysis for Android and iOS
Exploring intent-based Android security vulnerabilities on Google Play (part 1/3)
Hunting intent-based Android security vulnerabilities with Snyk Code (part 2/3)
Mitigating and remediating intent-based Android security vulnerabilities (part 3/3)
Strengthening Android Security: Mitigating Banking Trojan Threats
How To's
How to analyze mobile malware: a Cabassous/FluBot Case study
How to Bypasses Iframe Sandboxing
How To Configuring Burp Suite With Android Nougat
How To Bypassing Xamarin Certificate Pinning
How To Bypassing Android Anti-Emulation
How To Secure an Android Device
Android Root Detection Bypass Using Objection and Frida Scripts
Root Detection Bypass By Manual Code Manipulation.
Magisk Systemless Root - Detection and Remediation
How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8
Papers
A systematic analysis of commercial Android packers
A Large-Scale Study on the Adoption of Anti-Debugging and Anti-Tampering Protections in Android Apps
Things You May Not Know About Android (Un)Packers
Happer: Unpacking Android Apps via a Hardware-Assisted Approach
AndrODet: An adaptive Android obfuscation detector
GEOST BOTNET - the discovery story of a new Android banking trojan
Dual-Level Android Malware Detection
An Investigation of the Android Kernel Patch Ecosystem
Books
SEI CERT Android Secure Coding Standard
Android Security Internals
Android Cookbook
Android Hacker's Handbook
Android Security Cookbook
The Mobile Application Hacker's Handbook
Android Malware and Analysis
Android Security: Attacks and Defenses
Learning Penetration Testing For Android Devices
Android Hacking 2020 Edition
Trainings
SEC575: Mobile Device Security and Ethical Hacking
Android Reverse Engineering_pt-BR
Learning-Android-Security
Advanced Android Development
Learn the art of mobile app development
Learning Android Malware Analysis
Android App Reverse Engineering 101
MASPT V2
Android Penetration Testing (Persian)
Tools
Static Analysis
BlackDex is an Android unpack(dexdump) tool
Deoptfuscator - Deobfuscator for Android Application
Android Reverse Engineering WorkBench for VS Code
Apktool:A tool for reverse engineering Android apk files
Defeat Java packers via Frida instrumentation
quark-engine - An Obfuscation-Neglect Android Malware Scoring System
DeGuard:Statistical Deobfuscation for Android
jadx - Dex to Java decompiler
Amandroid – A Static Analysis Framework
Androwarn – Yet Another Static Code Analyzer
Droid Hunter – Android application vulnerability analysis and Android pentest tool
Error Prone – Static Analysis Tool
Findbugs – Find Bugs in Java Programs
Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
Flow Droid – Static Data Flow Tracker
Smali/Baksmali – Assembler/Disassembler for the dex format
Smali-CFGs – Smali Control Flow Graph’s
SPARTA – Static Program Analysis for Reliable Trusted Apps
Gradle Static Analysis Plugin
Checkstyle – A tool for checking Java source code
PMD – An extensible multilanguage static code analyzer
Soot – A Java Optimization Framework
Android Quality Starter
QARK – Quick Android Review Kit
Infer – A Static Analysis tool for Java, C, C++ and Objective-C
Android Check – Static Code analysis plugin for Android Project
FindBugs-IDEA Static byte code analysis to look for bugs in Java code
APK Leaks – Scanning APK file for URIs, endpoints & secrets
Trueseeing – fast, accurate and resilient vulnerabilities scanner for Android apps
StaCoAn – crossplatform tool which aids developers, bugbounty hunters and ethical hackers
APKScanner
Mobile Audit – Web application for performing Static Analysis and detecting malware in Android APKs
mariana-trench - Our security focused static analysis tool for Android and Java applications.
semgrep-rules-android-security
Dynamic Analysis
Mobile-Security-Framework MobSF
Magisk v23.0 - Root & Universal Systemless Interface
Runtime Mobile Security (RMS) - a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
House: A runtime mobile application analysis toolkit with a Web GUI
Objection - Runtime Mobile Exploration toolkit, powered by Frida
Droid-FF - Android File Fuzzing Framework
Drozer
Slicer-automate APK Recon
Inspeckage
PATDroid - Collection of tools and data structures for analyzing Android applications
Radare2 - Unix-like reverse engineering framework and commandline tools
Cutter - Free and Open Source RE Platform powered by radare2
ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
Online APK Analyzers
Guardsquare AppSweep
Oversecured
Android Observatory APK Scan
AndroTotal
VirusTotal
Scan Your APK
AVC Undroid
OPSWAT
ImmuniWeb Mobile App Scanner
Ostor Lab
Quixxi
TraceDroid
Visual Threat
App Critique
Jotti's malware scan
kaspersky scanner
Online APK Decompiler
Android APK Decompiler
Java Decompiler APk
APK DECOMPILER APP
DeAPK is an open-source, online APK decompiler
apk and dex decompilation back to Java source code
APK Decompiler Tools
Forensic Analysis
Forensic Analysis for Mobile Apps (FAMA)
Andriller
Autopsy
bandicoot
Fridump-A universal memory dumper using Frida
LiME - Linux Memory Extractor
Labs
Damn-Vulnerable-Bank
OVAA (Oversecured Vulnerable Android App)
DIVA (Damn insecure and vulnerable App)
OWASP Security Shepherd
Damn Vulnerable Hybrid Mobile App (DVHMA)
OWASP-mstg(UnCrackable Mobile Apps)
VulnerableAndroidAppOracle
Android InsecureBankv2
Purposefully Insecure and Vulnerable Android Application (PIIVA)
Sieve app(An android application which exploits through android components)
DodoVulnerableBank (Insecure Vulnerable Android Application that helps to learn hacking and securing apps)
Digitalbank(Android Digital Bank Vulnerable Mobile App)
AppKnox Vulnerable Application
Vulnerable Android Application
Android Security Labs
Android-security Sandbox
VulnDroid(CTF Style Vulnerable Android App)
FridaLab
Santoku Linux - Mobile Security VM
AndroL4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Talks
One Step Ahead of Cheaters -- Instrumenting Android Emulators
Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
Rock appround the clock: Tracking malware developers by Android
Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre
Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
Hide Android Applications in Images
Scary Code in the Heart of Android
Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
Android FakeID Vulnerability Walkthrough
Unleashing D* on Android Kernel Drivers
The Smarts Behind Hacking Dumb Devices
Overview of common Android app vulnerabilities
Advanced Android Bug Bounty skills
Android security architecture
Get the Ultimate Privilege of Android Phone
Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps
Bad Binder: Finding an Android In The Wild 0day
Deep dive into ART(Android Runtime) for dynamic binary analysis
Misc
Android Malware Adventures
Android-Reports-and-Resources
Hands On Mobile API Security
Android Penetration Testing Courses
Lesser-known Tools for Android Application PenTesting
android-device-check - a set of scripts to check Android device security configuration
apk-mitm - a CLI application that prepares Android APK files for HTTPS inspection
Andriller - a software utility with a collection of forensic tools for smartphones
Dexofuzzy: Android malware similarity clustering method using opcode sequence-Paper
Chasing the Joker
Side Channel Attacks in 4G and 5G Cellular Networks-Slides
Shodan.io-mobile-app for Android
Popular Android Malware 2019
Popular Android Malware 2020
Popular Android Malware 2021
Popular Android Malware 2022
Bug Bounty & Writeups
Hacker101 CTF: Android Challenge Writeups
Arbitrary code execution on Facebook for Android through download feature
RCE via Samsung Galaxy Store App
Cheat Sheet
Mobile Application Penetration Testing Cheat Sheet
ADB (Android Debug Bridge) Cheat Sheet
Frida Cheatsheet and Code Snippets for Android
Checklists
Android Pentesting Checklist
OWASP Mobile Security Testing Guide (MSTG)
OWASP Mobile Application Security Verification Standard (MASVS)
Bug Bounty Reports
List of Android Hackerone disclosed reports
How to report security issues