В данном репозитории собранны материалы по безопасности Android-приложений, различные статьи, исследования, инструменты анализа и полезные библиотеки/инструменты для обеспечения безопасности приложений. Большая часть этого материала приходит из телеграм канала Mobile AppSec World и его подписчиков. Репозиторий регулярно обновляется и пополняется новыми материалами.
- Frida
- Objection
- Pithus (github) - free and open-source platform to analyze Android applications
- CuckooDroid 2.0 - Automated Android Malware Analysis
- QARK - An Obfuscation-Neglect Android Malware Scoring System
- QARK – Quick Android Review Kit
- ProxyDroid
- ADB Toolkit
- InjectFakeSecurityProvider - print the key, key size, algorithm parameters, keystore password in logcat
- MEDUSA
- diffuse
- ApkDiff
- GDA(GJoy Dex Analyzer)
- APKProxyHelper
- APKLab
- RASE - Persistent Rooting Android Studio Emulator
- EdXposed Framework
- fridroid-unpacker - Defeat Java packers via Frida instrumentation
- CheckKarlMarx - Security проверки для релизных сборок
- parserDex
- Androguard
- Amandroid – A Static Analysis Framework
- Androwarn – Yet Another Static Code Analyzer
- APK Analyzer – Static and Virtual Analysis Tool
- APK Inspector – A Powerful GUI Tool
- Droid Hunter – Android application vulnerability analysis and Android pentest tool
- Error Prone – Static Analysis Tool
- Findbugs – Find Bugs in Java Programs
- Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
- Flow Droid – Static Data Flow Tracker
- Smali/Baksmali – Assembler/Disassembler for the dex format
- Smali-CFGs – Smali Control Flow Graph’s
- SPARTA – Static Program Analysis for Reliable Trusted Apps
- Thresher – To check heap reachability properties
- Vector Attack Scanner – To search vulnerable points to attack
- Gradle Static Analysis Plugin
- Android Check – Static Code analysis plugin for Android Project
- APK Leaks – Scanning APK file for URIs, endpoints & secrets
- fridax
- MOBEXLER
- Generate Malformed QRCodes
- Tool for Injecting Malicious Payloads Into Barcodes
- AFL - american fuzzy lop
- Setup for i0S and Android Application Analysis - This is a cheatsheet to install tools required for i0S and Android application pentesting
- AES Killer (Burpsuite Plugin)
- ReFlutter
- Lief
- Mobile Verification Toolkit
- Jeb2Frida
- Stingray
- Adhrit - Android Security Suite for in-depth reconnaissance and static bytecode analysis based on Ghera benchmarks
- Android Hooker - Opensource project for dynamic analyses of Android applications
- AppAudit - Online tool ( including an API) uses dynamic and static analysis
- AppAudit - A bare-metal analysis tool on Android devices
- DroidBox - Dynamic analysis of Android applications
- Droid-FF - Android File Fuzzing Framework
- Drozer
- Marvin - Analyzes Android applications and allows tracking of an app
- Inspeckage
- PATDroid - Collection of tools and data structures for analyzing Android applications
- AndroL4b - Android security virtual machine based on ubuntu-mate
- Radare2 - Unix-like reverse engineering framework and commandline tools
- Cutter - Free and Open Source RE Platform powered by radare2
- ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
- Mobile-Security-Framework MobSF
- Runtime Mobile Security (RMS) - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
- PINkman is a library to help implementing an authentication by a PIN code in a secure manner
- Conbeerlib is an Android library for detecting if an app is running inside a virtual container.
- Secured Proto DataStore
- Allsafe
- InsecureShop
- OWASP: OMTG-Hacking-Playground
- Damn insecure and vulnerable App (DIVA)
- Damn-Vulnerable-Bank
- InjuredAndroid
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- ExploitMe labs by SecurityCompass
- InsecureBankv2
- Sieve (Vulnerable ‘Password Manager’ app)
- sievePWN
- Android Labs
- Digitalbank
- Dodo vulnerable bank
- Oracle android app
- Urdu vulnerable app
- MoshZuk File
- Appknox
- Vuln app
- Damn Vulnerable FirefoxOS Application
- Android security sandbox
- OVAA (Oversecured Vulnerable Android App)
- SecurityShepherd
- OWASP-mstg
- Purposefully Insecure and Vulnerable Android Application (PIIVA)
- Sieve app
- Vulnerable Android Application
- Android-security
- VulnDroid
- FridaLab
- Santoku Linux - Mobile Security VM
- Vuldroid
- DamnVulnerableCryptoApp
- r2-pay
- Android App RE
- Kotlin Goat - insecure mobile application
- Hacker101 CTF: Android Challenge Writeups
- Google CTF 2021
- Google CTF 2020
- HacktivityCon CTF Mobile 2020
- Trend Micro CTF 2020
- KGB Messenger
- ASIS CTF — ShareL Walkthrough
- Android reversing challenges
- Android app for IOT CTF
- CyberTruck Challenge 2019 (Detroit USA)
- Matryoshka-style Android reversing challenge
- Cybertruckchallenge19
- You Shall Not Pass - BSides Canberra 2019
- BSidesSF 2018 CTF
- h1-702-2018-ctf-wu
- THC CTF 2018 - Reverse - Android serial
- Android crack me challenges
- OWASP crack me
- Rednaga Challenges
- Android Hacking Event 2017: AES-Decrypt
- Android Hacking Event 2017: Token-Generator
- Android Hacking Event 2017: Flag-Validator
- Android Hacking Event 2017: You Can Hide – But You Cannot Run
- Android Hacking Event 2017: Why Should I Pay?
- Android Hacking Event 2017: Esoteric
- Android Hacking Event 2016: StrangeCalculator
- Android Hacking Event 2016: ReverseMe
- Android Hacking Event 2016: ABunchOfNative
- Android Hacking Event 2016: DynChallenge
- PicoCTF-2014: Pickle Jar - 30
- PicoCTF-2014: Revenge of the Bleichenbacher
- Android MIT LL CTF 2013
- Evil Planner Bsides Challenge
- Crack-Mes
- GreHack-2012 - GrehAndroidMe
- Hackplayers.com Crackmes (in Spanish so an extra challenge): crackme 1
- Hackplayers.com Crackmes (in Spanish so an extra challenge): crackme 2
- Hack.Lu's CTF 2011 Reverse Engineering 300
- Androidcracking.blogspot.com's Crackme’s: cracker 0
- Androidcracking.blogspot.com's Crackme’s: cracker 1
- Insomnia'hack-2K11
- CSAW-2011: Reversing101
- Defcon-19-quals: Binary_L33tness
- Crack me's
- Anonim1133
- Challenge4ctf
- Ctfpro
- CTFDroid
- Android_ctf
- Robot CTF Android
- Cl.ctfk
- Cryptax
- ECHO - Ethical hacker Order
- hpAndro Vulnerable Application Challenges
- Solving CTF with Frida
- H@cktivityCon 2021 CTF
- Write-up du CTF Android
- Cellebrite 2021 CTF – Investigating Heisenberg’s Android Device
- Cellebrite 2021 CTF – Marsha’s iPhone (FFS and Backup)
- Cellebrite 2021 CTF – Beth’s iPhone
- Cellebrite CTF 2021 Writeup
- H@cktivitycon 2021 — Mobile challenge writeup
- CTF Write-Up: Kryptonite
- NahamCon 2021 Writeups
- BELKASOFT CTF MAY 2021: WRITE-UP
- Trend Micro CTF 2020 — Keybox writeup
- STACK the Flags 2020: Mobile Challenges Write Up
- HacktivityCon CTF Mobile Writeup
- CyberSpaceKenya CTF
- Magnet Virtual Summit 2020 CTF (Anroid)
- Google CTF 2020: Android
- RaziCTF 2020 WriteUp: Chasing a lock
- DFA/CCSC Spring 2020 CTF
- AppSecIL CTF)
- SunshineCTF 2020 write-up
- Reverse engineering and modifying an Android game (.apk) — CTF
- DroidCon, SEC-T CTF 2019
- You Shall Not Pass - BSides Canberra 2019
- CyberTruck Challenge 2019 — Android CTF
- Bsidessf-ctf-2019-mobile-track
- BsidesSF CTF - Challenge
- CTF on a Budget - Magnet User Summit 2019 - Mobile
- H1 202 2018 / H1 202 CTF
- H1-702 CTF (Capture the Flag)
- BSidesSF 2018 CTF — Android Reversing/Forensic Challenge
- Hack the Android4: Walkthrough (CTF Challenge)
- Google CTF Quals 2018
- Ilam CTF: Android Reverse WriteUp
- 8st SharifCTF Android WriteUps:
- ASIS 2018 Finals: Gunshop
- H1-202 CTF - Writeup
- M1Con CTF Write up
- AES decode with Cyberchef
- BSides San Francisco CTF 2017 : pinlock-150
- BSides San Francisco CTF 2017 : flag-receiver-200
- BSidesSF CTF wrap-up
- itsC0rg1's mobile challenge and BSides SF CTF
- Insomni'hack Teaser 2017 : mindreader-250
- 2017_labyREnth: mob1_ezdroid
- 2017_labyREnth: mob2_routerlocker
- 2017_labyREnth: mob3_showmewhatyougot
- 2017_labyREnth: mob4_androidpan
- 2017_labyREnth: mob5_iotctf
- LabyREnth
- 2016_labyREnth: mob1_lastchance
- 2016_labyREnth: mob2_cups
- 2016_labyREnth: mob3_watt
- 2016_labyREnth: mob4_swip3r
- 2016_labyREnth: mob5_ioga
- 2016_labyREnth: mob6_ogmob
- Holiday hack challenge: Part 01
- Holiday hack challenge: Part 02
- Holiday hack challenge: Part 04a
- Holiday hack challenge: Part 04b
- Holiday hack challenge: Part 04c
- Holiday hack challenge: Part 04d
- Holiday hack challenge: Part 04e
- Holiday hack challenge: Part 04f
- Holiday hack challenge: Part 5
- 0ctf-2016
- Google-ctf-2016
- Google-ctf-2016: ill intentions 1
- Google-ctf-2016: ill intentions 2
- Cyber-security-challenge-belgium-2016-qualifiers
- Su-ctf-2016 - android-app-100
- Hackcon-ctf-2016 - you-cant-see-me-150
- RC3 CTF 2016: My Lil Droid
- Cyber Security Challenge 2016: Dexter
- Cyber Security Challenge 2016: Phishing is not a crime
- google-ctf-2016 : little-bobby-application-250
- Rctf-quals-2015
- Insomni-hack-ctf-2015
- 0ctf-2015
- Cyber-security-challenge-2015
- Trend-micro-ctf-2015: offensive-200
- codegate-ctf-2015: dodocrackme2
- Seccon-quals-ctf-2015: reverse-engineering-android-apk-1
- Seccon-quals-ctf-2015 - reverse-engineering-android-apk-2
- Pragyan-ctf-2015
- Volgactf-quals-2015
- Opentoall-ctf-2015: android-oh-no
- 32c3-ctf-2015: libdroid-150
- Polictf 2015: crack-me-if-you-can
- Icectf-2015: Husavik
- Qiwi-ctf-2014: not-so-one-time
- Fdfpico-ctf-2014: droid-app-80
- Su-ctf-quals-2014: commercial_application
- defkthon-ctf 2014: web-300
- secuinside-ctf-prequal-2014: wooyatalk
- Qiwi-ctf-2014: easydroid
- Qiwi-ctf-2014: stolen-prototype
- TinyCTF 2014: Ooooooh! What does this button do?
- 31c3-ctf-2014: Nokia 1337
- Asis-ctf-finals-2014: numdroid
- PicoCTF-2014: Droid App
- NDH2k14-wargames: crackme200-ChunkNorris
- Hack.lu CTF 2013: Robot Plans
- CSAW Quals CTF 2015: Herpderper
- Atast CTF 2012 Bin 300
- Android Broadcast - Безопасность мобильных приложений
- Вопросы новичков о безопасности Android
- Как взламывают android-приложения и что после этого бывает (Workshop)
- Android Broadcast - Безопасность Android приложений
- Хранение ключей API в нативном коде
- Как прикрутить и отломать SSL pinning. CetificatePinner & NSC vs Reverse Engineer
- Открытая лекция: Основы информационной безопасности для мобильных разработчиков
- Динамический анализ мобильных приложений
- По следам Google I/O 2021: Безопасность и приватность
- Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps
- Android App Reverse Engineering Workshop
- Android Code Deobfuscation
- Android Security Symposium 2020. Day 1
- Android Security Symposium 2020. Day 2
- B3nac - Android application exploitation
- Deep Link Route and Validation Bypasses
- Exploiting Android deep links and exported components
- Mobile Hacking Workshop
- Hacking Android Apps with Frida
- Practical security for Android apps
- Modern security for Android Developers
- Modern Android Hacking
- Defending Your Users
- ANDROID APP SECURITY BASICS
- HACKING ANDROID WebViews
- Цикл видосов по Android Reverse Engineering
- Android Exploits 101 Workshop
- Best practices for making your app private by design
- Android Memory Safety Tools
- The most interesting (and unexpected) submissions to the Android Security Bulletin
- Introducing Play Integrity API: Protect your apps and games
- The Mobile Sec Special
- Mobile App Pentesting
- Easy mobile penetration testing with Brida
- The Worst Mobile Apps
- Learn modding Unity apps and games with Frida
- Forging Golden Hammer Against Android App Protections by Georges-Bastien Michel
- Community Podcast #1: Павел Васильев | Bluethooth, NFC и Диффи-Хэллман под эллиптическими кривыми
- Community Podcast #2: Сергей Тошин | Bug Bounty, Oversecured и жопочасы
- Травим баги DAST-ом — Эпизод #3
- Мобильный SSDLC
- Пентест мобильных приложений
- Развитие механизмов безопасности Android (от версии к версии)
- Безопасность мобильного OAuth 2.0
- Android Task Hijacking. Разбираем актуальную технику подмены приложений в Android
- Проверили с помощью PVS-Studio исходные коды Android, или никто не идеален
- Подменяем Runtime permissions в Android
- Как root-права и альтернативные прошивки делают ваш android смартфон уязвимым
- Drozer, эмулятор и эльфийские костыли
- Держи свой трафик в тайне. SSL Pinning — ещё раз о том же самом
- Tiktok data acquisition Frida tutorial, Frida Java Hook detailed explanation: code and example. Part 1
- Tiktok data acquisition Frida tutorial, Frida Java Hook detailed explanation: code and example. Part 2
- Frida. 11x256's Reverse Engineering blog
- Blog about Frida. grepharder blog
- Frida Scripting Guide
- Android Hacking with FRIDA
- How to hook Android Native methods with Frida (Noob Friendly)
- Frida scripting guide for Java
- Reverse Engineering Nike Run Club Android App Using Frida
- Pentesting Android Apps Using Frida
- Android Root Detection Bypass Using Objection and Frida Scripts
- Mobile Pentesting With Frida
- How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8
- Decrypting Mobile App Traffic using AES Killer and Frida
- Learn how to use Frida with Unity app
- Beginning Frida: Learning Frida use on Linux and (just a bit on) Wintel and Android systems with Python and JavaScript (Frida. hooking, and other tools)
- Подборка дисклозов с HackerOne
- Подробнейшая инструкция по настройке рабочего окружения
- Android Security Workshop
- OWASP Top 10: Static Analysis of Android Application & Tools Used
- Android security checklist: WebView
- Use cryptography in mobile apps the right way
- Why dynamic code loading could be dangerous for your apps: a Google example
- Arbitrary code execution on Facebook for Android through download feature
- Android Webview Exploited
- Android: Gaining access to arbitrary* Content Providers
- Exploiting memory corruption vulnerabilities on Android
- Two weeks of securing Samsung devices: Part 1
- Two weeks of securing Samsung devices: Part 2
- Evernote: Universal-XSS, theft of all cookies from all sites, and more
- Interception of Android implicit intents
- TikTok: three persistent arbitrary code executions and one theft of arbitrary files
- Oversecured automatically discovers persistent code execution in the Google Play Core Library
- Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913
- Android: Access to app protected components
- Android: arbitrary code execution via third-party package contexts
- 24,000 Android apps expose user data through Firebase blunders
- The wolf is back - Android malware modification
- Modern Security in Android. Part 1
- Modern Security in Android. Part 2
- Modern Security in Android. Part 3
- Android IPC: Part 1 – Introduction
- Android IPC: Part 2 – Binder and Service Manager Perspective
- StrandHogg 2
- Towards Discovering and Understanding Task Hijacking in Android
- Aarogya setu spyware analisys
- Playing Around With The Fuchsia Operating System Security
- Intercepting traffic from Android Flutter applications
- SafetyNet’s dreaded hardware attestation
- System hardening in Android 11
- Snapchat detection on Android
- Reversing an Android app Protector, Part 1 – Code Obfuscation & RASP
- Reversing an Android app Protector, Part 2 – Assets and Code Encryption
- Reversing an Android app Protector, Part 3 – Code Virtualization
- Structured fuzzing Android's NFC
- MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
- DJI ANDROID GO 4 APPLICATION SECURITY ANALYSIS
- B3nac - Android application exploitation
- Dynamic analysis of apps inside Android Cloning apps
- Tik-Tok App Analisys
- Exploiting Android Messengers with WebRTC
- Android Pentesting Labs - Step by Step guide for beginners
- An Android Hacking Primer
- Secure an Android Device
- Security tips
- OWASP Mobile Security Testing Guide
- Security Testing for Android Cross Platform Application
- Dive deep into Android Application Security
- Mobile Security Testing Guide
- Mobile Application Penetration Testing Cheat Sheet
- Android Applications Reversing 101
- Android Security Guidelines
- Android WebView Vulnerabilities
- OWASP Mobile Top 10
- Practical Android Phone Forensics
- Mobile Reverse Engineering Unleashed
- quark-engine - An Obfuscation-Neglect Android Malware Scoring System
- Root Detection Bypass By Manual Code Manipulation.
- GEOST BOTNET - the discovery story of a new Android banking trojan
- Magisk Systemless Root - Detection and Remediation
- AndrODet: An adaptive Android obfuscation detector
- Hands On Mobile API Security
- Zero to Hero - Mobile Application Testing - Android Platform
- Android Malware Adventures
- AAPG - Android application penetration testing guide
- Bypassing Android Anti-Emulation
- Bypassing Xamarin Certificate Pinning
- Configuring Burp Suite With Android Nougat
- Inspecting Android HTTP with a fake VPN
- Outlook for Android XSS
- Universal XSS in Android WebView
- Mobile Blackhat Asia 2020
- Lockscreen and Authentication Improvements in Android 11
- Firefox: How a website could steal all your cookies
- Exploiting a Single Instruction Race Condition in Binder
- An iOS hacker tries Android
- Hack crypto secrets from heap memory to exploit Android application
- A Special Attack Surface of the Android System (1): Evil Dialog Box
- Launching Internal & Non-Exported Deeplinks On Facebook
- Reverse engineering Flutter for Android
- Persistant Arbitrary code execution in mattermost android
- Common mistakes when using permissions in Android
- The art of exploiting UAF by Ret2bpf in Android kernel
- Re route Your Intent for Privilege Escalation (A Universal Way to Exploit Android PendingIntents in High profile and System Apps)
- A Deep Dive into Privacy Dashboard of Top Android Vendors
- Android Component Security | The Four Horsemen
- Android Application Testing Using Windows 11 and Windows Subsystem for Android
- Android Awesome Security
- Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition
- Malware uses Corporate MDM as attack vector
- Mobexler Checklist
- Ad Fraud Spotted in Barcode Reader Malware Analysis
- Researching Confide Messenger Encryption
- Reverse Engineering Snapchat (Part I): Obfuscation Techniques
- Reverse Engineering Snapchat (Part II): Deobfuscating the Undeobfuscatable
- Firebase Cloud Messaging Service Takeover
- Saying Goodbye to my Favorite 5 Minute P1
- Reverse engineering Flutter apps (Part 1)
- How I Hacked facebook Again!
- Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS
- How to use Ghidra to Reverse Engineer Mobile Application
- React Native Application Static Analysis
- Pentesting Non-Proxy Aware Mobile Applications Without Root/Jailbreak
- 2 click Remote Code execution in Evernote Android
- Android 13 deep dive: Every change up to DP2, thoroughly documented
- When Equal is Not, Another WebView Takeover Story
- Bypassing SSL pinning on Android Flutter Apps with Ghidra
- WhatsApp Bug Bounty: Bypassing biometric authentication using voip
- Intercepting Android Emulator SSL traffic with burp using magisk
- How Android updates work: A peek behind the curtains from an insider
- Obfuscated obfuscation. Analysing application under DexGuard
- Decrypting "Secret Calculator Photo Vault"
- Facebook BugBounty Writeups