Feb 06 2023

75 Best Android Penetration Testing Tools – 2023

Category: Pen Test,Security ToolsDISC @ 10:56 am

Android penetration testing tools are more often used by security industries to test the vulnerabilities in Android applications.

Here you can find the Comprehensive mobile penetration testing tools and resource list that covers Performing Penetration testing Operations in Android Mobiles.

Android is the biggest organized base of any mobile platform and developing fast—every day. Besides, Android is rising as the most extended operating system in this viewpoint because of different reasons.

Android Security Penetration Testing Tools

Online Analyzers

Following are the online analyzers used to pentest the android applications.

ApprayDynamic Analysis Tools for Android and iOS Applications
NowsecureComplete Mobile Security Testing tool for Android & iOS Tools
AppKnoxEfficient Security Testing Tools for Mobile Apps

Static Analysis Tools

AndrowarnDetects and warn the user about potential malicious behaviors developed by an Android application
ApkAnalyserVirtual Analysis Tools for Android Applications
APKInspectorGUI-based Security Analysis
DroidLegacyPentesting Kit
FlowDroidStatic Analysis Tool
Android DecompilerProfessional Reverse Engineering Toolkit
PSCoutA tool that extracts the permission specification from the Android OS source code using static analysis
Amandroidstatic analysis framework
SmaliSCASmali Static Code Analysis
CFGScanDroidScans and compares CFG against CFG of malicious applications
Madrolyzerextracts actionable data like C&C, phone number etc.
SPARTAverifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroidPerforms a combination of symbolic + concrete execution of the app
DroidRAVirtual Analysis
RiskInDroidA tool for calculating the risk of Android apps based on their permissions, with an online demo available.
SUPERSecure, Unified, Powerful, and Extensible Rust Android Analyzer
ClassySharkStandalone binary inspection tool which can browse any Android executable and show important info.

Mobile App Vulnerability Scanner Tools

QARKQARK by LinkedIn is for app developers to scan app for security issues
AndroBugsAndroid vulnerability analysis system
NogotofailNetwork security testing tool
DevknoxAutocorrect Android Security issues as if it was spell check from your IDE
JAADASJoint intraprocedural and inter-procedure program analysis tool to find vulnerabilities in Android apps, built on Soot and Scala

Dynamic Analysis Tools

Androl4bA Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
Android Malware Analysis Toolkit(Linux distro) Earlier it use to be an online analyzer
Mobile-Security-Framework MobSFMobile Security Framework is an intelligent, all-in-one open-source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis, and web API testing.
AppUsecustom build for pentesting
Cobradroidcustom image for malware analysis
Xposedequivalent of doing Stub based code injection but without any modifications to the binary
InspeckageAndroid Package Inspector – dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Android HookerDynamic Java code instrumentation (requires the Substrate Framework)
ProbeDroid Dynamic Java code instrumentation
Android Tamer Virtual / Live Platform for Android Security Professionals
DECAF Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
CuckooDroid Android extension for Cuckoo sandbox
Mem Memory analysis of Android Security (root required)
AuditdAndroid Android port of auditd, not under active development anymore
AurasiumPractical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Appie Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick or smartphone.This is a one-stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
StaDynA A system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
Vezir Project Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
MARA Mobile Application Reverse engineering and Analysis Framework
Taintdroid Requires AOSP compilation

Reverse Engineering

Smali/Baksmali apk decompilation
Androguard powerful, integrates well with other tools
Apktool really useful for compilation/decompilation (uses smali)
Android OpenDebugmake any application on device debuggable (using cydia substrate)
Dare .dex to .class converter
Dex2Jar dex to jar converter
Enjarify dex to jar converter from Google
Frida Inject javascript to explore applications and a GUI tool for it
Indroidthread injection kit
Jad Java decompiler
JD-GUIJava decompiler
CFRJava decompiler
KrakatauJava decompiler
ProcyonJava decompiler
FernFlowerJava decompiler
Redexerapk manipulation

Fuzz Testing

IntentFuzzer
Radamsa Fuzzer
Honggfuzz
An Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz

App Repackaging Detectors

FSquaDRAAndroid Security tool for detection of repackaged Android applications based on app resources hash comparison.

Market Crawlers

Google play crawler (Java) searching android applications on GooglePlay,
Google play crawler (Python) browse and download Android apps from Google Play
Google play crawler (Node) get app details and download apps from official Google Play Store
Aptoide downloader (Node) download apps from Aptoide third-party Android market
Appland downloader (Node)download apps from Appland third-party Android market

Misc Tools

smalihookDecompiler
APK-DownloaderDownloader
AXMLPrinter2to convert binary XML files to human-readable XML files
adb autocompleteRepo Downloader
Dalvik opcodesRegistry
Opcodes table for quick referenceRegistry
ExploitMe Android Labsfor practice
GoatDroid for practice
mitmproxyintercepting proxy 
dockerfile/androguardshell environment
Android Vulnerability Test Suite android-vts scans a device for set of vulnerabilities
AppMon–AppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida.

ANDROID SECURITY BOOK: 10 Simple Ways Billionaires Secure Their Android Devices

Checkout our previous posts on “Security Tools”

Computer Forensics

Building a Cybersecurity Toolkit

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Android Penetration Testing Tools, Android security, Pen testing, Security professionals