Free Android sec tools, resources and smartphonesdumbapps release

UPDATE: April 2nd – Added new pinning article thanks @an_animal!
UPDATE: Feb 14th – Added (draft, initial) forensics section, Added pinning links, thanks @an_animal for most pinning resources!

Android Security is like IPv6: it will catch you sooner or later :). It is becoming more common for web applications to involve a mobile application component. The purpose of this post is to get the average infosec person (or competent developer) up to speed as quickly as possible.

Free Tools

  • OWASP Mobisec ISO: This is a bootable ISO like Backtrack/Samurai WTF but for Mobile testing, including lots of tools, emulators, etc (i.e. saves you a lot of time) Click to explore  (Slides here). NOTE: You can install it on a VM for persistent changes, updates, etc
  • Dan Cornell/DenimGroup’s scripts (Click to explore): I made some small contributions to this new release and Dan added more improvements (released yesterday: Feb 13th!)
  • Android SSL bypass: This is an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented (pinning links below), as well as other debugging tasks: Click to explore (Source here)
  • Java Decompiler: Click to explore

NOTE: You need the Java source to do source code searches for insecure practices. jd-gui is simply the best tool for this; unfortunately it is a GUI tool, so you will have to open the .jar file manually and then click File / Save All Sources to write all the .java files to disk:

[Screenshot: jd-gui File / Save All Sources]
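As an added illustration of the "source code searches for insecure practices" step (an example script written for this post, not part of jd-gui, the Denim Group scripts or any other tool listed here): once the .java files are on disk, a pattern search over them is the usual next move in a code review. The directory layout, the sample source file and the pattern list are all assumptions constructed for the demonstration; the patterns are starting points a reviewer would extend for a real engagement.

```shell
#!/bin/sh
# Added example (not from the original post): grep decompiled Java sources,
# as saved by jd-gui, for patterns commonly flagged in a mobile code review.

# Build a small constructed source tree so the script runs offline.
# The file content is a made-up sample, not code from any real app.
make_sample_tree() {
  dir="${1:-sample_src}"
  mkdir -p "$dir/com/example"
  cat > "$dir/com/example/Net.java" <<'EOF'
package com.example;
public class Net {
    // constructed sample: trust-all TrustManager override (accepts any cert)
    public void checkServerTrusted(java.security.cert.X509Certificate[] c, String a) { }
    void f() { sock.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); }
    void g() { android.util.Log.d("tag", "password=" + pw); }
}
EOF
  echo "$dir"
}

# Print every line (file:line:text) matching one of the review patterns.
# Pattern list is an assumption: trust-all TrustManagers, permissive
# hostname verification, world-readable/writable files, and debug logging
# that may leak secrets. Uses find + grep so it works without GNU --include.
find_insecure_patterns() {
  dir="$1"
  find "$dir" -name '*.java' -exec grep -nE \
    -e 'ALLOW_ALL_HOSTNAME_VERIFIER' \
    -e 'checkServerTrusted' \
    -e 'MODE_WORLD_(READABLE|WRITEABLE)' \
    -e 'Log\.(d|v|i)\(' \
    {} +
}

# Number of matching lines, as a plain integer (wc may pad with spaces).
count_findings() {
  find_insecure_patterns "$1" | wc -l | tr -d ' '
}

# Usage: sh review_grep.sh --demo   (runs against the constructed sample)
#        or call find_insecure_patterns <dir-of-saved-sources>
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample_tree "$(mktemp -d)/src")
  find_insecure_patterns "$d"
  echo "findings: $(count_findings "$d")"
fi
```

The hits are review leads, not confirmed findings: a `checkServerTrusted` override is only a problem if its body skips validation, and a `Log.d` call only matters if the logged value is sensitive, so each match still needs to be read in context.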

Vulnerable Apps

Useful Presentations

  • OWASP Top 10 Mobile Risk (Jack Mannino, Zack Lanier, Mike Zusman) Click to explore
  • Advanced Code Review Techniques (Prashant Verma, Dinesh Shetty): Click to explore
  • UI Redressing Attacks on Android Devices (Marcus Niemietz): Click to explore (Paper here)
  • Whack-A-Mobile II (Secure Ideas: Kevin Johnson, Tony DeLaGrange): Click to explore
  • Mobile Malfeasance (Jason Haddix) Click to explore
  • Seven Ways to Hang Yourself with Google Android (Yekaterina Tsipenyuk O’Neil and Erika Chin): Click to explore (NOTE: Android Intent Madness explained here!)
  • TEAM JOCH vs. Android: The Ultimate Showdown (Jon Oberheide, Zach Lanier): Click to explore
  • Mobile Threats and OWASP Mobile Top 10 Risks (Securbay): Click to explore
  • Secure Android Applications The OWASP Way (Jack Mannino): Click to explore
  • Mobile Application Security Code Reviews (Dan Cornell/DenimGroup): Click to explore
  • Cracking the Code of Mobile Applications (Sreenarayan Ashokkumar): Click to explore (Slides here)
  • (Italian with lots of English, easy for Spaniards/Valencian-Catalonian speakers :)) – OWASP Top 10 Mobile Risks: Click to explore

On SSL validation and pinning

Forensics

  • FROST: Forensic Recovery Of Scrambled Telephones (full disk encryption bypass via cold boot attacks against new Android 4 devices): Click to explore

Further reading

P.S. If there is something useful I missed above, please let me know and I will update this blog post. Thank you in advance.