
0x08-Testing-Tools.md

Testing Tools

Different tools are available for security testing. They let you manipulate requests and responses, decompile apps, investigate the behaviour of running apps, and automate these and other test cases.

Mobile Application Security Testing Distributions

Static Source Code Analysis

All-in-One Mobile Security Frameworks

  • Mobile Security Framework - MobSF - https://github.com/ajinabraham/Mobile-Security-Framework-MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
  • Needle - https://github.com/mwrlabs/needle - Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps including Binary Analysis, Static Code Analysis, Runtime Manipulation using Cycript and Frida hooking, and so on.

Tools for Android

Reverse Engineering and Static Analysis

Dynamic and Runtime Analysis

  • Cydia Substrate - http://www.cydiasubstrate.com/ - Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.
  • Xposed Framework - http://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053 - Xposed framework enables you to modify the system or application aspect and behaviour at runtime, without modifying any Android application package (APK) or re-flashing.
  • logcat-color - https://github.com/marshall/logcat-color - A colorful and highly configurable alternative to the adb logcat command from the Android SDK.
  • Inspeckage - https://github.com/ac-pm/Inspeckage - Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
  • Frida - http://www.frida.re/ - The toolkit works using a client-server model and lets you inject into running processes not just on Android, but also on iOS, Windows and Mac.
  • Diff-GUI - https://github.com/antojoseph/diff-gui - A web framework to start instrumenting with the available modules, hooking native code and injecting JavaScript using Frida.
  • AndBug - https://github.com/swdunlop/AndBug - AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers.
  • Cydia Substrate: Introspy-Android - https://github.com/iSECPartners/Introspy-Android - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
  • Drozer - https://www.mwrinfosecurity.com/products/drozer/ - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
  • VirtualHook - https://github.com/rk700/VirtualHook - VirtualHook is a hooking tool for applications on Android ART (>=5.0). It's based on VirtualApp and therefore does not require root permission to inject hooks.

Bypassing Root Detection and SSL Pinning

Tools for iOS

Access Filesystem on iDevice

Reverse Engineering and Static Analysis

Dynamic and Runtime Analysis

Bypassing Root Detection and SSL Pinning

Tools for Network Interception and Monitoring

Interception Proxies

  • Burp Suite - https://portswigger.net/burp/download.html - Burp Suite is an integrated platform for performing security testing of applications.
  • OWASP ZAP - https://github.com/zaproxy/zaproxy - The OWASP Zed Attack Proxy (ZAP) is a free security tool which can help you automatically find security vulnerabilities in your web applications and web services.
  • Fiddler - http://www.telerik.com/fiddler - Fiddler is an HTTP debugging proxy server application which can capture HTTP and HTTPS traffic and log it for the user to review. Fiddler can also be used to modify HTTP traffic for troubleshooting purposes as it is being sent or received.
  • Charles Proxy - http://www.charlesproxy.com - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

IDEs

  • IntelliJ - https://www.jetbrains.com/idea/download/ - IntelliJ IDEA is a Java integrated development environment (IDE) for developing computer software.
  • Eclipse - https://eclipse.org/ - Eclipse is an integrated development environment (IDE) used in computer programming, and is the most widely used Java IDE.