Awesome Android Application Security

November 26, 2019

Android Application Security

This is a write-up of Android Application Security resources and tools which help with Android application pentesting and security research. This write-up is a step towards providing good quality content on the different topics in Android Application Security. The content will be updated from time to time to maintain the quality of the resources and to track the latest updates related to Android Application Security.

Note : This is a compiled write-up of Android Application Security resources. We are not promoting these resources in any way, and there are very likely many more great resources on Android Application Security which we have missed. If you know of any good resources, let us know by commenting below and we will add them to the write-up/list.

Pentesting Environment

Host device

A Windows, Linux or macOS device will work absolutely fine for all the tasks involved in Android pentesting.

Basic setup must include :

  1. Any one OS machine (Windows/Linux/Mac).
  2. Wi-Fi network
  3. One rooted device or any Android emulator (such as Genymotion or similar)
  4. One interception proxy for traffic (such as Burp Suite, ZAP, etc.)

Test Device

If you are testing on a real Android physical device, it should be rooted so that you have root privilege to access all the system files and to install all the tools required on the device for security testing.

If you don't have a rooted Android phone, you can use an Android emulator/virtual device for testing.

Root Access :

For easier pentesting of Android applications, having root privilege on the device/emulator is recommended, as it allows you to perform many tasks. The benefits of rooting your device for pentesting are:

  1. Root access to the file system
  2. Ability to install all the security tools
  3. Debugging and analysis capabilities
  4. Access to the application runtime

The resources mentioned below can be used to get a fully rooted Android device.

Rooting android devices :

Android is built on the Linux kernel, and the super user in Linux is known as root. The root user can perform any operation on an Android device, and the process of obtaining super user access is called rooting. Rooting an Android device requires:

  1. Unlocking the bootloader
  2. Installing a custom recovery such as TWRP or a similar tool

Note : Depending on your device configuration, select the tool version appropriate for your device.

For more details visit : xda-developers

Below are some tools which are often used in black-box testing of Android applications.

Analysers :

AVC UnDroid :

Virustotal :

AppCritique :

AMAaas :

Static Analysis Tools :

Androwarn :

ApkAnalyser :

Apkinspector :

Smali CFG generator :

FlowDroid :

Amandroid :

SmaliSCA :

SUPER :

CFGScanDroid :

Maldrolyzer :

ConDroid :

DroidRA :

RiskInDroid :

ClassyShark :

StaCoAn :

Quark :

Vulnerability Scanners :

Qark :

AndroBugs :

Nogotofail :

Dynamic Analysis Tools :

Android DBI Framework :

MobSF :

AppUse :

CobraDroid :

DroidBox :

Drozer :

Xposed :

Inspeckage :

Android Hooker :

ProbeDroid :

CuckooDroid :

Mem :

AuditAndroid :

Android Security Evaluation Framework :

Aurasium :

Android Linux Kernel Modules :

Appie :

StaDyna :

Virtual Machine with tools :

Mobexler :

Androl4b :

Android Tamer :

Vezir-Project :

Reverse Engineering :

Smali/Baksmali :

emacs syntax coloring for smali files :

vim syntax coloring for smali files :

AndBug :

Androguard :

Apktool :

Android Framework for Exploitation :

Bypass signature and permission checks for IPCs :

Android OpenDebug :

Dex2Jar :

Enjarify :

Dedexer :

Fino :

Frida :

Indroid :

IntentSniffer :

Introspy :

Jad :

Krakatau :

Procyon :

FernFlower :

Redexer :

Simplify Android deobfuscator :

Bytecode viewer :

Radare2 :

Jadx :

Dwarf :

Andromeda :

apk-mitm :

Fuzzing Tools :

Intent Fuzzer :

Radamsa Fuzzer :

Honggfuzz :

An Android port of the melkor ELF Fuzzer :

Media Fuzzing framework for Android :

Androfuzz :

Misc Tools :

smalihook :

AXMLPrinter2 :

adb autocomplete :

Dalvik opcodes :

mitmproxy :

Android Vulnerability Test Suite :

AppMon :

Internal Blue :

Labs for practice :

ExploitMe Android Labs :

GoatDroid :

Android InsecureBank :

Crawlers/apk downloaders :

Google play crawler (Java) :

Google play crawler (Python) :

Google play crawler (Node) :

Aptoide downloader (Node) :

Appland downloader (Node) :

Apkpure :

Reports and Resources :

Hardcoded Credentials :

Insecure Deeplinks :

SQL Injection :

Session Theft :

Insecure data storage :

Two-factor Authentication bypass :

Intent Spoofing :

JavaScript Injection :

Learning resources :

OWASP Mobile Security Testing Guide (OWASP MSTG)

Android Hacker’s Handbook

Blogs and Articles

Other Android Security Resource Compilations:

Smartphone App Security

Secure Coding for Android Applications

Android Application collusion demystified

MobileApp pentest cheat sheet

Awesome-mobile-CTF

Secure Mobile Development

Twitter handles to follow :

Did we miss something cool? Drop it in the comments below, and we will add it to the blog post.

Check out other posts related to Android security: