Awesome Android Security

A collection of Android security-related resources

Last Update: Dec. 2, 2020, 9:05 a.m.

Thank you ashishb & contributors
View Topic on GitHub:
ashishb/android-security-awesome

Online Analyzers

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

Static Analysis Tools

Yet another static code analyzer for malicious Android applications

333
125
10m
LGPL-3.0
931
253
7y 8m
n/a

APKinspector is a powerful GUI tool for analysts to analyze the Android applications.

708
244
7y 9m
n/a

Smali Control Flow Graphs

100
50
6y 5m
n/a

Static Code Analysis for Smali files

268
74
1y 61d
n/a

Control Flow Graph Scanning for Android

41
9
5y 6m
GPL-2.0

Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.)

88
26
5y 7m
MIT

Symbolic/concolic execution of Android apps

39
14
4y 9m
n/a

Taming Reflection to Support Whole-Program Analysis of Android Apps

38
27
9m
LGPL-2.1

A tool for quantitative risk analysis of Android applications based on machine learning techniques

44
12
7m
MIT

Secure, Unified, Powerful and Extensible Rust Android Analyzer

318
55
96d
GPL-3.0

Analyze any Android/Java based app or game

6.49K
835
4m
Apache-2.0

StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing static code analysis on mobile applications.

672
121
1y 6m
MIT

Joint Advanced Defect assEsment for android applications

280
103
3y 7m
GPL-3.0

Malware (Analysis | Scoring System)

425
51
2d
GPL-3.0

One-Step APK Decompilation With Multiple Backends

133
21
67d
n/a

App Vulnerability Scanners

Tool to look for several security related Android application vulnerabilities

2.31K
535
114d
n/a

AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.

802
285
1y 7m
GPL-3.0

An on-path blackbox network traffic security testing tool

2.63K
394
104d
Apache-2.0

A mobile app vulnerability scanner, designed for security researchers and bug bounty hackers. It also allows integrations into the DevOps process for businesses.

Dynamic Analysis Tools

A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis

883
239
4m
n/a

A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.

776
131
6m
MIT

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

6.62K
1.8K
87d
GPL-3.0

Dynamic analysis of Android apps

551
198
6m
n/a

The Leading Security Assessment Framework for Android.

2.28K
596
6m
n/a

Android Package Inspector - dynamic analysis with API hooks, start unexported activities and more. (Xposed Module)

1.93K
421
8m
Apache-2.0

Hooker is an open-source project for dynamic analyses of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application.

375
115
4y 116d
GPL-3.0

An SDK for the creation of analysis tools without obtaining app source code in order to profile runtime performance, examine code coverage, and track high-risk behaviors of a given app on Android 5.0 and above.

182
39
1y 11m
MIT

DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. This is also the home of the DroidScope dynamic Android malware analysis platform. DroidScope is now an extension to DECAF.

597
166
9m
GPL-3.0

CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.

485
123
2y 4m
n/a

Tool used for dumping memory from Android devices

50
10
5y 5m
MIT

A Fork of Auditd geared specifically for running on the Android platform. Includes system applications, AOSP patches, and kernel patches to maximize the audit experience.

36
10
7y 6m
GPL-2.0

Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor

33
16
5y 10m
GPL-3.0

Android Loadable Kernel Modules - mostly used for reversing and debugging on controlled systems/emulators

155
63
6y 84d
GPL-2.0

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications

17
7
9m
n/a

Linux version (rewrite in Python)

25
18
5y 6m
n/a

Yet Another Linux Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis

79
18
4y 7m
n/a

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a toolkit that puts together commonly used mobile application reverse engineering and analysis tools to assist in testing mobile applications against the OWASP mobile security threats.

439
141
1y 4m
LGPL-3.0

Android Malware Sandbox

154
21
98d
Apache-2.0

A framework for automated extraction of static and dynamic features from Android applications

169
38
5m
n/a

Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime

854
140
96d
GPL-3.0

Reverse Engineering

smali/baksmali

4.55K
885
8m
n/a

Smali/Baksmali mode for Emacs

28
9
1y 10m
GPL-3.0

Android Debugging Library

540
207
4y 4m
GPL-3.0

Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja !)

3.29K
827
8d
Apache-2.0

Android Framework for Exploitation is a framework for exploiting Android-based devices

166
87
5y 68d
GPL-3.0

Bypass signature and permission checks for IPCs

67
30
6y 11m
GPL-2.0

Make any application debuggable

113
39
6y 11m
GPL-2.0

Tools to work with Android .dex and Java .class files

8.17K
1.57K
1y 89d
Apache-2.0
2.52K
485
1y 27d
Apache-2.0

Android small footprint inspection tool

87
36
6y 40d
MIT

Security profiling for blackbox Android

426
145
6y 10m
GPL-2.0

A standalone Java Decompiler GUI

9.35K
1.78K
11m
GPL-3.0

Java decompiler, assembler, and disassembler

1.25K
148
5m
GPL-3.0

Unofficial mirror of FernFlower Java decompiler (All pulls should be submitted upstream)

1.91K
418
116d
n/a

The Redexer binary instrumentation framework for Dalvik bytecode

133
32
4m
n/a

Android virtual machine and deobfuscator

3.43K
348
89d
n/a

A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)

11.71K
838
4m
GPL-3.0

UNIX-like reverse engineering framework and command-line toolset

13.49K
2.35K
3d
LGPL-3.0

Dex to Java decompiler

24.27K
2.95K
1d
Apache-2.0

Full featured multi arch/os debugger built on top of PyQt5 and frida

827
112
5m
GPL-3.0

Andromeda - Interactive Reverse Engineering Tool for Android Applications

617
70
8m
Apache-2.0

🤖 A CLI application that automatically prepares Android APK files for HTTPS inspection

661
90
116d
MIT

Simple Android application sandbox file browser tool. Powered by frida.re.

35
7
5m
MIT

CFR

Another Java decompiler by @LeeAtBenf.

Fuzz Testing

An Android port of radamsa fuzzer

55
17
11m
MIT

Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)

1.99K
410
93d
Apache-2.0

An Android port of the melkor ELF fuzzer

55
12
6y 105d
GPL-3.0

Media Fuzzing Framework for Android

294
109
4y 8m
GPL-2.0

A fuzzing utility for Android that focuses on reporting and delivery portions of the fuzzing process

32
6
6y 91d
MIT

App Repackaging Detectors

Fast detection of repackaged Android applications based on the comparison of resource files included into the package.

59
20
3y 94d
n/a

Market Crawlers

Play with Google Play API :)

484
190
1y 9m
n/a

Google Play Unofficial Python API - This project was a PoC and is not maintained anymore. Please feel free to fork it and improve it in any way.

819
380
3y 6m
n/a

Get details and download apps from https://play.google.com by emulating an Android (Nexus 5X) device by default. For a rust version of this library check out https://github.com/dweinstein/rs-google-play

244
76
4m
MIT

Aptoide app store APK download

16
5
5y 4m
n/a

appland client

12
2
5y 4m
n/a

Misc Tools

Bash completion for "adb" from the Google Android SDK

208
54
4y 4m
n/a

An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

20.78K
2.67K
3d
MIT

Dockerfile for use with the Androguard Python Android app analysis tool

33
14
1y 35d
n/a

Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.

984
285
1y 4m
n/a

Documentation:

1.04K
216
5m
Apache-2.0

Bluetooth experimentation framework for Broadcom and Cypress chips.

303
37
90d
n/a

Vulnerable Applications for practice

DIVA Android - Damn Insecure and vulnerable App for Android

526
169
1y 9m
GPL-3.0

Vuldroid is a Vulnerable Android Application made with security issues in order to demonstrate how they can occur in code

9
2
92d
n/a

This project is no longer maintained. OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform. Download the built version here: https://github.com/jackMannino/OWASP-GoatDroid-Project/downloads

203
81
6y 4m
n/a

Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities

753
260
1y 8d
MIT

Research Papers

Books

Others

The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

6.69K
1.42K
11d
CC-BY-SA-4.0

A W.I.P Android Security Ref

695
101
4m
n/a

Android App Security Checklist

564
148
2y 10m
n/a

The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics.

2.4K
837
94d
n/a

List

Malware

Bounty Programs

How to report Security issues

A big list of Android HackerOne disclosed reports and other resources.

498
146
92d
n/a