Penetration Testing of Android apps: Top 10 tools
Mobile applications have been gaining popularity over traditional web applications for many reasons: ease of use, lower memory usage, portability and so on. As Android became more popular and devices became cheaper, people started to depend on mobile applications more. With Android and iOS applications, almost everything that can be done with a web application can now be achieved. In highly populated countries such as India, cheap data rates also attract users towards mobile applications. More apps and more users mean more vulnerabilities, and that is why mobile application penetration testing is necessary.
Today we are concentrating on Android. An Android application vulnerability assessment basically involves two steps: static analysis and dynamic analysis. In static analysis the application is decompiled and its code, manifest and resources are analysed (this is routine on Android, because an APK is just a zip archive of Dalvik bytecode and resources). In dynamic analysis you run the app with a transparent proxy configured between it and its server and test the traffic and runtime behaviour. In this post I list the Android static analysis, malware analysis and APK scanning tools that I personally use for vulnerability analysis.

Ostorlab
You need to log in to the Ostorlab web console to scan an APK. Once you submit the APK, scanning starts; when it is complete a URL is sent to the registered email address, and that URL gives access to the detailed static analysis report for the APK.

MobSF
MobSF is one of the most comprehensive and regularly updated penetration testing frameworks for mobile applications; both Android APKs and iOS IPAs can be tested with it. You clone the repository and install it locally, then drive it through its web GUI, which reports the findings; it supports dynamic analysis as well as static analysis. I have created a YouTube tutorial on installing MobSF and working through a sample APK with it. Go ahead and try it out.
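MobSF also exposes a REST API, which is the practical way to push many APKs through it from a pipeline rather than by hand through the GUI. The following is an added example of my own, not code from the MobSF project or from the tutorial: it assumes MobSF is running locally at http://127.0.0.1:8000 (override with the MOBSF_URL environment variable), takes the API key shown on the MobSF console from MOBSF_API_KEY, and uses the upload, scan and report_json endpoints as named in MobSF's REST API documentation (confirm them against the version you run). It needs only the Python standard library.

```python
# Added example: drive a local MobSF instance through its REST API with only the standard library.
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

BASE = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")  # assumption: MobSF's default local port


def encode_multipart(field, filename, data):
    """Build a multipart/form-data body for a single file field; returns (body, content_type)."""
    boundary = uuid.uuid4().hex
    body = b"".join([
        ("--%s\r\n" % boundary).encode(),
        ('Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (field, filename)).encode(),
        b"Content-Type: application/octet-stream\r\n\r\n",
        data,
        ("\r\n--%s--\r\n" % boundary).encode(),
    ])
    return body, "multipart/form-data; boundary=" + boundary


def api_post(path, api_key, body, content_type):
    """POST to MobSF; the API key goes in the Authorization header. Returns the parsed JSON reply."""
    req = urllib.request.Request(BASE + path, data=body, method="POST")
    req.add_header("Authorization", api_key)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.loads(resp.read().decode("utf-8"))


def form(fields):
    """URL-encode a plain form body; returns (body, content_type)."""
    return urllib.parse.urlencode(fields).encode("ascii"), "application/x-www-form-urlencoded"


def analyze_apk(apk_path, api_key):
    """Upload an APK, run the static scan and return the JSON report."""
    with open(apk_path, "rb") as fh:
        body, ctype = encode_multipart("file", os.path.basename(apk_path), fh.read())
    up = api_post("/api/v1/upload", api_key, body, ctype)
    # Older releases want scan_type and file_name alongside hash; newer ones only need hash.
    api_post("/api/v1/scan", api_key, *form({"hash": up["hash"], "scan_type": up["scan_type"], "file_name": up["file_name"]}))
    return api_post("/api/v1/report_json", api_key, *form({"hash": up["hash"]}))


def severity_counts(report):
    """Count findings by their 'severity' field anywhere in the report, independent of report layout."""
    counts = {}

    def walk(node):
        if isinstance(node, dict):
            if isinstance(node.get("severity"), str):
                counts[node["severity"]] = counts.get(node["severity"], 0) + 1
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(report)
    return counts


if __name__ == "__main__":
    report = analyze_apk(sys.argv[1], os.environ["MOBSF_API_KEY"])
    print(json.dumps(severity_counts(report), indent=2, sort_keys=True))
```

Run it as `MOBSF_API_KEY=... python mobsf_scan.py app.apk`. The severity counter walks the whole JSON rather than hard-coding report sections, because the layout of MobSF's report has changed between releases; if you want a gate in CI, fail the build when the "high" count is non-zero.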

Nviso APK scanner
No login is required to scan an APK with Nviso. You can optionally give your email address so that Nviso sends the result to your inbox once the APK analysis is completed.

Qark
Qark (Quick Android Review Kit) is an Android static analyser developed by LinkedIn. It is a command-line tool and can be installed from GitHub. Qark checks for private keys embedded in the source, weak or improper use of cryptography, potentially exploitable WebView configurations, exported preference activities, tapjacking and many more issues.
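To make concrete what the static analysis step described at the top of the post and Qark's checks actually amount to, here is an added example of my own (not Qark's code, and not from the original article): a small Python checker over a decoded project directory. It assumes AndroidManifest.xml is present as apktool decodes it (plain XML with the android: namespace) and that Java sources are present as jadx emits them. It flags the debuggable, allowBackup and usesCleartextTraffic application flags, components exported without a protecting permission (including those exported implicitly through an intent-filter, which is the behaviour before Android 12 / API 31), embedded private keys, weak ciphers and hashes, and WebView Java bridges. The sample manifest and source file it writes are constructed for this example.

```python
# Added example: Qark-style static checks over a decoded APK directory (see lead-in for assumptions).
import os
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace in ElementTree

# Constructed manifest: debug/backup/cleartext flags on; one exported activity with no
# permission; one receiver implicitly exported via intent-filter; one protected service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
# Constructed decompiled source carrying each pattern the rules below look for.
SAMPLE_SOURCE = """package com.example.demo;
public class Crypto {
    static final String KEY = "-----BEGIN RSA PRIVATE KEY-----\\nMIIEow...";
    void run(WebView w) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        MessageDigest md = MessageDigest.getInstance("MD5");
        w.getSettings().setJavaScriptEnabled(true);
        w.addJavascriptInterface(new Bridge(), "android");
    }
}
"""
APP_FLAGS = {
    "debuggable": "android:debuggable=true lets anyone with adb attach a debugger",
    "allowBackup": "android:allowBackup=true exposes app data through adb backup",
    "usesCleartextTraffic": "android:usesCleartextTraffic=true permits plain HTTP",
}
SOURCE_RULES = [
    ("private key embedded in source", re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----")),
    ("weak cipher or ECB mode", re.compile(r'Cipher\.getInstance\("(?:DES|RC4|AES/ECB)[^"]*"\)')),
    ("weak hash algorithm", re.compile(r'MessageDigest\.getInstance\("(?:MD5|SHA-?1)"\)')),
    ("WebView Java bridge reachable from page script", re.compile(r"\.addJavascriptInterface\(")),
]

def is_launcher(comp):
    """True if the component carries the LAUNCHER category, which has to be exported."""
    return any(c.get(A + "name") == "android.intent.category.LAUNCHER" for c in comp.iter("category"))

def check_manifest(path):
    """Return (finding, location) pairs for a decoded AndroidManifest.xml."""
    findings = []
    app = ET.parse(path).getroot().find("application")
    for attr, msg in APP_FLAGS.items():
        if app.get(A + attr) == "true":
            findings.append((msg, "<application>"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = comp.get(A + "exported")
        # Before API 31 a component with an intent-filter but no android:exported is exported implicitly.
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and not comp.get(A + "permission") and not is_launcher(comp):
            how = "explicitly" if exported == "true" else "implicitly via intent-filter"
            findings.append(("%s exported %s without a permission" % (comp.tag, how), comp.get(A + "name")))
    return findings

def scan_sources(root):
    """Walk .java files under root and return (finding, file:line) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".java"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    findings += [(rule, "%s:%d" % (full, lineno)) for rule, rx in SOURCE_RULES if rx.search(line)]
    return findings

def write_sample_project(root=None):
    """Write the constructed manifest and source file under root (a temp dir by default); returns root."""
    root = root or tempfile.mkdtemp(prefix="apk-static-")
    src = os.path.join(root, "sources", "com", "example", "demo")
    os.makedirs(src, exist_ok=True)
    with open(os.path.join(root, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MANIFEST)
    with open(os.path.join(src, "Crypto.java"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_SOURCE)
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else write_sample_project()
    for finding, where in check_manifest(os.path.join(root, "AndroidManifest.xml")) + scan_sources(root):
        print("[!] %-50s %s" % (finding, where))
```

Run it with no arguments to check the constructed sample, or point it at a real project: `apktool d app.apk -o out` gives the decoded manifest and `jadx -d out/sources app.apk` gives the Java sources under the same root. On the sample it reports the three application flags, SettingsActivity (explicitly exported, no permission) and BootReceiver (implicitly exported), and skips MainActivity (launcher) and SyncService (protected by a permission); the source rules hit the embedded key, AES/ECB, MD5 and addJavascriptInterface. Regex rules like these produce false positives, so treat each hit as a place to read, not as a confirmed bug.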

ImmuniWeb Mobile App Scanner
ImmuniWeb Mobile App Scanner is an online tool provided by High-Tech Bridge and one of the most comprehensive free APK scanners available online. A unique URL is provided once scanning is completed, leading to detailed descriptions of the issues found, presented in a distinctive way on a colourful dashboard with graphical summaries. Among the online scanners, ImmuniWeb has the best reports I've found.

AVC UnDroid
AVC UnDroid is another malware scanner, similar to Andrototal: it submits the APK to several malware scanning services and aggregates their verdicts into the final report.

VirusTotal
VirusTotal also scans uploaded APKs for malware. Among the malware scanners available online, I feel VirusTotal does the job in the neatest way.

APPCRITIQUE
Appcritique requires you to sign up on their web application to use the free scanner. They offer paid assessments as well.

Amaas
Amaas provides a dashboard once you sign up to their application. Multiple APKs can be scanned, and all the details are stored server side, so you can access a report whenever needed by logging into the account. However, there is an APK size limit that prevents scanning larger applications, which makes it unusable in many cases.
One Comment
Cybernyze
Hey,
This article on penetration testing for Android apps is a great read, thanks for putting it together. I’m glad to connect with another avid cyber security blogger.
More grease to your elbow… 🙂