Penetration Testing of Android apps: Top 10 tools

Mobile applications have started gaining more popularity than the native web application because of many reasons. Say for example, ease of usage. Less memory usage, portability, etc. As the Android OS became more popular and devices became cheaper, people start to depend on Mobile applications more. With Android and iOS applications, almost everything can be achieved that can be done with web application. In highly populated countries such as India, the cheaper data rates also attracts users to move on with Mobile applications. More apps, more users means more vulnerabilities. And that’s why Mobile Application Pentest is necessary. 

Today we are concentrating on Android. Basically an Android application Vulnerability Assessment involves two steps viz Static analysis and Dynamic analysis. Static analysis is where the application code is decompiled and analysed (yes, it’s possible in Android, ). Dynamic analysis is where you configure a transparent proxy between the app and server and do the tests or whatever. Anyway, I am going to list out some of the Android static analysis/Malware analysis/APK scanning tools which I personally use for Vulnerability Analysis.


You need to login to the Ostorlab web console to scan the apk. Once you submit the apk it will start scanning it. A URL will be provided to the registered email once the scanning is completed. The URL can be used to access the detailed test report of the apk static analysis.


MobSF is one of the most comprehensive and regularly updated Penetration testing tool for mobile applications. Android APKs and iOS IPAs can be tested using MobSF. It is a commandline tool. You need to clone the repo and install it locally. MobSF support dynamic analysis with a neat web GUI to report vulnerabilities. I have created a YouTube tutorial to install and work with MobSF with a sample APK. Go ahead and try out.

Nviso APK scanner

No login is required to scan an APK in nviso. However you can specify your Email address so that once the APK analysis is completed nviso will send an email to your inbox.


Qark is an Android static analyser developed by LinkedIn. It is a command-line tool and can be isntalled from github. Qark checks for Private keys embedded in the source, Weak or improper cryptography use, Potentially exploitable WebView configurations, Exported Preference Activities, Tapjacking and many more.

ImmuniWeb Mobile App Scanner

ImmuniWeb Mobile App Scanner is an online tool provided by High-Tech Bridge. It is one of the most comprehensive free APK scanners available online. A unique url will be provided once the scanning is completed which will contain detailed descriptions about the issues. It also has a unique way of reporting the issues with a colourful dashboard and graphical representations. Among the online scanners ImmuniWeb has the best reports I've found.

AVC UnDroid

AVC UnDroid is another Malware scanner similar to Andrototal. Here they make use of several Malware scanning services to generate the final report.

Virus Total

Virus total also scans for Malwares on the uploaded APK. Among the Malware scanners available online, I feel Virus Total does the job in most neat way.


Appcritique needs you to signup to their web application to use the free scanner. They offer paid assessment as well.


Amaas provides with a dashboard once you sign up to their application. Multiple APKs can be scanned and all the details will be stored server side. You can access the report whenever needed by logging into the account. However there is an APK size limit which restrict scanning of larger applications makes it unusable at many cases.

Leave a Comment

View Comments

  • Hey,

    This article on penetration testing for Android apps is a great read, thanks for putting it together. I'm glad to connect with another avid cyber security blogger.

    More grease to your elbow... :)

  • I'd love to see more apps for modifying APKs and/or compiling/building new ones. A decompiler would be great. We can't really get into the nuts and bolts without such tools. That makes it harder to understand how apps work and we can't learn as much as we could if we have access to their base code.

Recent Posts

How to migrate from LastPass to Bitwarden

As a LastPass user, you might have noticed the changes introduced last day. The message… Read More

2 years ago

Amazon AWS network security checklist

This post presents with a few bunches of AWS network security checklist. It is basically… Read More

3 years ago

The long curated web security checklist based on OWASP

What is this web security checklist? Here is a curated web security checklist for developers… Read More

3 years ago

Penetration Testing for dummies – Part 3: Networking basics

In the last part of the blog series we have seen the history of internet… Read More

3 years ago

Penetration Testing for dummies – Part 2: Understanding web applications

Welcome back budding pen-testers. :) In the first part of the blog series we have… Read More

3 years ago

How to enable SSH on Google Cloud Compute Engine

Last day I was riddling with Evilginx, a phishing attack tool. It needs to be… Read More

4 years ago