- Blog
- How To's
- Papers
- Books
- Trainings
- Tools
- Labs
- Talks
- Misc
- Bug Bounty & Writeups
- Cheat Sheet
- Checklist
- Bug Bounty Report
- 1-click Exploit in South Korea's biggest mobile chat app
- 20 Security Issues Found in Xiaomi Devices
- Bypass Instagram and Threads SSL pinning on Android
- Reverse Engineering Android game Coin Hunt World and its communication protocol to cheat the app
- Discovering vendor-specific vulnerabilities in Android
- Technical analysis of Alien android malware
- Lock Screen Bypass Exploit of Android Devices (CVE-2022–20006)
- Analysis of Android banking Trojan MaliBot that is based on S.O.V.A banker
- Pending Intents: A Pentester’s view
- Android security checklist: theft of arbitrary files
- Protecting Android users from 0-Day attacks
- Reversing an Android sample which uses Flutter
- Step-by-step guide to reverse an APK protected with DexGuard using Jadx
- Use cryptography in mobile apps the right way
- Android security checklist: WebView
- Common mistakes when using permissions in Android
- Two weeks of securing Samsung devices: Part 2
- Why dynamic code loading could be dangerous for your apps: a Google example
- Two weeks of securing Samsung devices: Part 1
- How to exploit insecure WebResourceResponse configurations + an example of the vulnerability in Amazon apps
- Exploiting memory corruption vulnerabilities on Android + an example of such vulnerability in PayPal apps
- Capture all android network traffic
- Reverse Engineering Clubhouse
- Escape the Chromium sandbox on Android Devices
- Android Penetration Testing: Frida
- Android: Gaining access to arbitrary* Content Providers
- Getting root on a 4G LTE mobile hotspot
- Exploiting new-era of Request forgery on mobile applications
- Deep Dive into an Obfuscation-as-a-Service for Android Malware
- Evernote: Universal-XSS, theft of all cookies from all sites, and more
- Interception of Android implicit intents
- AAPG - Android application penetration testing guide
- TikTok: three persistent arbitrary code executions and one theft of arbitrary files
- Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913
- Android: Access to app protected components
- Android: arbitrary code execution via third-party package contexts
- Android Pentesting Labs - Step by Step guide for beginners
- An Android Hacking Primer
- An Android Security tips
- OWASP Mobile Security Testing Guide
- Security Testing for Android Cross Platform Application
- Dive deep into Android Application Security
- Pentesting Android Apps Using Frida
- Mobile Security Testing Guide
- Android Applications Reversing 101
- Android Security Guidelines
- Android WebView Vulnerabilities
- OWASP Mobile Top 10
- Practical Android Phone Forensics
- Mobile Pentesting With Frida
- Zero to Hero - Mobile Application Testing - Android Platform
- Detecting Dynamic Loading in Android Applications
- Static Analysis for Android and iOS
- Dynamic Analysis for Android and iOS
- Exploring intent-based Android security vulnerabilities on Google Play (part 1/3)
- Hunting intent-based Android security vulnerabilities with Snyk Code (part 2/3)
- Mitigating and remediating intent-based Android security vulnerabilities (part 3/3)
- Strengthening Android Security: Mitigating Banking Trojan Threats
- How to analyze mobile malware: a Cabassous/FluBot Case study
- How to Bypasses Iframe Sandboxing
- How To Configuring Burp Suite With Android Nougat
- How To Bypassing Xamarin Certificate Pinning
- How To Bypassing Android Anti-Emulation
- How To Secure an Android Device
- Android Root Detection Bypass Using Objection and Frida Scripts
- Root Detection Bypass By Manual Code Manipulation.
- Magisk Systemless Root - Detection and Remediation
- How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8
- A systematic analysis of commercial Android packers
- A Large-Scale Study on the Adoption of Anti-Debugging and Anti-Tampering Protections in Android Apps
- Things You May Not Know About Android (Un)Packers
- Happer: Unpacking Android Apps via a Hardware-Assisted Approach
- AndrODet: An adaptive Android obfuscation detector
- GEOST BOTNET - the discovery story of a new Android banking trojan
- Dual-Level Android Malware Detection
- An Investigation of the Android Kernel Patch Ecosystem
- SEI CERT Android Secure Coding Standard
- Android Security Internals
- Android Cookbook
- Android Hacker's Handbook
- Android Security Cookbook
- The Mobile Application Hacker's Handbook
- Android Malware and Analysis
- Android Security: Attacks and Defenses
- Learning Penetration Testing For Android Devices
- Android Hacking 2020 Edition
- SEC575: Mobile Device Security and Ethical Hacking
- Android Reverse Engineering_pt-BR
- Learning-Android-Security
- Advanced Android Development
- Learn the art of mobile app development
- Learning Android Malware Analysis
- Android App Reverse Engineering 101
- MASPT V2
- Android Pentration Testing(Persian)
- BlackDex is an Android unpack(dexdump) tool
- Deoptfuscator - Deobfuscator for Android Application
- Android Reverse Engineering WorkBench for VS Code
- Apktool:A tool for reverse engineering Android apk files
- Defeat Java packers via Frida instrumentation
- quark-engine - An Obfuscation-Neglect Android Malware Scoring System
- DeGuard:Statistical Deobfuscation for Android
- jadx - Dex to Java decompiler
- Amandroid – A Static Analysis Framework
- Androwarn – Yet Another Static Code Analyzer
- Droid Hunter – Android application vulnerability analysis and Android pentest tool
- Error Prone – Static Analysis Tool
- Findbugs – Find Bugs in Java Programs
- Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.
- Flow Droid – Static Data Flow Tracker
- Smali/Baksmali – Assembler/Disassembler for the dex format
- Smali-CFGs – Smali Control Flow Graph’s
- SPARTA – Static Program Analysis for Reliable Trusted Apps
- Gradle Static Analysis Plugin
- Checkstyle – A tool for checking Java source code
- PMD – An extensible multilanguage static code analyzer
- Soot – A Java Optimization Framework
- Android Quality Starter
- QARK – Quick Android Review Kit
- Infer – A Static Analysis tool for Java, C, C++ and Objective-C
- Android Check – Static Code analysis plugin for Android Project
- FindBugs-IDEA Static byte code analysis to look for bugs in Java code
- APK Leaks – Scanning APK file for URIs, endpoints & secrets
- Trueseeing – fast, accurate and resillient vulnerabilities scanner for Android apps
- StaCoAn – crossplatform tool which aids developers, bugbounty hunters and ethical hackers
- APKScanner
- Vulert - Vulert can scan Gradle lockfiles gradle.lockfile to detect the existing vulnerabilities in your dependencies and monitor for future vulnerabilities as new CVEs emerge, this helps keep your Android apps safe from supply chain threats.
- Mobile Audit – Web application for performing Static Analysis and detecting malware in Android APKs
- mariana-trench - Our security focused static analysis tool for Android and Java applications.
- semgrep-rules-android-security
- Mobile-Security-Framework MobSF
- Magisk v23.0 - Root & Universal Systemless Interface
- Runtime Mobile Security (RMS) - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
- House: A runtime mobile application analysis toolkit with a Web GUI
- Objection - Runtime Mobile Exploration toolkit, powered by Frida
- NullKia - Mobile security framework supporting 18 manufacturers with baseband exploitation, TEE/TrustZone research, cellular security, and eSIM tools
- Droid-FF - Android File Fuzzing Framework
- Drozer
- Slicer-automate APK Recon
- Inspeckage
- PATDroid - Collection of tools and data structures for analyzing Android applications
- Radare2 - Unix-like reverse engineering framework and commandline tools
- Cutter - Free and Open Source RE Platform powered by radare2
- ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)
- MPT - Mobile Pentest Toolkit (MPT) is a must-have solution for your android penetration testing workflows.
- Guardsquare AppSweep
- Oversecured
- Android Observatory APK Scan
- AndroTotal
- VirusTotal
- Scan Your APK
- AVC Undroid
- OPSWAT
- ImmuniWeb Mobile App Scanner
- Ostor Lab
- Quixxi
- TraceDroid
- Visual Threat
- App Critique
- Jotti's malware scan
- kaspersky scanner
- Hudson Rock
- Android APK Decompiler
- Java Decompiler APk
- APK DECOMPILER APP
- DeAPK is an open-source, online APK decompiler
- apk and dex decompilation back to Java source code
- APK Decompiler Tools
- Forensic Analysis for Mobile Apps (FAMA)
- Andriller
- Autopsy
- bandicoot
- Fridump-A universal memory dumper using Frida
- LiME - Linux Memory Extractor
- Damn-Vulnerable-Bank
- OVAA (Oversecured Vulnerable Android App)
- DIVA (Damn insecure and vulnerable App)
- OWASP Security Shepherd
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- OWASP-mstg(UnCrackable Mobile Apps)
- VulnerableAndroidAppOracle
- Android InsecureBankv2
- Purposefully Insecure and Vulnerable Android Application (PIIVA)
- Sieve app(An android application which exploits through android components)
- DodoVulnerableBank(Insecure Vulnerable Android Application that helps to learn hacing and securing apps)
- Digitalbank(Android Digital Bank Vulnerable Mobile App)
- AppKnox Vulnerable Application
- Vulnerable Android Application
- Android Security Labs
- Android-security Sandbox
- VulnDroid(CTF Style Vulnerable Android App)
- FridaLab
- Santoku Linux - Mobile Security VM
- AndroL4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
- One Step Ahead of Cheaters -- Instrumenting Android Emulators
- Vulnerable Out of the Box: An Evaluation of Android Carrier Devices
- Rock appround the clock: Tracking malware developers by Android
- Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre
- Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
- Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
- Hide Android Applications in Images
- Scary Code in the Heart of Android
- Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android
- Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
- Android FakeID Vulnerability Walkthrough
- Unleashing D* on Android Kernel Drivers
- The Smarts Behind Hacking Dumb Devices
- Overview of common Android app vulnerabilities
- Advanced Android Bug Bounty skills
- Android security architecture
- Get the Ultimate Privilege of Android Phone
- Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps
- Bad Binder: Finding an Android In The Wild 0day
- Deep dive into ART(Android Runtime) for dynamic binary analysis
- PhoneSploit with Metasploit Integration
- Android Malware Adventures
- Android-Reports-and-Resources
- Hands On Mobile API Security
- Android Penetration Testing Courses
- Lesser-known Tools for Android Application PenTesting
- android-device-check - a set of scripts to check Android device security configuration
- apk-mitm - a CLI application that prepares Android APK files for HTTPS inspection
- Andriller - is software utility with a collection of forensic tools for smartphones
- Dexofuzzy: Android malware similarity clustering method using opcode sequence-Paper
- Chasing the Joker
- Side Channel Attacks in 4G and 5G Cellular Networks-Slides
- Shodan.io-mobile-app for Android
- Popular Android Malware 2019
- Popular Android Malware 2020
- Popular Android Malware 2021
- Popular Android Malware 2022
- Mobile Application Penetration Testing Cheat Sheet
- ADB (Android Debug Bridge) Cheat Sheet
- Frida Cheatsheet and Code Snippets for Android