5. P.1. Methodology
P.1.2. MSTG
General parts
Mobile App Authentication Architectures
Testing Network Communication
Cryptography in Mobile Apps
Testing Code Quality
Tampering and Reverse Engineering
Testing User Education
https://github.com/OWASP/owasp-mstg
6. P.1. Methodology
P.1.2. MSTG Android specific parts
Platform Overview
Android Basic Security Testing
Data Storage on Android
Android Cryptographic APIs
Local Authentication on Android
Android Network APIs
Android Platform APIs
Code Quality and Build Settings for Android Apps
Tampering and Reverse Engineering on Android
Android Anti-Reversing Defenses
7. P.1. Methodology
P.1.3. MASVS
V1: Architecture, Design and Threat Modeling Requirements
V2: Data Storage and Privacy Requirements
V3: Cryptography Requirements
V4: Authentication and Session Management Requirements
V5: Network Communication Requirements
V6: Environmental Interaction Requirements
V7: Code Quality and Build Setting Requirements
V8: Resiliency Against Reverse Engineering Requirements
https://github.com/OWASP/owasp-masvs
9. P.2. Static testing Android-app
P.2.1. MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile
application (Android/iOS/Windows) pen-testing, malware analysis and
security assessment framework capable of performing static and
dynamic analysis.
https://github.com/MobSF/Mobile-Security-Framework-MobSF
11. P.2. Static testing Android-app
P.2.2. Androbugs framework
AndroBugs Framework is an Android vulnerability analysis system that
helps developers and penetration testers find potential security vulnerabilities
in Android applications. It has no GUI, but it is fast (less than 2 minutes
per scan on average) and reasonably accurate; its findings still need manual confirmation.
https://github.com/AndroBugs/AndroBugs_Framework
13. P.2. Static testing Android-app
P.2.3. QARK
QARK is an easy to use tool capable of finding common security vulnerabilities in Android
applications. Unlike commercial products, it is 100% free to use. QARK features educational
information allowing security reviewers to locate precise, in-depth explanations of the
vulnerabilities. QARK automates the use of multiple decompilers, leveraging their combined
outputs, to produce superior results, when decompiling APKs. Finally, the major advantage
QARK has over traditional tools, that just point you to possible vulnerabilities, is that it can
produce ADB commands, or even fully functional APKs, that turn hypothetical vulnerabilities
into working "POC" exploits.
https://github.com/linkedin/qark
15. P.2. Static testing Android-app
P.2.4. VCG scanner
VCG is an automated code security review tool for C++, C#, VB, PHP,
Java and PL/SQL which is intended to drastically speed up the code
review process by identifying bad/insecure code. It works on source files, so an
APK has to be decompiled to Java first (for example with jadx) before VCG can scan it.
https://sourceforge.net/projects/visualcodegrepp/
20. P.3. Dynamic testing Android-app
P.3.2. Inspeckage
Inspeckage - Android Package Inspector
Inspeckage is a tool developed to offer dynamic analysis of Android applications. By
applying hooks to functions of the Android API, Inspeckage will help you understand
what an Android application is doing at runtime. It is an Xposed module, so it needs a
rooted device (or emulator) with the Xposed framework installed. Hooked areas:
● Shared Preferences
● Serialization
● Crypto
● Hash
● SQLite
● HTTP
● FileSystems
● IPC
https://github.com/ac-pm/Inspeckage
https://habr.com/ru/post/432820/
22. P.3. Dynamic testing Android-app
P.3.3. LogCat
Logcat is a command-line tool that dumps a
log of system messages, including stack traces
when the device throws an error and
messages that you have written from your app
with the Log class. Since Android 4.1 third-party apps can no longer read
other apps' log output, but anyone with adb access (or a backup of a bug report)
still sees everything the app logged, so credentials, tokens and personal data in
logcat are a finding (MSTG data-storage tests).
https://developer.android.com/studio/command-line/logcat
https://habr.com/ru/post/432820/
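The check described above, as an added example (not part of the slides or of Android's logcat tooling): a scanner that parses logcat "threadtime" lines and flags messages that look like passwords, bearer tokens, JWTs, API keys or card numbers. The sample log lines are constructed; the Luhn check keeps 13-digit timestamps from being reported as card numbers.

```python
"""Scan logcat output for secrets an app should never log.

Added example. Run it on saved output (`adb logcat -d -v threadtime > log.txt`)
or live via scan_live(); SAMPLE_LOGCAT below is constructed for the demo.
"""
import re
import subprocess
from dataclasses import dataclass, field

# logcat "threadtime" format: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Heuristic patterns; tune them for the app under test.
SECRET_PATTERNS = {
    "password": re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9\-._~+/]+=*"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}"),
    "api_key": re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9\-_]{8,}"),
}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass
class Finding:
    tag: str
    kinds: list = field(default_factory=list)
    line: str = ""


def luhn_ok(digits):
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_line(line):
    m = LOGCAT_LINE.match(line)
    return m.groupdict() if m else None


def scan_logcat(lines, tag_filter=None):
    """Return one Finding per log line that contains something secret-looking."""
    findings = []
    for raw in lines:
        rec = parse_line(raw.rstrip("\n"))
        if rec is None:
            continue
        tag = rec["tag"].strip()
        if tag_filter and tag not in tag_filter:
            continue
        kinds = [k for k, pat in SECRET_PATTERNS.items() if pat.search(rec["msg"])]
        for cand in CARD_CANDIDATE.findall(rec["msg"]):
            if luhn_ok(re.sub(r"\D", "", cand)):
                kinds.append("card_number")
                break
        if kinds:
            findings.append(Finding(tag, kinds, raw.rstrip("\n")))
    return findings


def scan_live(pid=None):
    """Dump the current log buffer through adb and scan it (needs adb and a device)."""
    cmd = ["adb", "logcat", "-d", "-v", "threadtime"]
    if pid:
        cmd.append("--pid=%d" % pid)  # --pid exists in logcat from Android 7.0
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return scan_logcat(out.splitlines())


# Constructed sample; the values are fakes chosen to trigger each pattern once.
SAMPLE_LOGCAT = """\
03-14 10:22:01.123  4321  4321 D LoginActivity: onClick user=alice password=Sup3rSecret!
03-14 10:22:01.456  4321  4350 I OkHttp  : --> GET https://api.example.com/me
03-14 10:22:01.457  4321  4350 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc123DEFghi
03-14 10:22:02.500  4321  4321 D Config: api_key="AKIAEXAMPLE1234567890" loaded
03-14 10:22:02.001  4321  4321 V Payments: charging card 4111 1111 1111 1111 exp 12/27
03-14 10:22:02.002  4321  4321 I Payments: request id 1710412922002 completed
03-14 10:22:03.000   987   987 W ActivityManager: Slow operation: 120ms so far
"""

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT.splitlines()):
        print("[%s] %s: %s" % (",".join(f.kinds), f.tag, f.line))
```

Filter by the app's PID (`adb shell pidof <package>`) during a real test so system noise does not drown the app's own tags, and re-run after exercising login, payment and error paths, which are where leaks usually appear.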
25. P.3. Dynamic testing Android-app
P.3.4. MobSF
Run a Genymotion Android VM before starting MobSF. Everything will be configured
automatically at runtime. MobSF requires Genymotion Android x86 VMs version 4.1 to 9.0 for
dynamic analysis. We recommend using Android 7.0 and above. Supported VM and Android
versions change between MobSF releases, so check the README of the version you run.
HTTPS Proxy
● For Android versions 4.4 - 9.0, global proxy settings are automatically applied at runtime.
● For Android version 4.1 - 4.3, set Android VM proxy as displayed in Dynamic Analysis
page.
27. P.3. Dynamic testing Android-app
P.3.5. Drozer
Drozer (formerly Mercury) is a security testing framework for Android.
Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of
an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
Drozer provides tools to help you use, share and understand public Android exploits. It helps you to
deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR's
advanced exploitation payload) drozer is able to maximise the permissions available to it by
installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell
to act as a Remote Access Tool (RAT).
Basic workflow: install the agent APK on the device, start its embedded server, forward the port
with "adb forward tcp:31415 tcp:31415" and run "drozer console connect". Then, for example,
"run app.package.attacksurface <package>" lists exported components and
"run app.provider.query content://<authority>/" or "run scanner.provider.injection -a <package>"
exercises exported content providers.
https://github.com/mwrlabs/drozer (the project now lives at https://github.com/WithSecureLabs/drozer)
https://habr.com/ru/post/352252/
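What drozer's "app.package.attacksurface" reports from the device, and what AndroBugs and QARK flag statically from the manifest, can be reproduced offline from a decoded AndroidManifest.xml. The following is an added example (not drozer's, QARK's or AndroBugs' own code): it applies the platform's export rules, lists exported components that no permission protects, and emits the drozer commands to exercise them. The manifest is constructed for the demo; the drozer module names and options are those of drozer 2.x.

```python
"""List an app's exported IPC attack surface from a decoded AndroidManifest.xml.

Added example. Feed it the manifest written by apktool or jadx.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, target_sdk):
    """Platform default rules: an explicit android:exported wins; a component with an
    <intent-filter> is exported by default (targetSdk 31+ refuses to install without an
    explicit value, so treat it as exported and flag it); providers without the attribute
    were exported by default only for targetSdk < 17."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.find("intent-filter") is not None:
        return True
    if elem.tag == "provider":
        return target_sdk < 17
    return False


def attack_surface(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or 1) if uses_sdk is not None else 1
    app = root.find("application")
    result = {"package": package, "target_sdk": target_sdk,
              "debuggable": (_attr(app, "debuggable") or "false").lower() == "true",
              "components": []}
    for elem in app.iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, target_sdk):
            continue
        name = _attr(elem, "name") or ""
        if name.startswith("."):
            name = package + name
        entry = {"type": elem.tag, "name": name, "permission": _attr(elem, "permission")}
        if elem.tag == "provider":
            entry["authorities"] = _attr(elem, "authorities")
            entry["grant_uri_permissions"] = (_attr(elem, "grantUriPermissions") or "false").lower() == "true"
            protected = any(_attr(elem, a) for a in ("permission", "readPermission", "writePermission"))
            # <path-permission> children are not evaluated here; check them by hand.
        else:
            protected = entry["permission"] is not None
        entry["unprotected"] = not protected
        result["components"].append(entry)
    return result


def drozer_followups(result):
    """drozer console commands that poke each unprotected exported component."""
    pkg, cmds = result["package"], []
    for c in result["components"]:
        if not c["unprotected"]:
            continue
        if c["type"] in ("activity", "activity-alias"):
            cmds.append("run app.activity.start --component %s %s" % (pkg, c["name"]))
        elif c["type"] == "service":
            cmds.append("run app.service.start --component %s %s" % (pkg, c["name"]))
        elif c["type"] == "receiver":
            cmds.append("run app.broadcast.send --component %s %s" % (pkg, c["name"]))
        elif c["type"] == "provider":
            for auth in (c["authorities"] or "").split(";"):
                cmds.append("run app.provider.query content://%s/" % auth)
            cmds.append("run scanner.provider.injection -a %s" % pkg)
    return cmds


# Constructed manifest with one of each interesting case.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.bank.permission.SYNC"/>
    <receiver android:name=".OtpReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".AccountsProvider" android:authorities="com.example.bank.accounts" android:exported="true" android:grantUriPermissions="true"/>
    <provider android:name=".CacheProvider" android:authorities="com.example.bank.cache"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    res = attack_surface(SAMPLE_MANIFEST)
    for c in res["components"]:
        print("%-15s %-40s %s" % (c["type"], c["name"], "UNPROTECTED" if c["unprotected"] else c["permission"]))
    print("\n".join(drozer_followups(res)))
```

The static result tells you what to query; drozer (or the app itself) tells you what those components actually do with untrusted input, so treat the list as the starting point for the dynamic session, not as findings by itself.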
30. P.3. Dynamic testing Android-app
P.3.6. Frida
Frida, as described by its creators, is "a dynamic code
instrumentation toolkit. It lets you inject snippets of JavaScript or
your own library into native apps on Windows, macOS, Linux, iOS,
Android, and QNX". On Android it needs frida-server running on a rooted device,
or the Frida gadget library embedded into a repackaged APK.
https://frida.re
https://www.notsosecure.com/pentesting-android-apps-using-frida/
https://codeshare.frida.re/browse?page=1
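The kind of hook Inspeckage's "Crypto"/"Hash" hooks apply from Xposed, written for Frida, as an added example (not from the slides, frida.re or Inspeckage): the JavaScript payload intercepts Cipher.getInstance, MessageDigest.getInstance and SecretKeySpec in the app process and reports them, the Python host attaches with Frida's Python bindings (pip install frida frida-tools), and the helpers on the host side apply the MSTG cryptography checks (weak algorithms, ECB, short or hard-coded keys) to what the hooks report. The package name is a placeholder.

```python
"""Hook an Android app's JCA crypto calls with Frida and flag weak choices.

Added example. Needs frida-server on the device and the frida Python package
on the host; the classification helpers run without either.
"""
import sys

TARGET_PACKAGE = "com.example.app"  # placeholder: replace with the app under test

# Runs inside the app. Every hook reports the call, then forwards it unchanged.
HOOK_JS = r"""
Java.perform(function () {
  function hex(bytes) {
    var s = "";
    for (var i = 0; i < bytes.length; i++) s += ("0" + (bytes[i] & 0xff).toString(16)).slice(-2);
    return s;
  }
  var Cipher = Java.use("javax.crypto.Cipher");
  Cipher.getInstance.overload("java.lang.String").implementation = function (t) {
    send({ kind: "cipher", transformation: t });
    return this.getInstance(t);
  };
  var Digest = Java.use("java.security.MessageDigest");
  Digest.getInstance.overload("java.lang.String").implementation = function (alg) {
    send({ kind: "digest", algorithm: alg });
    return this.getInstance(alg);
  };
  var KeySpec = Java.use("javax.crypto.spec.SecretKeySpec");
  KeySpec.$init.overload("[B", "java.lang.String").implementation = function (key, alg) {
    send({ kind: "key", algorithm: alg, key_hex: hex(key) });
    return this.$init(key, alg);
  };
});
"""

WEAK_CIPHERS = {"DES", "DESEDE", "RC4", "ARCFOUR", "RC2", "BLOWFISH"}
WEAK_DIGESTS = {"MD2", "MD5", "SHA-1", "SHA1"}


def classify_transformation(transformation):
    """Split a JCA transformation ("AES/ECB/PKCS5Padding") and list what is wrong with it."""
    parts = transformation.upper().split("/")
    alg, mode = parts[0], (parts[1] if len(parts) > 1 else None)
    issues, notes = [], []
    if alg in WEAK_CIPHERS:
        issues.append("weak algorithm " + alg)
    # Cipher.getInstance("AES") with no mode resolves to ECB on Android.
    if mode == "ECB" or (mode is None and alg in ("AES", "DES", "DESEDE")):
        issues.append("ECB mode leaks plaintext structure")
    if mode == "CBC":
        notes.append("unauthenticated CBC; prefer AES/GCM")
    return {"algorithm": alg, "mode": mode, "issues": issues, "notes": notes}


def classify_digest(algorithm):
    return algorithm.upper().replace("_", "-") in WEAK_DIGESTS


def handle_payload(payload):
    """Turn one hook report into a line for the tester, or None if it is fine."""
    kind = payload.get("kind")
    if kind == "cipher":
        c = classify_transformation(payload["transformation"])
        if c["issues"] or c["notes"]:
            return "Cipher %s: %s" % (payload["transformation"], "; ".join(c["issues"] + c["notes"]))
    elif kind == "digest":
        if classify_digest(payload["algorithm"]):
            return "MessageDigest %s is not safe for security use" % payload["algorithm"]
    elif kind == "key":
        key_len = len(payload["key_hex"]) // 2
        if key_len < 16:
            return "SecretKeySpec(%s) with only %d-byte key" % (payload["algorithm"], key_len)
        # A key that is identical on every run is hard-coded or derived from a constant.
        return "SecretKeySpec(%s) key material: %s" % (payload["algorithm"], payload["key_hex"])
    return None


def on_message(message, data):
    if message["type"] == "send":
        line = handle_payload(message["payload"])
        if line:
            print(line)
    elif message["type"] == "error":
        print("hook error:", message.get("stack", message), file=sys.stderr)


def run(package=TARGET_PACKAGE):
    import frida  # imported here so the helpers above work without the bindings
    device = frida.get_usb_device()
    pid = device.spawn([package])  # spawn, so hooks are in place before app code runs
    session = device.attach(pid)
    script = session.create_script(HOOK_JS)
    script.on("message", on_message)
    script.load()
    device.resume(pid)
    print("hooks installed in %s, Ctrl-C to stop" % package)
    sys.stdin.read()


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else TARGET_PACKAGE)
```

Spawning rather than attaching matters for crypto hooks: key setup often happens in Application.onCreate, before an attach to a running process would land. Run the app through login and data-sync flows and compare the reported key material across runs; a key that never changes is the finding.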