22 Open-source Free Android Security and Pentesting Tools for Dynamic and Static APK Analysis - APK Testing: The Frontline of Android Security

Hey there, fellow security enthusiasts! Let's talk about something that's becoming a big deal in our world: APK testing and pentesting. If you're not already on this bandwagon, it's time to hop on.

Why APK Pentesting Matters

Picture this: You're chilling at a café, sipping your overpriced latte, when suddenly your phone buzzes. It's your bank app notifying you of a suspicious transaction. Your heart races as you realize someone's drained your account. Nightmare fuel, right?

This scenario isn't just a bad dream – it's a reality for many victims of malware like Ghimob. This nasty piece of work has been wreaking havoc on Android devices, targeting over 150 financial apps across the globe. We're talking Brazil, Germany, Portugal – nowhere seems safe.

11 Million Android Devices Infected with “Malicious Bots”... Test Your Phone or is it too Late? Necro!!!!! Really!

Researchers have reported finding two new apps that have been downloaded from Google Play 11 million times, infected with the same malware family. Kaspersky researchers believe that the malware development kit for integrating advertising capabilities is once again to blame. Software development kits, known as SDKs, are applications that provide

MEDevel.com: Open-source for Healthcare, and EducationHazem Abbas

Is Your Android Device Compromised? 9 Steps to Ensure Your Safety

How to Check If Your Android Phone Has Been Compromised: A Step-by-Step Guide

MEDevel.com: Open-source for Healthcare, and EducationHazem Abbas

Top 10 Free Malware Scanner for Android - Protect Your Android Device Now, for Daily User and Security Professionals

With over 11 million Android devices affected by malware, protecting your device is more important than ever. Android’s open nature makes it a popular target for cybercriminals who exploit vulnerabilities to access your data, steal personal information, or install malicious software. A reliable malware scanner can help detect and

MEDevel.com: Open-source for Healthcare, and EducationHazem Abbas

APK Testing: Your New Best Friend

So, how do we fight back? Two words: APK testing. It's not just a fancy term to throw around at security conferences. It's our frontline defense against the Ghimobs of the world.

Think about it. Every day, millions of people download Android apps for everything from banking to ordering pizza. Each of these apps is a potential gateway for malware. By diving deep into APK files, we can spot vulnerabilities before the bad guys do.

17 Open-source Free Android RAT (Remote Access Tool) Apps

An Android RAT (Remote Access Tool) is a type of software that allows users to remotely control and manage Android devices. These tools provide functionalities such as executing commands, accessing files, capturing screenshots, and more. Is Your Android Device Compromised? 9 Steps to Ensure Your SafetyHow to Check If Your

MEDevel.com: Open-source for Healthcare, and EducationHazem Abbas

Why Open Source is Your Ally in APK Pentesting

Now, I know what you're thinking. "Can't I just use some fancy proprietary tool for this?" Sure, you could. But here's the deal – open-source tools are where it's at for APK pentesting. Why? Because they're transparent, customizable, and don't come with the risk of hidden trackers or sneaky data leaks.

Plus, let's be real – who doesn't love tinkering with code and making tools work exactly how we want them to?

The Dynamic Duo: Static and Dynamic Analysis

When it comes to APK testing, we've got two heavy hitters in our arsenal: static and dynamic analysis.

Static analysis is like being a code detective. You're combing through the APK file, looking for suspicious patterns or potential weak spots. It's great for catching issues early in the game.

Dynamic analysis, on the other hand, is where things get exciting. You're running the app in a controlled environment, watching how it behaves in real-time. It's like setting a trap and waiting to see what kind of digital critters you catch.

The Bottom Line

Here's the deal, folks. As pentesters, we're the unsung heroes of the digital world. Every time we dive into an APK file, we're potentially saving someone from a massive headache (and an empty bank account).

So, let's embrace APK testing and pentesting. Let's get our hands dirty with open-source tools, run those analyses, and make the Android ecosystem a safer place. After all, in the world of cybersecurity, we're not just breaking things – we're building a safer digital future.

Remember, every APK you test is a potential disaster averted. So fire up those tools, and let's show these malware creators what we're made of!

APK Security Testing Tools

1- Apktool

Apktool is a powerful reverse-engineering tool for Android APK files, allowing users to disassemble, modify, and rebuild Android apps. This tool provides the ability to inspect an app's internals, such as resources, assets, and manifest files, and modify them for purposes like localization, customization, or security research.

Apktool is especially useful for those who need to translate apps, adjust permissions, or analyze malware in Android applications.

Apktool is widely used by developers, security researchers, and enthusiasts who need to modify or inspect Android applications efficiently.

Features

• Disassembly & Reassembly: Converts APK files back into a readable form, allowing modifications and repackaging.
• Modification & Customization: Users can modify resources (e.g., layouts, strings, icons) and rebuild the APK.
• Manifest & Permission Editing: Decodes and makes AndroidManifest.xml and resource files readable and editable.
• Multi-Platform Support: Compatible with Windows, macOS, and Linux.
• Command-Line Interface (CLI): Operated via CLI for easy integration with other tools or workflows.

2- Mobile Security Framework

MobSF is a powerful open-source platform designed for security research on mobile applications across Android, iOS, and Windows Mobile platforms.

It provides robust tools for static and dynamic analysis, allowing security professionals to perform penetration testing, malware detection, privacy analysis, and runtime monitoring. With its ability to handle both source code and binary files (like APK, IPA, and APPX), MobSF simplifies the security testing process.

Additionally, it integrates seamlessly with DevSecOps pipelines through REST APIs and CLI tools, making it an efficient addition to any CI/CD workflow.

MobSF offers a comprehensive solution for mobile security professionals by automating vulnerability detection, malware analysis, and privacy assessment, ensuring apps remain secure throughout the development lifecycle.

Features

• Static Analysis:
  • Supports APK, IPA, APPX, and source code.
  • Identifies vulnerabilities in code and binaries before deployment.
• Dynamic Analysis:
  • Real-time testing and runtime monitoring for Android and iOS apps.
  • Captures network traffic and runtime data for deeper analysis.
• Malware Detection:
  • Scans mobile apps for malicious code and behavior patterns.
• Privacy Analysis:
  • Detects potential data leaks or privacy violations in apps.
• DevSecOps Integration:
  • REST APIs and CLI tools for seamless integration with CI/CD pipelines.
• Multi-Platform Support:
  • Works with Android, iOS, and Windows Mobile apps.

3- Drozer

Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Android Runtime, other apps' IPC endpoints and the underlying OS.

Drozer provides tools to help you use, share and understand public Android exploits.

4- Droidstat-x

This is a free open-source Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis. The map itself is an Android Application Pentesting Methodology component, which assists Pentesters to cover all important areas during an assessment.

The tool also allows to add custom checks in a simple way, to confirm the existence of those patterns in the dalvik bytecode instructions.

5- MEDUSA (Dynamic Analysis)

MEDUSA is an extensible and modularized framework that automates processes and techniques practiced during the dynamic analysis of Android and iOS Applications.

MEDUSA works for macOS, Linux, and Windows. It can be also installed using Docker.

6- Appie

Appie is a software package that has been pre-configured to function as an Android Pentesting Environment on any windows based machine without the need of a Virtual Machine(VM) or dualboot.

It is completely portable and can be carried on USB stick or your smartphone. It is one of its kind Android Security Analysis Tool and is a one stop answer for all the tools needed in Android Application Security Assessment, Android Forensics, Android Malware Analysis.

7- Qark Quick Android Review Kit

This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. The tool is also capable of creating "Proof-of-Concept" deployable APKs and/or ADB commands, capable of exploiting many of the vulnerabilities it finds.

There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

8- ApkAnalyser

ApkAnalyser is a static analysis tool for inspecting, modifying, and validating Android applications. Designed to support binary-level modifications, it allows developers to repack, install, and run Android apps, enabling them to verify their changes through logcat outputs. ApkAnalyser also offers resource analysis, including XML decoding and resource reference lookups, helping developers detect and resolve potential issues in their apps.

This tool is a stand-alone J2SE application, fully developed in Java and released under the Apache 2.0 license. Its capabilities make it a comprehensive tool for Android developers seeking to streamline their development and validation processes.

9- APKinspector

APKinspector is a powerful GUI tool for analysts to analyze the Android applications.

10- Amandroid

Argus-Jawa is a static analysis framework designed to work with Jawa, an intermediate representation (IR) language for analyzing Java-like languages, including Java, Java bytecode, and Dalvik bytecode. This framework allows researchers and developers to translate Java-based code into Jawa for in-depth analysis.

Argus-Jawa provides a robust toolset for parsing, building, and analyzing Java-based programs through static code analysis. It can load data from JAR and class files, build Abstract Syntax Trees (AST), and resolve class hierarchies and method relationships. The framework offers advanced analysis capabilities, making it a useful tool for security researchers and software developers.

Argus-Jawa stands out as a comprehensive static analysis tool, offering valuable insights for both performance optimization and security assessments. Its ability to work with Java-based languages through Jawa IR ensures flexibility in handling various bytecodes.

Features

• Code Parsing & Loading:
  • Parse Jawa code from JAR and class files.
  • Build ASTs for classes and methods.
  • Resolve class hierarchies, method overrides, and virtual invocations.
• Graph Construction & Analysis:
  • Generate Call Graphs to trace dependencies.
  • Create Control Flow Graphs (CFG) for intra-/inter-procedural analysis.
  • Build Data Flow Graphs to track data between methods.
• Advanced Static Analyses:
  • Reaching Definition Analysis: Identify reaching code definitions.
  • Points-to Analysis: Track object references.
  • Monotonic Data Flow & Reaching Facts Analysis: Understand program data flow.
• Security & Behavior Analysis:
  • Taint Analysis: Detect untrusted variables.
  • Data Dependence Analysis: Monitor data transformations.
  • Side Effect Analysis: Identify methods with side effects.

11- Redexer

Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions.

12- SPARTA project

The SPARTA project (Static Program Analysis for Reliable Trusted Apps) is building a toolset to verify the security of mobile phone applications.

SPARTA is a cybersecurity research project funded by DARPA’s Automated Program Analysis for Cybersecurity (APAC) program. It is designed to detect malware in Android applications or verify that an app is malware-free using a type-checking verification approach.

Developers annotate source code with type qualifiers representing security properties, and SPARTA's pluggable type-checker verifies if these qualifiers align correctly, ensuring the app complies with the intended security standards.

In addition to automated type-checking, SPARTA offers tools to assist with manual malware identification:

• Permission analysis: Identifies the permissions required for each API call.
• Suspicious API reporting: Flags the usage of potentially harmful APIs.

These tools provide a comprehensive framework for developers and security researchers to analyze Android apps effectively, ensuring compliance and enhancing malware detection.

13- ConDroid

ConDroid is a tool that performs concolic execution on Android apps, combining symbolic execution (analyzing all potential code paths) with concrete execution (running the app with real inputs). Originally developed for C programs, ConDroid adapts this methodology to Android applications.

The primary goal of ConDroid is to automate the exploration of code paths within an app, enabling it to reach specific locations in the code without manual interaction. This makes it highly effective for dynamic analysis, where it observes behaviors like network traffic and dynamic code loading.

By reducing the need for manual testing, ConDroid helps security researchers efficiently identify malicious behaviors and other “interesting” runtime actions within Android apps.

14- ClassyShark

ClassyShark is a standalone binary inspection tool for Android developers. It can reliably browse any Android executable and show important info such as class interfaces and members, dex counts and dependencies.

ClassyShark supports multiple formats including libraries (.dex, .aar, .so), executables (.apk, .jar, .class) and all Android binary XMLs: AndroidManifest, resources, layouts etc.

15- AndroBugs

AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications.

No splendid fancy GUI interface, but the most efficient (less than 2 minutes per scan in average) and more accurate.

Features

• Find security vulnerabilities in an Android app
• Check if the code is missing best practices
• Check dangerous shell commands (e.g. “su”)
• Collect Information from millions of apps
• Check the app’s security protection (marked as <Hacker>, designed for app repackaging hacking)

16- Devknox

DevKnox is a security tool designed for real-time code analysis and quick fixes for Android app development. It identifies vulnerabilities as developers write code, offering one-click solutions to security issues. DevKnox ensures compliance with industry standards like OWASP, HIPAA, and PCI-DSS and integrates smoothly across platforms.

It provides detailed reports, vulnerability tracking, and an interactive dashboard, supporting agile teams of all sizes. This tool streamlines secure coding by making security checks as easy as spell-checking.

17- DroidBox

DroidBox is a dynamic analysis tool designed to examine Android applications and monitor their behavior at runtime.

It provides detailed insights into an app's operations, making it useful for malware analysis and security research. DroidBox highlights data flow, cryptographic operations, file access, and network activity, offering valuable information to researchers.

Features

• Displays package hashes and detects permission bypasses & crypto operations.
• Temporal graph: Shows operation sequence.
• Treemap: Visualizes package similarities.
• Logs network data and tracks file access & information leaks via SMS, files, and network.
• Monitors services, classes, broadcast receivers, and SMS/calls.

18- Inspeckage

Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.

Features

• Information Gathering:
  • View permissions, shared libraries, activities, and services.
  • Check app version, UID, GIDs, and if the app is debuggable.
• Hooks (Real-Time Monitoring):
  • Monitor shared preferences, crypto operations, HTTP requests, SQLite, and filesystem access.
  • Track clipboard usage, WebView behavior, and inter-process communication (IPC).
  • Dynamically add new hooks.
• Actions via Xposed:
  • Start/stop activities, disable FLAG_SECURE, bypass SSL pinning.
  • Replace parameters and return values in real time.
• Fingerprint & Location Spoofing:
  • Access advertising ID, IMEI, MAC address, and modify GPS location.
• Extras:
  • Download APKs, explore the app directory, capture screens, send text to clipboard.
• Network Analysis:
  • Add proxies to apps, manage ARP table entries, and analyze logs via Logcat.

This concise list summarizes Inspeckage’s core capabilities for app analysis and monitoring using Xposed Framework integration.

19- ProbeDroid

ProbeDroid is a dynamic Java code instrumentation toolkit designed for Android applications, enabling users to trace, profile, and manipulate runtime behavior. It allows developers to hook specific methods in an application and override their behavior using custom "gadgets."

When a hooked method is invoked during runtime, control is diverted to the custom instrumentation tools, giving users the ability to alter input arguments or modify return values.

ProbeDroid is targeted at Android 5.0+ and offers a streamlined deployment without needing to modify the Android framework. Developers can easily download the toolkit from GitHub and build it with minimal setup.

ProbeDroid is ideal for security researchers and developers looking to experiment with runtime behavior, perform security analysis, or debug applications.

Features

• Custom Tools: Create instrumentation tools using Java APIs.
• Method Hooks: Hook into library and app-defined methods.
• Runtime Control: Redirect calls to gadgets; modify inputs/outputs.
• Custom Analysis: Build gadgets for profiling and tracing.
• Simple Deployment: No Android framework changes required; easy build without source tree access.

20- AuditdAndroid

This is a Fork of Auditd geared specifically for running on the Android platform. Includes system applications, AOSP patches, and kernel patches to maximize the audit experience.

21- MARA

MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a toolkit that puts together commonly used mobile application reverse engineering and analysis tools to assist in testing mobile applications against the OWASP mobile security threats.

It enables users to analyze APK, manifest, and reverse engineer APK files.

22- Androwarn

Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application.

The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali, with the androguard library.

This analysis leads to the generation of a report, according to a technical detail level chosen from the user.

Features

• Telephony identifiers exfiltration: IMEI, IMSI, MCC, MNC, LAC, CID, operator's name...
• Device settings exfiltration: software version, usage statistics, system settings, logs...
• Geolocation information leakage: GPS/WiFi geolocation...
• Connection interfaces information exfiltration: WiFi credentials, Bluetooth MAC address...
• Telephony services abuse: premium SMS sending, phone call composition...
• Audio/video flow interception: call recording, video capture...
• Remote connection establishment: socket open call, Bluetooth pairing, APN settings edit...
• PIM data leakage: contacts, calendar, SMS, mails, clipboard...
• External memory operations: file access on SD card...
• PIM data modification: add/delete contacts, calendar events...
• Arbitrary code execution: native code using JNI, UNIX command, privilege escalation...
• Denial of Service: event notification deactivation, file deletion, process killing, virtual keyboard disable, terminal shutdown/reboot...