# Mobile

# Defensive Security

# Source Code Obfuscation

  • DexGuard - The full spectrum of protection for Android apps.
  • ProGuard - Shrinks, optimizes, and obfuscates your code by removing unused code and renaming classes.

# Jailbreaking & Rooting

  • canijailbreak - A website which tells you whether you can jailbreak your iOS device.
  • Checkra1n - Jailbreak for iPhone 5s through iPhone X, iOS 12.0 and up.
  • Chimera - iOS 12 jailbreak to not only feature a CoreTrust bypass so that binaries don't need to be resigned, but to also support A12 devices, including iPhone Xs, iPhone Xr, and the newest iPads.
  • Double H3lix - Jailbreak for 64-bit 10.x devices.
  • Etason - Jailbreak for all devices running iOS 8.4.1 32 bit.
  • Evasi0n - Jailbreak iPhone, iPad or iPod touch on iOS 7.0 – iOS 7.0.6.
  • H3lix - Jailbreak for 32-bit 10.x devices.
  • Home Depot - Jailbreak for iOS 9.x devices.
  • IPSW - Download current and previous versions of Apple's iOS, iPadOS, watchOS, tvOS and audioOS firmware and receive notifications when new firmwares are released.
  • Magisk - Magisk is a suite of open source software for customizing Android, supporting devices higher than Android 5.0.
  • Palra1n - Jailbreak for arm64 devices on iOS 15.0+ . last-commit
  • Pangu Jailbreak - Jailbreak for iOS 9.0 - 9.1.
  • Phoenix - Semi-untethered jailbreak for 9.3.5-9.3.6. All 32-bit devices supported.
  • p0sixspwn - iOS Jailbreak for 6.1.X.
  • redsn0w - Jailbreak for iOS 3-5.
  • TaiG - Jailbreak for iOS 8.X.
  • unc0ver - A jail​break tool.

# Offensive Security

# App/File Management

  • adb - Allows you to install packages and evaluate your changes.
  • Airdroid - Transfer files across devices, remote control Android devices, mirror screen, and manage SMS & notification on computer.
  • Android File Transfer - Browse and transfer files between your Mac computer and your Android device.
  • iExplorer - Transfers music, messages, photos, files and everything else.
  • iFunbox - General file management software for iPhone and other Apple products.
  • iMazing - Powerful user-friendly iOS device manager for Mac and PC.

# Bug Bounty Reports

# Dynamic Analysis

  • Bytecode Viewer - A lightweight user friendly Java Bytecode Viewer. last-commit
  • CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox. last-commit
  • Cutter - Reverse engineering platform powered by rizin. last-commit
  • DECAF - DECAF (short for Dynamic Executable Code Analysis Framework) is a binary analysis platform based on QEMU. last-commit
  • Diggy - Extract endpoints from apk files. last-commit
  • Droid-FF - The android fuzzing framework. last-commit
  • Drozer - Security testing framework for Android. last-commit
  • Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. last-commit
  • Hooker - Provides various tools and applications that can be use to automatically intercept and modify any API calls. last-commit
  • House - A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python. last-commit
  • Inspeckage - Tool developed to offer dynamic analysis of Android applications. last-commit
  • MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. last-commit
  • PATDroid - A collection of tools and data structures for analyzing Android applications and the system itself. last-commit
  • ProbeDroid - A dynamic Java code instrumentation for Android apps. Provides APIs for users to craft their own instrumentation tools. last-commit
  • radare2 - Set of libraries, tools and plugins to ease reverse engineering tasks. last-commit
  • Runtime Mobile Security (RMS) - Powered by FRIDA a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime. last-commit

# Flashing/Sideloading

  • Cydia Impactor - Use this tool to install IPA files on iOS and APK files on Android.
  • Odin - Used to flash a custom recovery firmware image to a Samsung Android device.

# Guides & References

# Labs/Practice

  • DIVA - DIVA (Damn insecure and vulnerable App) is an Android App intentionally designed to be insecure.
  • DVHMA - Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities. last-commit
  • Injured Android - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style. last-commit
  • InsecureBank v2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities. last-commit
  • Oversecured Vulnerable Android App - An Android app that aggregates all the platform's known and popular security vulnerabilities. last-commit
  • UnCrackable Apps - A collection of mobile reverse engineering challenges for iOS and Android. last-commit
  • Vuldroid - Vuldroid is a Vulnerable Android Application made with security issues in order to demonstrate how they can occur in code. last-commit
  • VyAPI - The Modern Cloud-Based Vulnerable Hybrid Android App. last-commit
  • WaTF-Bank - What a Terrible Failure Mobile Banking Application for Android and iOS. last-commit

# Online Services

  • Android APK Decompiler - Online android decompiler
  • Ostorlab - Online static taint analysis, 3rd party fingerprinting, and vulnerability analysis.
  • Oversecured - Android mobile app analyzer vulnerability scanner, designed for DevOps process integration.
  • Quixxi - An intelligent and integrated end-to-end mobile app security solution.

# Post Exploitation (Android)

  • dmesg - Prints Android kernel messages. Already installed on device. last-commit
  • Dumpsys - a tool that runs on Android devices and provides information about system services. Already installed on device.
  • EggShell - iOS/macOS/Linux Remote Administration Tool. last-commit
  • jarsigner - Jar, Android apk, Eclipse RCP signer. last-commit
  • keystore-explorer - GUI replacement for the Java command-line utilities keytool and jarsigner. last-commit
  • MITMProxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers. last-commit
  • Plistsubtractor - Read a plist file, write out any embedded plist files. last-commit
  • ProxyDroid - Global Proxy for Android. last-commit
  • Simplify - Android virtual machine and deobfuscator. last-commit
  • TCPDump - The TCPdump network dissector. last-commit

# Post Exploitation (iOS)

  • BinaryCookieReader - A tool to read the binarycookie format of Cookies on iOS applications. last-commit
  • ClassDumpiOS - iOS port from nygard/class-dump. last-commit
  • Cycript - Explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript. last-commit
  • DumpDecrypted - Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. last-commit
  • EggShell - iOS/macOS/Linux Remote Administration Tool. last-commit
  • KTool - Cross-platform MachO/ObjC Static binary analysis tool & library. class-dump + otool + lipo + more. last-commit
  • lipo - Used to thin out un-used code.
  • MITMProxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers. last-commit
  • MobileAssistant - A tool to facilitate testing of iOS apps with Burp Suite.
  • Needle - The iOS Security Testing Framework. last-commit
  • Objection - A lightweight dependency injection framework for Objective-C. last-commit
  • RVICTL - Capture packets sent/received by iOS devices. last-commit
  • Sileo - A fast, beautiful, powerful and efficient APT Package Manager designed for jailbroken device.
  • SSLKillSwitch - Blackbox tool to disable SSL certificate validation. last-commit
  • SSLKillSwitch2 - Blackbox tool to disable SSL certificate validation. last-commit
  • TCPDump - The TCPdump network dissector. last-commit

# Reverse Engineering

  • bfdecrypt - Utility to decrypt App Store apps on jailbroken iOS 11.x last-commit
  • Clutch - Fast iOS executable dumper. last-commit
  • flexdecrypt - Decrypt iOS Apps and Mach-O binaries. last-commit
  • FoulDecrypt - A lightweight and simpling iOS binary decryptor. last-commit
  • r2flutch - Tool to decrypt iOS apps using r2frida. last-commit

# Static Analysis

  • Android Check - Static code analysis plugin for Android project. last-commit
  • Androwarn - Static code analyzer for malicious Android applications. last-commit
  • APKLab - A tool for reverse engineering 3rd party, closed, binary Android apps. last-commit
  • APKLeaks - Scanning APK file for URIs, endpoints & secrets. last-commit
  • APK Studio - The objective of this scanner is to find for misconfiguration, sensitive data and insecure components. last-commit
  • APKTool - Seamlessly integrates the best open-source tools right inside VS Code.
  • Argus-SAF - Static analysis framework. last-commit
  • Checkstyle - A tool for checking Java source code for adherence to a Code Standard or set of validation rules. last-commit
  • DeGuard - Statistical Deobfuscation for Android.
  • Deoptfuscator - Reverse the control-flow obfuscation performed by DexGuard on open-source Android applications. last-commit
  • Droid-Hunter - Android application vulnerability analysis and Android pentest tool. last-commit
  • Error Prone - Error Prone is a static analysis tool for Java that catches common programming mistakes at compile-time. last-commit
  • FindBugs - Uses static analysis to inspect Java bytecode for occurrences of bug patterns.
  • Find Security Bugs - Find Security Bugs is the SpotBugs plugin for security audits of Java web applications. last-commit
  • FlowDroid - Statically computes data flows in Android apps and Java programs. last-commit
  • Gradle - Supports many popular static analysis (Checkstyle, PMD, FindBugs, etc) via a set of built-in plugins. last-commit
  • Infer - Infer is a static analysis tool for Java, C++, Objective-C, and C. Infer is written in OCaml. last-commit
  • JADX - Dex to Java decompiler. last-commit
  • Mobile Audit - SAST and Malware Analysis for Android Mobile APKs. last-commit
  • MobSF - An automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework. last-commit
  • PMD - Finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. last-commit
  • Qark - designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs. last-commit
  • Quark - An Obfuscation-Neglect Android Malware Scoring System. last-commit
  • Smali - An assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. last-commit
  • Soot - Smali Control Flow Graph's last-commit
  • Sparta - Static program analysis for reliable trusted apps. last-commit
  • StaCoAn - A crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications last-commit
  • Trueseeing - A fast, accurate and resillient vulnerabilities scanner for Android apps. last-commit
  • Yaazhini - A fast, accurate and resillient vulnerabilities scanner for Android apps.

# Video Content

  • B3nac Sec - Dedicated mobile ethical hacking

# Virtualization

  • Android Tamer - Live Platform for Android Security professionals.
  • AppUse - Mobile app security testing, Android and iOS applications. Custom-made tools and scripts created by AppSec Labs.

# Whitepapers