To perform security testing, different tools are available for manipulating requests and responses, decompiling apps, investigating the behavior of running apps, and for other test cases and their automation.
The MSTG project has no preference for any of the tools below and is not promoting or selling any of them. All tools below have been verified to be "alive", meaning that updates have been pushed recently. Nevertheless, not all tools have been used or tested by the authors, but they might still be useful when analysing a mobile app. The listing is sorted in alphabetical order. The list also points out commercial tools.
- Androl4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
- Android Tamer - Android Tamer is a Debian-based Virtual/Live Platform for Android Security professionals.
- Mobile Security Toolchain - A project used to install many of the tools mentioned in this section, both for Android and iOS, on a machine running macOS. The project installs the tools via Ansible.
- Appmon - AppMon is an automated framework for monitoring and tampering with system API calls of native macOS, iOS and Android apps.
- Mobile Security Framework - MobSF - MobSF is a mobile pen-testing framework, capable of performing static and dynamic analysis.
- objection - objection is a runtime mobile security assessment framework for iOS and Android that does not require a jailbroken or rooted device, thanks to its use of Frida.
- Checkmarx - Static Source Code Scanner that also scans source code for Android and iOS.
- Fortify - Static source code scanner that also scans source code for Android and iOS.
- Veracode - Static source code scanner that also scans binaries for Android and iOS.
- Frida - The toolkit works using a client-server model and lets you inject into running processes on Android and iOS.
- Frida CodeShare - The Frida CodeShare project publicly hosts Frida scripts that can help to bypass client-side security controls in mobile apps (e.g. SSL pinning).
- NowSecure Workstation (Commercial Tool) - Pre-configured hardware and software kit for vulnerability assessment and penetration testing of mobile apps.
- IDA Pro (Commercial Tool) - IDA is a Windows, Linux or macOS hosted multi-processor disassembler and debugger.
- Radare2 - Radare2 is a Unix-like reverse engineering framework and set of command-line tools.
- Androguard - Androguard is a Python-based tool that can be used to disassemble and decompile Android apps.
- Android Backup Extractor - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.
- Android Debug Bridge - adb - Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android device.
- APKTool - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
- android-classyshark - ClassyShark is a standalone binary inspection tool for Android developers.
- ByteCodeViewer - Java 8 Jar and Android APK reverse engineering suite (e.g. decompiler, editor and debugger).
- ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
- FindSecurityBugs - FindSecurityBugs is an extension for SpotBugs which includes security rules for Java applications.
- Jadx - Dex to Java decompiler: command line and GUI tools to produce Java source code from Android Dex and APK files.
- Oat2dex - A tool for converting .oat files to .dex files.
- Qark - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
- Sign - Sign.jar automatically signs an apk with the Android test certificate.
- Simplify - A tool for de-obfuscating an Android package into classes.dex, which can then be processed with Dex2jar and JD-GUI to extract the contents of the dex file.
- SUPER - SUPER is a command-line application that can be used on Windows, macOS and Linux, and that analyzes .apk files in search of vulnerabilities.
- SpotBugs - Static analysis tool for Java.
- Android Tcpdump - A command line packet capture utility for Android.
- Cydia Substrate: Introspy-Android - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
- Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
- Inspeckage - Inspeckage is a tool developed to offer dynamic analysis of Android apps. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
- logcat-color - A colorful and highly configurable alternative to the adb logcat command from the Android SDK.
- VirtualHook - VirtualHook is a hooking tool for applications on Android ART (>= 5.0). It is based on VirtualApp and therefore does not require root permission to inject hooks.
- Xposed Framework - The Xposed framework enables you to modify system or application aspects and behavior at runtime, without modifying any Android application package (APK) or re-flashing.
- Cydia Substrate Module: Android SSL Trust Killer - Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
- Cydia Substrate Module: RootCloak Plus - Patch root checking for commonly known indications of root.
- Xposed Module: Just Trust Me - Xposed Module to bypass SSL certificate pinning.
- Xposed Module: SSLUnpinning - Android Xposed Module to bypass SSL Certificate Pinning.
- iFunbox - The File and App Management Tool for iPhone, iPad & iPod Touch.
- iProxy - With iProxy you can connect via SSH to your jailbroken iPhone when it's connected via USB.
- itunnel - Used to forward SSH via USB.
Once you are able to SSH into your jailbroken iPhone, you can use an FTP client such as the following to browse the file system:
- Cyberduck - Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows.
- FileZilla - It supports FTP, SFTP, and FTPS (FTP over SSL/TLS).
- class-dump - A command-line utility for examining the Objective-C runtime information stored in Mach-O files.
- Clutch - Decrypt the application and dump specified bundleID into binary or .ipa file.
- Dumpdecrypted - Dumps the decrypted Mach-O files of encrypted iPhone applications from memory to disk.
- HopperApp (Commercial Tool) - Hopper is a reverse engineering tool for macOS and Linux that lets you disassemble, decompile and debug your 32/64-bit Intel Mac, Linux, Windows and iOS executables.
- hopperscripts - Hopperscripts can be used to demangle Swift function names in HopperApp.
- otool - The otool command displays specified parts of object files or libraries.
- Plutil - plutil is a program that can convert .plist files between a binary version and an XML version.
- Weak Classdump - A Cycript script that generates a header file for the class passed to the function. Most useful when you cannot use classdump or dumpdecrypted, e.g. when binaries are encrypted.
- bfinject - bfinject loads arbitrary dylibs into running App Store apps. It has built-in support for decrypting App Store apps, and comes bundled with iSpy and Cycript.
- BinaryCookieReader - A tool to dump all the cookies from the binary Cookies.binarycookies file.
- Burp Suite Mobile Assistant - A tool to bypass certificate pinning and is able to inject into apps.
- cycript - Cycript allows developers to explore and modify running applications on either iOS or macOS using a hybrid of Objective-C and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.
- Frida-cycript - This is a fork of Cycript in which we replaced its runtime with a brand new runtime called Mjølner powered by Frida. This enables frida-cycript to run on all the platforms and architectures maintained by frida-core.
- Fridpa - An automated wrapper script for patching iOS applications (IPA files) so that they work on a non-jailbroken device.
- gdb - A tool to perform runtime analysis of iOS applications.
- idb - idb is a tool to simplify some common tasks for iOS pentesting and research.
- Introspy-iOS - Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.
- keychaindumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
- lldb - The LLDB debugger from Apple's Xcode is used for debugging iOS applications.
- Needle - Needle is a modular framework to conduct security assessments of iOS apps including Binary Analysis, Static Code Analysis and Runtime Manipulation.
- Passionfruit - Simple iOS app blackbox assessment tool with a fully web-based GUI, powered by frida.re and Vue.js.
- SSL Kill Switch 2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS Apps.
- tsProtector - Another tool for bypassing Jailbreak detection.
- Xcon - A tool for bypassing Jailbreak detection.
- Canape - A network testing tool for arbitrary protocols.
- Mallory - A Man-in-the-Middle (MITM) tool that is used to monitor and manipulate traffic on mobile devices and applications.
- MITM Relay - Intercept and modify non-HTTP protocols through Burp and others, with support for SSL and STARTTLS interception.
- Tcpdump - A command line packet capture utility.
- Wireshark - An open-source packet analyzer.
- Burp Suite - Burp Suite is an integrated platform for performing security testing of applications.
- Charles Proxy - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.
- Fiddler - Fiddler is an HTTP debugging proxy server application which captures HTTP and HTTPS traffic and logs it for the user to review.
- OWASP ZAP - The OWASP Zed Attack Proxy (ZAP) is a free security tool which can help you automatically find security vulnerabilities in your web applications and web services.
- Proxydroid - Global Proxy App for Android System.
- Android Studio - Android Studio is the official integrated development environment (IDE) for Google's Android operating system, built on JetBrains' IntelliJ IDEA software and designed specifically for Android development.
- IntelliJ - IntelliJ IDEA is a Java integrated development environment (IDE) for developing computer software.
- Eclipse - Eclipse is an integrated development environment (IDE) used in computer programming, and is the most widely used Java IDE.
- Xcode - Xcode is an integrated development environment (IDE) available only for macOS to create apps for iOS, watchOS, tvOS and macOS.
The applications listed below can be used as training materials. Note: only the MSTG apps and Crackmes are tested and maintained by the MSTG project.
- Crackmes - A set of apps to test your Android application hacking skills.
- DVHMA - A hybrid mobile app (for Android) that intentionally contains vulnerabilities.
- Digitalbank - A vulnerable app created in 2015, which can be used on older Android platforms.
- DIVA Android - An app intentionally designed to be insecure which has received updates in 2016 and contains 13 different challenges.
- DodoVulnerableBank - An insecure Android app from 2015.
- InsecureBankv2 - A vulnerable Android app made for security enthusiasts and developers to learn about Android insecurities by testing a vulnerable application. It was updated in 2018 and contains a lot of vulnerabilities.
- MSTG Android app - Java - A vulnerable Android app with vulnerabilities similar to the test cases described in this document.
- MSTG Android app - Kotlin - A vulnerable Android app with vulnerabilities similar to the test cases described in this document.
- Crackmes - A set of applications to test your iOS application hacking skills.
- Myriam - A vulnerable iOS app with iOS security challenges.
- DVIA - A vulnerable iOS app, written in Objective-C, with a set of vulnerabilities. Additional lessons can be found on the project's website.
- DVIA-v2 - A vulnerable iOS app, written in Swift with over 15 vulnerabilities.
- iGoat - iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.