Explore Android security: secure app development, reverse engineering, vulnerability testing, and best practices for data protection and encryption.
- Tools
- Academic / Research / Publications / Books
- Exploits / Vulnerabilities / Bugs
- Blogs, Write-ups & Research Feeds
- Communities, Forums & Conferences
| Tool | Notes |
|---|---|
| VirusTotal | Multi-engine scanning, max 128MB per file |
| Koodous | Static/dynamic malware analysis against public & private YARA rules |
| MobSF Cloud / Community Edition | Hosted version of the popular open-source MobSF scanner |
| Oversecured | Enterprise vulnerability scanner for Android & iOS, integrates into CI/CD (paid) |
| AppSweep by Guardsquare | Free, fast automated security testing for developers |
| Appknox | Enterprise mobile app security testing platform (paid) |
| NowSecure | Automated static/dynamic mobile app security testing (paid) |
| Immuniweb Mobile | OWASP Mobile Top 10 test, privacy check, permissions test — free tier available |
| Pithus | Open-source APK analyzer with YARA rule hunting |
- Androguard – powerful reverse engineering and static analysis library, integrates well with other tools
- MobSF (Mobile Security Framework) – all-in-one static, dynamic, and API pentesting framework for Android/iOS
- FlowDroid – precise, context/flow/field/object-sensitive taint analysis for Android apps
- Amandroid – static analysis framework for security vetting of Android apps
- Quark-Engine – obfuscation-neglect Android malware scoring system
- APKLeaks – scans APKs for URIs, endpoints & hardcoded secrets
- Mobile Audit – web app for static analysis & malware detection in APKs
- ClassyShark – standalone binary inspection tool for any Android executable
- StaCoAn – cross-platform static code analysis with GUI guidance
- PSCout – extracts Android permission specification from AOSP source via static analysis
- SUPER – Secure, Unified, Powerful and Extensible Rust Android Analyzer
- Trueseeing – fast, automated, static vulnerability scanner and pentesting workbench for Android apps
- QARK – LinkedIn's tool for scanning apps for security issues
- AndroBugs Framework – efficient Android vulnerability scanner
- MobSF – also functions as a full vulnerability scanner (see above)
- Nogotofail – network traffic security testing tool
- Frida – dynamic instrumentation toolkit for injecting scripts into native apps; the industry-standard hooking/tracing tool
- Objection – Frida-powered runtime mobile exploration toolkit; SSL pinning bypass, filesystem/keychain access, no jailbreak/root required
- MobSF Dynamic Analyzer – dynamic analysis on emulator/device with API monitoring, traffic capture, and Frida integration
- Drozer – security testing framework for Android, assesses apps and devices for vulnerabilities
- Inspeckage – Android package inspector, dynamic analysis with API hooks (Xposed module)
- House – runtime mobile application analysis toolkit with web GUI, powered by Frida
- Runtime Mobile Security (RMS) – web UI for manipulating Android/iOS apps at runtime via Frida
- friTap – intercepts SSL/TLS via Frida, extracts keys and decrypted payload as PCAP in real time
- AppMon – automated framework for monitoring/tampering with system API calls (Frida-based)
- MARA Framework – Mobile Application Reverse Engineering and Analysis Framework
- Xposed Framework – module-based framework for modifying system/app behavior at runtime without touching APKs
- Android_application_analyzer – analyzes local storage content of Android apps
- Androl4b – preconfigured VM for Android app assessment, RE, and malware analysis
- Decompiler.com – online APK and Java decompiler
- Jadx / Jadx-GUI – Dex-to-Java decompiler, the current de facto standard for reading Android bytecode as readable Java
- Apktool – decompiles/rebuilds APK resources and Smali, essential for repackaging and resource-level edits
- Smali/Baksmali – assembler/disassembler for the dex format
- Ghidra – NSA's reverse engineering suite; strong for native (.so) library analysis alongside Java-layer tools
- Dex2Jar – dex to jar converter
- Enjarify – dex to jar converter from Google, handles cases dex2jar struggles with
- Bytecode Viewer – all-in-one Java/Android decompiler GUI (integrates CFR, Procyon, Krakatau, FernFlower, JD-GUI)
- CFR – Java decompiler
- JD-GUI – Java decompiler with GUI
- Krakatau – Java decompiler/assembler
- radare2 – reverse engineering framework, useful for native library analysis
- Simplify – virtual machine-based Android deobfuscator
- Obfuscapk – modular Python tool for obfuscating APKs without source code (useful for testing detection resilience)
- apk-mitm – automatically preps APKs for HTTPS traffic inspection (disables cert pinning, enables user CAs)
- MVT (Mobile Verification Toolkit) – forensic toolkit to identify signs of compromise (e.g. spyware) on Android/iOS devices
- Androguard – also a core RE library (see Static Analysis)
- Dwarf – GUI-based debugger built on Frida for reverse engineering
- Honggfuzz – general-purpose, feedback-driven fuzzer with Android support
- Radamsa – general-purpose mutation fuzzer, usable against Android inputs/interfaces
- FSquaDRA2 – detects repackaged Android applications via resource hash comparison
- PlaystoreDownloader – downloads APKs directly from Google Play by package name
- gplaycli – command-line tool to search/download apps from Google Play
- mitmproxy – interactive HTTPS proxy, standard for inspecting mobile app traffic
- AXMLPrinter2 / apktool built-in decoder – converts binary AndroidManifest.xml to readable XML (now bundled in Apktool)
- Android Vulnerability Test Suite (android-vts) – scans a device for a set of known vulnerabilities
- Genymotion – Android emulator widely used for security testing on virtual devices with root access
- nRF Connect / Bluetooth security tools – InternalBlue: Bluetooth experimentation framework based on RE of Broadcom BT controllers
- Damn Insecure Vulnerable Application (DIVA)
- OWASP MASTG Hacking Playground (mastg-hacking-playground) – official vulnerable apps companion to the OWASP MASTG
- InsecureShop
- Android InsecureBankv2
- Oversecured Vulnerable Android App (OVAA)
- GoatDroid
- Sieve (OWASP MASTG UnCrackable Apps) – classic crackme-style targets for practicing RE and dynamic bypass techniques
- SEI CERT Android Secure Coding Standard
- OWASP Mobile Application Security Testing Guide (MASTG) – the current, actively maintained industry-standard manual for mobile app security testing and reverse engineering (successor to the older MSTG)
- OWASP Mobile Application Security Verification Standard (MASVS) – baseline security requirements checklist that MASTG test cases map to
- doridori/Android-Security-Reference
- b-mueller/android_app_security_checklist
- tanprathan/MobileApp-Pentest-Cheatsheet
- HackTricks – Android App Pentesting – actively updated, practical Android pentesting reference (Frida, Objection, bypass techniques, etc.)
- Android Security Bulletins – official monthly patch and vulnerability disclosures from Google
- Android's reported CVEs (CVE Details)
- OWASP Mobile Top 10 – current version of the standard mobile vulnerability taxonomy
- Exploit Database – Android search
- Google Android Security Team's PHA Classifications – official classification of Potentially Harmful Applications (malware)
- Android Malware Github repo (ashishb/android-malware)
- AndroZoo – large, growing collection of Android apps from multiple sources including Google Play, for research use
- Contagio Mobile Malware Mini Dump
- CIC Android Adware and General Malware Dataset
- Drebin Dataset
- Koodous – community-driven malware sample repository with YARA rule hunting (also listed above as an analyzer)
- Google Play Security Reward Program (GPSRP) – rewards for vulnerabilities found in popular Android apps
- Android and Google Devices Security Reward Program
- Android – reporting security issues
- Google Bug Hunters – Android program
- B3nac/Android-Reports-and-Resources – curated list of disclosed Android HackerOne reports and RE resources
Ongoing sources of technical write-ups, exploit analyses, and industry commentary — far more valuable long-term than any static tool list, since this is where new techniques actually surface first.
- Google Project Zero – in-depth, technical write-ups of real 0-day and n-day exploits, including a recurring "In-the-Wild" series specifically on Android exploit chains
- Android Offensive Security Team Blog – Google's own Android red team publishing deep technical posts on kernel/GPU/Binder exploitation (e.g. Qualcomm KGSL, Binder fuzzing)
- Google Online Security Blog – official announcements on Android platform security, Play Protect, and ecosystem-wide defenses
- Google Bug Hunters Blog – write-ups and reward program updates from Google's vulnerability reward programs, including Android and Google Play
- NCC Group Research Blog – regular mobile app pentest write-ups and tooling releases from a long-running research team
- WithSecure Labs Blog – successor to MWR Labs/F-Secure Labs, frequent Android/mobile research
- Oversecured Blog – frequent, highly technical Android vulnerability-class write-ups (deep-links, exported components, custom permissions, etc.)
- NowSecure Blog – mobile app security research, threat analysis, and testing guidance
- Guardsquare Blog – Android app hardening, obfuscation, and reverse-engineering-resistance research (maintainers of ProGuard/DexGuard)
- MobSF Blog / Docs Updates – release notes and technique write-ups tied to the MobSF framework
- HackTricks – Android App Pentesting – continuously updated practical playbook, more like a living cheat-sheet than a one-off post
- Payatu Blog – Android/IoT pentesting write-ups from the team behind DIVA
- CVE Details – Google Android – browse individual CVEs, many of which link out to the original researcher's write-up
- GitHub topic: android-exploitation – community-maintained PoCs and write-ups for specific Android CVEs
- Exploit-DB – Android – submitted PoC exploits and advisories
- r/AskNetsec and r/netsec – general security discussion, Android write-ups get shared regularly
- XDA Developers Security Forum – long-running community around Android rooting, ROMs, and device-level security
- OWASP MAS Slack / Community – official community channel for the MASVS/MASTG project, good place to ask testing methodology questions
- DEF CON Mobile/Android talks archive – recordings and slides from years of Android-focused DEF CON talks
- Black Hat Briefings Archive – searchable archive of Black Hat talks, many with full Android exploitation papers/slides