Essential Android Security Testing Tools: A Comprehensive Guide
This article compiles a thorough list of Android security testing resources, covering online analysis platforms, static and dynamic analysis utilities, vulnerability scanners, reverse‑engineering tools, fuzzers, app‑repackaging detectors, market crawlers, miscellaneous aids, and references to academic publications and bug‑bounty programs.
Online Analysis Tools
AndroTotal
Tracedroid
Visual Threat
Mobile Malware Sandbox
Appknox – paid
IBM Security AppScan Mobile Analyzer – paid
NVISO ApkScan
AVC UnDroid
habo – 10/day
Virustotal – max 128 MB
Fraunhofer App‑ray – paid
AppCritique – free APK upload for security assessment
NowSecure Lab Automated – static & dynamic analysis for Android/iOS, paid
Static Analysis Tools
Androwarn – warns about potentially malicious behaviors in Android apps
ApkAnalyser
APKInspector
Droid Intent Data Flow Analysis for Information Leakage
DroidLegacy
Several tools from PSU
Smali CFG generator
FlowDroid
Android Decompiler – paid
PSCout – extracts ACL from Android source via static analysis
Amandroid
SmaliSCA – static code analysis for Smali
CFGScanDroid – scans and compares CFGs with malicious programs
Madrolyzer – extracts sensitive data such as C&C, phone numbers, etc.
SPARTA – verifies app compliance with security policies
ConDroid – combines symbolic and concrete execution
DroidRA
RiskInDroid – assesses risk based on Android app ACL, provides online demo
SUPER – secure, unified, extensible analysis framework
ClassyShark – binary inspection tool for Android executables
Android Vulnerability Scanning Tools
QARK – LinkedIn’s tool for scanning Android app security issues
AndroBugs
Nogotofail
Devknox – automatically fixes Android security problems
JAADAS – joint intra‑ and inter‑procedural analysis based on Soot and Scala
Dynamic Analysis Tools
Android DBI framework
Androl4b – VM for evaluating Android apps, reverse engineering, malware analysis
Android Malware Analysis Toolkit
Mobile‑Security‑Framework MobSF – automated static, dynamic, and web‑API testing
AppUse
Cobradroid – malware analysis and custom profiling
Droidbox
Drozer
Xposed
Inspeckage
Android Hooker – dynamic Java code detection
ProbeDroid – dynamic Java code detection
Android Tamer
DECAF
CuckooDroid
Mem
Crowdroid
AuditdAndroid – online demo for ACL‑based risk detection
Android Security Evaluation Framework
Android Reverse Engineering
Aurasium
Android Linux Kernel modules
Appie
StaDynA
DroidAnalytics
Vezir Project
MARA
Taintdroid – requires AOSP build
Reverse Engineering Tools
Smali/Baksmali – APK decompilation
Emacs syntax coloring for Smali files
Vim syntax coloring for Smali files
AndBug
Androguard – powerful, integrates well with other tools
Apktool
Android Framework for Exploitation
Bypass signature and permission checks for IPCs
Dare – converts .dex to .class
Dex2Jar – converts .dex to .class
Enjarify – converts .dex to .class (Chrome)
Dedexer
Fino
Frida – GUI‑based
Indroid
IntentSniffer
Introspy
Jad – Java decompilation
JD‑GUI – Java decompilation
CFR – Java decompilation
Krakatau – Java decompilation
Procyon – Java decompilation
FernFlower – Java decompilation
Redexer
Smali viewer
Simplify Android deobfuscator
Bytecode viewer
Radare2
Fuzz Testing Tools
IntentFuzzer
Radamsa Fuzzer
Honggfuzz
Android port of the melkor ELF fuzzer
Media Fuzzing Framework for Android
AndroFuzz
App Repackaging Detection Tools
FSquaDRA – detects repackaged Android apps by comparing resource hashes
Market Crawlers
Google Play crawler (Java)
Google Play crawler (Python)
Google Play crawler (Node) – fetches app details and downloads from Google Play
Aptoide downloader (Node) – downloads apps from the third‑party Aptoide market
Appland downloader (Node) – downloads apps from the third‑party Appland market
Miscellaneous Tools
smalihook
APK‑Downloader
AXMLPrinter2 – converts binary XML to readable XML
adb autocomplete
Dalvik opcodes
Opcodes table for quick reference
ExploitMe Android Labs
GoatDroid
mitmproxy
dockerfile/androguard
Android Vulnerability Test Suite
AppMon
Academic, Research, Publications & Books
Exploit Database
Android security related presentations
Collection of static analysis papers
SEI CERT Android Secure Coding Standard
OWASP Mobile Security Testing Guide Manual
Android Reverse Engineering 101 by Daniele Altomare
doridori/Android‑Security‑Reference
Android app security checklist
Mobile App Pentest Cheat Sheet
Vulnerability Disclosure Resources
Android Security Bulletins
Android’s reported security vulnerabilities
Android Devices Security Patch Status
AOSP – Issue tracker
OWASP Mobile Top 10 2016
Exploit Database
Vulnerability Google Doc
Google Android Security Team’s classifications for potentially harmful applications (malware)
Malware Collections
androguard – Database Android Malwares wiki
Android Malware Github repo
Android Malware Genome Project – contains 1 260 malicious samples
Contagio Mobile Malware Mini Dump
VirusTotal Malware Intelligence Service
Admire
Drebin
Bounty Programs
Android Security Reward Program
How to Submit Vulnerabilities
Android – reporting security issues
Android Reports and Resources
