Attacking Android Devices

Add Security Exception to APK


  • DonkeyGuard allows fine-grained tuning of access to your private data. It currently supports 41 restrictions, which can be applied to every application. Specifically, it is a privacy service provider that implements a set of modifications to the Android Framework, allowing you to interact with applications that are trying to access your private data.

The Android boot process

Miroslav Stampar - Android: Practical Introduction into the (In)Security

  • This presentation covers the user's deadly sins of Android (In)Security, together with the implied system security problems. Each topic could potentially introduce unrecoverable damage from a security perspective. Both local and remote attacks are covered, along with practical demos of the most interesting ones.


Droidsec - Pretty much should be your first stop

Hacking Your Way Up The Mobile Stack

cSploit - "The most complete and advanced IT security professional toolkit on Android." (From their site) - Github Link

Mobile Application Penetration Testing Cheat Sheet

Android Internals

Dalvik opcodes
Dalvik Bytecode Format docs
The Android boot process from power on
Trusted Execution Environments (and Android)

Securing Android

Android (In)Security - Defcamp 2014
Android Forensics Class - Free - This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
Android Hardening Guide by the TOR developers - This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently. The SIP client we recommend also supports dialing normal telephone numbers if you have a SIP gateway that provides trunking service. Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.
Android 4.0+ Hardening Guide/Checklist by University of Texas

Mobile self-defense - Karsten Nohl


Firewall

  • Android Firewall (Requires Root)

XPrivacy - The Ultimate Android Privacy Manager (Requires Root)

  • Github
  • Google Play


Titanium Backup - Personal favorite for making backups. Backups are stored locally or automatically to various cloud services.

Helium Backup (Root Not Required)

  • Backs up data locally or to various cloud services. Local client available for backups directly to PC.

  • Android app for easy stunnel usage


Check the Encryption section of the overall guide for more information.

Android Reverse Engineering Defenses


List of Android Vulnerabilities

AndroBugs Framework

  • AndroBugs Framework is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications


List of Android Exploits


  • personal site of scotty bauer

Device Analysis

android-cluster-toolkit - The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.
privmap - android - A tool for enumerating the effective privileges of processes on an Android device.
canhazaxs - A tool for enumerating the access to entries in the file system of an Android device.
Android Device Testing Framework (DTF) - The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Dtf provides a modular approach and built-in APIs that allow testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks and system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you'll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.
drozer - drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

Application Analysis

APK Studio - Android Reverse Engineering - APK Studio is an IDE for decompiling/editing and then recompiling Android application binaries. Unlike the initial release, which was Windows-exclusive and did not support frameworks, this one is completely rewritten using Qt for cross-platform support. You can now have multiple frameworks installed and pick a particular one on a per-project basis.
Smali-CFGs - Smali Control-Flow-Graphs
PID Cat - An update to Jeff Sharkey's excellent logcat color script which only shows log entries for processes from a specific application package. During application development you often want to only display log messages coming from your app. Unfortunately, because the process ID changes every time you deploy to the phone it becomes a challenge to grep for the right thing. This script solves that problem by filtering by application package. Supply the target package as the sole argument to the python script and enjoy a more convenient development process.
AndBug - Scriptable Android Debugger - AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.
android-lkms - Android Loadable Kernel Modules - mostly used for reversing and debugging on controlled systems/emulators.
Simplify - Simple Android Deobfuscator - Simplify uses a virtual machine to understand what an app does. Then, it applies optimizations to create code that behaves identically, but is easier for a human to understand. Specifically, it takes Smali files as input and outputs a Dex file with (hopefully) identical semantics but less complicated structure.


  • CuckooDroid is an extension of Cuckoo Sandbox, the open-source software for automating analysis of suspicious files. CuckooDroid brings to Cuckoo the capability to execute and analyze Android applications.

elsim - Elements Similarities

  • Similarities/Differences of applications (aka rip-off indicator)
  • This tool detects and reports: the identical methods; the similar methods; the deleted methods; the new methods; the skipped methods.

Dynamic Analysis

APKInspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
DroidBox - DroidBox is developed to offer dynamic analysis of Android applications. Additionally, two images are generated visualizing the behavior of the package. One shows the temporal order of the operations and the other is a treemap that can be used to check similarity between analyzed packages.
ddi - Dynamic Dalvik Instrumentation Toolkit - Simple and easy to use toolkit for dynamic instrumentation of Dalvik code. Instrumentation is based on library injection and hooking method entry points (in-line hooking). The actual instrumentation code is written using the JNI interface. The DDI further supports loading additional dex classes into a process. This enables instrumentation code to be partially written in Java and thus simplifies interacting with the instrumented process and the Android framework.
Hooker - Hooker is an open-source project for dynamic analysis of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application. It leverages the Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...). Collected information can either be stored in a distributed database (e.g. ElasticSearch) or in JSON files. A set of Python scripts is also provided to automate the execution of an analysis to collect any API calls made by a set of applications.
Android-SSL-TrustKiller - Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
JustTrustMe - Cert Pinning using Xposed - An Xposed module that disables SSL certificate checking. This is useful for auditing an application which does certificate pinning. You can read about the practice of cert pinning here. There also exists a nice framework built by @moxie to aid in pinning certs in your app: certificate pinning
AndroidPinning - AndroidPinning is a standalone Android library project that facilitates certificate pinning for SSL connections from Android apps, in order to minimize dependence on Certificate Authorities.

AndBug - A Scriptable Android Debugger

  • AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.


  • GDB fork targeting Android/Fennec development

How to avoid certificate pinning in the latest versions of Android

Static Analysis

Dissect Android APKs like a Pro - Static code analysis
Androguard - Androguard is mainly a tool written in python to play with: Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), APK (Android application) (.apk), Android's binary xml (.xml), Android Resources (.arsc). Androguard is available for Linux/OSX/Windows (python powered).
Dexter - Dexter is a static android application analysis tool.
Static Code Analysis of Major Android Web Browsers
Androwarn - Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application. The detection is performed by static analysis of the application's Dalvik bytecode, represented as Smali. This analysis leads to the generation of a report, according to a technical detail level chosen by the user.
Thresher - Thresher is a static analysis tool that specializes in checking heap reachability properties. Its secret sauce is using a coarse up-front points-to analysis to focus a precise symbolic analysis on the alarms reported by the points-to analysis.
[PAPER] Thresher: Precise Refutations for Heap Reachability
lint - Static Analysis - The Android lint tool is a static code analysis tool that checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.
FlowDroid - Taint Analysis - FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.
[PAPER] FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps - In this work we thus present FlowDroid, a novel and highly precise static taint analysis for Android applications. A precise model of Android's lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help FlowDroid maintain high efficiency and precision at the same time.
dedex - A command-line tool for disassembling Android DEX files.
DexMac - A native OSX application for disassembling Android DEX files.
dexdisassembler - A GTK tool for disassembling Android DEX files.
dex.Net - A Mono/.NET library to parse Android DEX files. Its main purpose is to support utilities for disassembling and presenting the contents of DEX files.
apk2gold - CLI tool for decompiling Android apps to Java. It does resources! It does Java! It's real easy!
Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0
byte-code viewer - Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.

Online APK Analyzers

Mobile Sandbox - Provide an Android application file (apk-file) and the Mobile-Sandbox will analyze the file for any malicious behaviour.
CopperDroid - Upload an .apk for static analysis
Andrototal - AndroTotal is a free service to scan suspicious APKs against multiple mobile antivirus apps.

Attack Platforms

drozer - drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
Android Tamer - Android Tamer is a one-stop tool for performing any kind of operation on Android devices / applications / network (VM)

Android Malware

Rundown of Android Packers
APK File Infection on an Android System
Manifesto - PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file.
Android Hacker Protection Level 0 - DEF CON 22 - Tim Strazzere and Jon Sawyer - Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose from. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyone's enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins your little heart could ever desire.


  • Python script to inject existing Android applications with a Meterpreter payload.

Reverse Engineering Android

APK Studio - Android Reverse Engineering - APK Studio is an IDE for decompiling/editing and then recompiling Android application binaries. Unlike the initial release, which was Windows-exclusive and did not support frameworks, this one is completely rewritten using Qt for cross-platform support. You can now have multiple frameworks installed and pick a particular one on a per-project basis.
Android apk-tool - A tool for reverse engineering third-party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of its project-like file structure and automation of some repetitive tasks like building the apk, etc.
Reversing and Auditing Android’s Proprietary bits
Smali - smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
APKInspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
Dexter - Dexter is a static android application analysis tool
Reversing Android Apps Slides


  • AndroChef Java Decompiler is a Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, 8.1 decompiler for Java that reconstructs the original source code from the compiled binary CLASS files. AndroChef Java Decompiler is able to decompile the most complex Java 6 applets and binaries, producing accurate source code. AndroChef successfully decompiles obfuscated Java 6 and Java 7 .class and .jar files. It supports Java language features like generics, enums and annotations. According to some studies, AndroChef Java Decompiler is able to decompile 98.04% of Java applications generated with traditional Java compilers - a very high recovery rate. It is a simple but powerful tool that allows you to decompile Java and Dalvik bytecode (DEX, APK) into readable Java source. Easy to use.

Instrumenting Android Applications with Frida


  • This software will emulate a smali source file generated by apktool.

ARE - Virtual Machine for Android Reverse Engineering

Android Applications Reversing 101

Android Crackmes

Hacking Android apps with FRIDA I

Want to break some Android apps? - Android Crackmes- Carnal0wnage

Dex Education 201 - Anti-Emulation.pdf

List of Android Crackmes


  • BareDroid allows for bare-metal analysis on Android devices.
  • Paper

Interesting Android Papers

List of important whitepapers
Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks
Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications
Rage Against the Droid: Hindering Dynamic analysis of android malware
APKLancet: Tumor Payload Diagnosis and Purification for Android Applications
DroidRay: A Security Evaluation System for Customized Android Firmwares
VirtualSwindle: An Automated Attack Against In-App Billing on Android
Evading Android Runtime Analysis via Sandbox Detection
Enter Sandbox: Android Sandbox Comparison
Post-Mortem Memory Analysis of Cold-Booted Android Devices
Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Exploring Android KitKat Runtime
Analyzing Inter-Application Communication in Android
Automatically Exploiting Potential Component Leaks in Android Applications
I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis
Bifocals: Analyzing WebView Vulnerabilities in Android Applications
Analyzing Android Browser Apps for file:// Vulnerabilities
FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps
Detecting privacy leaks in Android Apps
From Zygote to Morula: Fortifying Weakened ASLR on Android
Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis
MAdFraud: Investigating Ad Fraud in Android Applications
Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction
NativeGuard: Protecting Android Applications from Third-Party Native Libraries
Into the Droid: Gaining Access to Android User Data - DEFCON
Android Packers
Xprivacy Android
An Empirical Study of Cryptographic Misuse in Android Applications
PowerSpy: Location Tracking using Mobile Device Power Analysis
Obfuscation in Android malware, and how to fight back

PatchDroid: Scalable Third-Party Security Patches for Android Devices

  • Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnerabilities and, in practice, cannot be updated through normal mechanisms since they are no longer supported by the manufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to distribute and apply third-party security patches for Android. Our system is designed for device-independent patch creation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch security vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.

Dissecting the Android Bouncer

Educational Material

OWASP GoatDroid - "OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several features that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform."
Insecure Bank v2 - This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code.

Put a Sock(et) in it: Understanding and Attacking Sockets on Android

  • You're probably wondering how someone could possibly fill a 45 minute slot talking about the security implications of sockets (after all, there are only TCP and UDP sockets, right?). In reality, there are several unique types of sockets used by an Android device. These range from network sockets (the ones we are all familiar with), to local sockets, and even kernel-level sockets. When used improperly, these sockets can have devastating effects on the overall security of a device. In this talk, I'll discuss several types of Linux-based sockets found on Android devices and how these sockets have historically been used to compromise devices. I'll also provide the tools and techniques necessary to enumerate and interact with these sockets on your own device.

Android apps in sheep's clothing

  • We identified a security weakness in Android's approach of handling UI elements, circumventing parts of Android's sandboxing approach. While this attack is simple from a technical point of view, the impact of exploiting such a vulnerability is significant. It affects Android based devices as well as Blackberry mobile devices running the Android runtime environment.


Inside the Android Play Service's magic OAuth flow - Owning google accounts on android devices
Security enhancements in android through its versions
Understanding the Android bytecode - Writeup on reversing/understanding Android Bytecode
ClockLockingBeats - Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads

Hacking Android phone. How deep the rabbit hole goes.

Android Bytecode Obfuscation - Patrick Schulz 2012

Android Pattern Lock Cracker

  • A little Python tool to crack the Pattern Lock on Android devices


Android Hackers Handbook
Android System Security Internals


Android-x86 Project - Run Android on Your PC - This is a project to port the Android open source project to the x86 platform, formerly known as "patch hosting for android x86 support". The original plan was to host different patches for Android x86 support from the open source community. A few months after we created the project, we found out that we could do much more than just hosting patches. So we decided to create our own code base to provide support on different x86 platforms, and set up a git server to host it.
Root Tools - RootTools provides rooted developers a standardized set of tools for use in the development of rooted applications

Protect Your Java Code — Through Obfuscators And Beyond

fdroidcl

  • F-Droid desktop client.


  • Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy S devices.


  • Debugger for HTC phones bootloader (HBOOT).


  • Google Play Crawler