## Mobile Application Penetration Testing Cheat Sheet
The Mobile App Pentest cheat sheet was created to provide a concise collection of high-value information on specific mobile application penetration testing topics.
- [All-in-one Mobile Security Frameworks](#all-in-one-mobile-security-frameworks)
- [Android Application Penetration Testing](#android-application-penetration-testing)
- [Android Testing Distributions](#android-testing-distributions)
- [Reverse Engineering and Static Analysis](#reverse-engineering-and-static-analysis)
- [Dynamic and Runtime Analysis](#dynamic-and-runtime-analysis)
- [Network Analysis and Server Side Testing](#network-analysis-and-server-side-testing)
- [Bypassing Root Detection and SSL Pinning](#bypassing-root-detection-and-ssl-pinning)
- [Security Libraries](#security-libraries)
- [iOS Application Penetration Testing](#ios-application-penetration-testing)
- [Access Filesystem on iDevice](#access-filesystem-on-idevice)
- [Reverse Engineering and Static Analysis](#reverse-engineering-and-static-analysis)
- [Dynamic and Runtime Analysis](#dynamic-and-runtime-analysis)
- [Network Analysis and Server Side Testing](#network-analysis-and-server-side-testing)
- [Bypassing Root Detection and SSL Pinning](#bypassing-root-detection-and-ssl-pinning)
- [Security Libraries](#security-libraries)
- [Contribution](#contribution)
- [License](#license)
### All-in-One Mobile Security Frameworks
* [Mobile Security Framework - MobSF](https://github.com/ajinabraham/Mobile-Security-Framework-MobSF) - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
  * `python manage.py runserver 127.0.0.1:1337`
### Android Application Penetration Testing
#### Android Testing Distributions
* [Appie](https://manifestsecurity.com/appie) - A portable software package for Android Pentesting and an awesome alternative to existing Virtual machines.
* [Android Tamer](https://androidtamer.com/) - Android Tamer is a Virtual / Live Platform for Android Security professionals.
* [AppUse](https://appsec-labs.com/AppUse/) - AppUse is a VM (Virtual Machine) developed by AppSec Labs.
* [Androl4b](https://github.com/sh4hin/Androl4b) - A virtual machine for assessing Android applications, reverse engineering and malware analysis.
* [Mobisec](http://sourceforge.net/projects/mobisec/) - Mobile security testing live environment.
* [Santoku](https://santoku-linux.com/) - Santoku is an OS and can be run outside a VM as a standalone operating system.
#### Reverse Engineering and Static Analysis
* [APKInspector](https://github.com/honeynet/apkinspector/) - APKinspector is a powerful GUI tool for analysts to analyze Android applications.
* [APKTool](http://ibotpeaches.github.io/Apktool/) - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
  * Disassembling an Android apk file
    * `apktool d [apk file]`
  * Rebuilding decoded resources back to a binary APK/JAR with certificate signing
    * `apktool b [modified folder]`
    * `keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000`
    * `jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test`
* [Dex2jar](https://github.com/pxb1988/dex2jar) - A tool for converting .dex file to .class files (zipped as jar).
  * Converting an apk file into a jar file
    * `dex2jar [apk file]`
* [Oat2dex](https://github.com/testwhat/SmaliEx) - A tool for converting .oat file to .dex files.
  * Deoptimize boot classes (the output will be in the "odex" and "dex" folders)
    * `java -jar oat2dex.jar boot [boot.oat file]`
  * Deoptimize an application
    * `java -jar oat2dex.jar [app.odex] [boot-class-folder output from above]`
  * Get odex from oat
    * `java -jar oat2dex.jar odex [oat file]`
  * Get odex smali (with optimized opcodes) from oat/odex
    * `java -jar oat2dex.jar smali [oat/odex file]`
* [JD-Gui](http://jd.benow.ca/) - A tool for decompiling and analyzing Java code.
* [FindBugs](http://findbugs.sourceforge.net/) + [FindSecurityBugs](http://h3xstream.github.io/find-sec-bugs/) - FindSecurityBugs is an extension for FindBugs which includes security rules for Java applications.
* [Qark](https://github.com/linkedin/qark) - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
* [AndroBugs](https://github.com/AndroBugs/AndroBugs_Framework) - AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
* [Simplify](https://github.com/CalebFenton/simplify) - A tool for de-obfuscating an Android package into classes.dex, which can then be fed to Dex2jar and JD-GUI to extract the contents of the dex file.
  * `simplify.jar -i [input smali files or folder] -o [output dex file]`
* [ClassNameDeobfuscator](https://github.com/HamiltonianCycle/ClassNameDeobfuscator) - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
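Once `apktool d` has decoded an APK, its AndroidManifest.xml is plain XML and the exported components (the set that drozer's attack-surface module and scanners like Qark report on) can be listed statically. The script below is an added example, not part of the cheat sheet or of any tool listed here; the sample manifest and the `com.example.demo` names in it are constructed.

```python
# Added example, not from the cheat sheet or any listed tool: report the exported
# components of a decoded AndroidManifest.xml (the file `apktool d` writes).
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest so the script runs stand-alone (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.demo.ADMIN"/>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins; otherwise exported iff an <intent-filter> is
    declared. (Providers on targetSdk < 17 default to exported; not modelled.)"""
    explicit = elem.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def attack_surface(manifest_xml):
    """Return (debuggable, findings); each finding is (kind, name, permission)."""
    app = ET.fromstring(manifest_xml).find("application")
    debuggable = (app.get(ANDROID_NS + "debuggable") or "false").lower() == "true"
    findings = [(e.tag, e.get(ANDROID_NS + "name"), e.get(ANDROID_NS + "permission"))
                for e in app if e.tag in COMPONENTS and is_exported(e)]
    return debuggable, findings

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    debuggable, findings = attack_surface(xml_text)
    print(f"debuggable: {debuggable}")
    for kind, name, perm in findings:
        # An exported component with no android:permission is reachable by any app.
        print(f"exported {kind:<8} {name}  permission={perm or 'none (unprotected)'}")
```

Run it as `python attack_surface.py path/to/decoded/AndroidManifest.xml`; without an argument it analyses the constructed sample, flagging the debuggable build and the three unprotected exported components while leaving the non-exported provider out.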
#### Dynamic and Runtime Analysis
* [Introspy-Android](https://github.com/iSECPartners/Introspy-Android) - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
* [Cydia Substrate](http://www.cydiasubstrate.com/) - Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.
* [Xposed Framework](http://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053) - Xposed framework enables you to modify the system or application aspect and behaviour at runtime, without modifying any Android application package(APK) or re-flashing.
* [CatLog](https://github.com/nolanlawson/Catlog) - Graphical log reader for Android.
* [Droidbox](https://code.google.com/p/droidbox/) - DroidBox is developed to offer dynamic analysis of Android applications.
* [Frida](http://www.frida.re/) - The toolkit works using a client-server model and lets you inject into running processes not just on Android, but also on iOS, Windows and Mac.
* [Drozer](https://www.mwrinfosecurity.com/products/drozer/) - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
  * Starting a session
    * `adb forward tcp:31415 tcp:31415`
    * `drozer console connect`
  * Retrieving package information
    * `run app.package.list -f [app name]`
    * `run app.package.info -a [package name]`
  * Identifying the attack surface
    * `run app.package.attacksurface [package name]`
  * Exploiting Activities
    * `run app.activity.info -a [package name] -u`
    * `run app.activity.start --component [package name] [component name]`
  * Exploiting Content Providers
    * `run app.provider.info -a [package name]`
    * `run scanner.provider.finduris -a [package name]`
    * `run app.provider.query [uri]`
    * `run app.provider.update [uri] --selection [conditions] [selection arg] [column] [data]`
    * `run scanner.provider.sqltables -a [package name]`
    * `run scanner.provider.injection -a [package name]`
    * `run scanner.provider.traversal -a [package name]`
  * Exploiting Broadcast Receivers
    * `run app.broadcast.info -a [package name]`
    * `run app.broadcast.send --component [package name] [component name] --extra [type] [key] [value]`
    * `run app.broadcast.sniff --action [action]`
  * Exploiting Services
    * `run app.service.info -a [package name]`
    * `run app.service.start --action [action] --component [package name] [component name]`
    * `run app.service.send [package name] [component name] --msg [wh