A compilation of commonly used Mobile Application Testing Tools, broken down by tool and denoted by Platform (Android or iOS).
MobSF – Platform: Android, iOS
MobSF is as close as you’ll likely get to free, open-source vulnerability scanning for Android and iOS applications, and it is extremely intuitive to use. Once installed, upload the .apk (Android) or .ipa (iOS) to the web interface to run static analysis; for Android, MobSF can also drive a dynamic analysis against an emulator or rooted device.
- Documentation: https://mobsf.github.io/docs/#/
Burpsuite – Platform: Android, iOS
Burpsuite will still be a very integral part of your toolkit. There are a few caveats to successfully intercepting traffic between a physical (or emulated) device and your machine, but there are plenty of resources available. Stay tuned and one will pop up here too!
- Configuring Android Device to Work with Burp: https://portswigger.net/support/configuring-an-android-device-to-work-with-burp
- Configuring iOS Device to Work with Burp: https://portswigger.net/support/configuring-an-ios-device-to-work-with-burp
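The Android caveats are mostly the proxy setting and certificate trust: the device has to be pointed at the Burp listener, and apps targeting API 24 or later ignore user-installed CAs unless their network_security_config opts in, so on a rooted device the Burp CA is better installed as a system trust anchor. The script below is an added example, not part of the original post or of PortSwigger's documentation. It assumes adb and openssl are on PATH, that the Burp listener is bound to a reachable interface, and that the device is rooted with a remountable /system; the ADB and OPENSSL variables are overridable so the helpers can be exercised without a device.

```shell
#!/bin/sh
# Added example: route an Android device through Burp with adb, and install the
# Burp CA as a system trust anchor on a rooted device. Assumptions: adb and
# openssl on PATH, Burp listening on <host>:<port>, device rooted with a
# writable /system. ADB/OPENSSL can be overridden (e.g. ADB=echo) for a dry run.
ADB="${ADB:-adb}"
OPENSSL="${OPENSSL:-openssl}"

# Point the device's global HTTP proxy at the Burp listener. Only apps that
# honour the system proxy are affected; proxy-unaware apps need a VPN or
# transparent-proxy approach instead.
set_device_proxy() {
    host="$1"; port="$2"
    "$ADB" shell settings put global http_proxy "${host}:${port}"
}

# Undo set_device_proxy. ":0" is Android's "no proxy" value.
clear_device_proxy() {
    "$ADB" shell settings put global http_proxy :0
}

# Burp serves its CA in DER form at http://burp while the device is proxied.
# Android's system store wants PEM, named <old-style subject hash>.0.
burp_ca_to_pem() {
    "$OPENSSL" x509 -inform DER -in "$1" -out "$2"
}

burp_ca_hash() {
    "$OPENSSL" x509 -inform PEM -subject_hash_old -in "$1" | head -n 1
}

# Install a PEM CA as a system trust anchor on a rooted device.
# $1 = PEM file, $2 = subject hash from burp_ca_hash.
# On Android 10+ with a verity-protected /system you may first need
# `adb disable-verity` and a reboot before `adb remount` succeeds.
install_system_ca() {
    pem="$1"; hash="$2"
    "$ADB" root
    "$ADB" remount
    "$ADB" push "$pem" "/system/etc/security/cacerts/${hash}.0"
    "$ADB" shell chmod 644 "/system/etc/security/cacerts/${hash}.0"
    "$ADB" reboot
}

# Usage: ./burp-android.sh <burp-host> <burp-port> [cacert.der]
main() {
    set_device_proxy "$1" "$2"
    if [ -n "${3:-}" ]; then
        burp_ca_to_pem "$3" cacert.pem
        install_system_ca cacert.pem "$(burp_ca_hash cacert.pem)"
    fi
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run `clear_device_proxy` when you are done, otherwise the device will keep trying to reach the Burp listener after you close it. Emulators and non-rooted devices can still use the user CA store (Settings > Security > Install from storage), but only for apps that trust user CAs.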
Apktool – Platform: Android
Apktool decodes Android Package (.apk) files to near-original form: binary resources (resources.arsc, AndroidManifest.xml and other compiled XMLs) are turned back into readable XML, and classes.dex is disassembled into smali. It does not produce Java source, so pair it with dex2jar and jd-GUI (below) when you want to read the code rather than the resources.
- Installation Instructions: https://ibotpeaches.github.io/Apktool/install/
- Usage: https://ibotpeaches.github.io/Apktool/documentation/
Dex2jar (d2j) and jd-GUI – Platform: Android
Both d2j and jd-GUI are used in tandem to assist with your review of the application code. Dex2jar converts the Dalvik bytecode in an APK’s classes.dex into Java .class files packed as a .jar, while jd-GUI decompiles those classes back to Java source and gives you an interface to easily review and navigate everything.
To convert .apk to .jar, run the script relevant to your OS (found in resources below):
Windows: d2j-dex2jar.bat myapplication.apk
Linux/macOS: d2j-dex2jar.sh myapplication.apk
Once complete (the output is written next to the input as myapplication-dex2jar.jar), open jd-GUI (downloadable from resources below) and select your .jar file. Note that decompiled output is a reconstruction, not the original source; obfuscated or minified apps will still show renamed classes and members.
- d2j + jd-GUI Usage: https://www.yeahhub.com/decompile-android-application-dex2jar-jd-gui/
- d2j download: https://github.com/pxb1988/dex2jar
- jd-GUI download: http://java-decompiler.github.io/
Android Debug Bridge (ADB) – Platform: Android
ADB is the primary way of connecting and working on your Android device. You’ll use this extremely often for a variety of purposes, some examples include:
- Viewing local storage information
- Viewing application logs (using logcat)
- Uploading or downloading files to/from the device (push/pull)
- Starting activities and firing intents from the shell via the activity manager (e.g., opening the file picker or camera with am start)
- Rebooting into recovery or the bootloader during the rooting process (adb reboot recovery / adb reboot bootloader, after which fastboot takes over)
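The items above, chained together with Apktool and dex2jar from earlier in the list, make up a typical first pass over an installed app. The script below is an added example and not part of the original post or of any of the tools’ own documentation. It assumes adb, apktool and d2j-dex2jar.sh are on PATH and that the target app is debuggable (run-as only works for debuggable builds; on a rooted device replace run-as with su -c). The ADB variable is overridable so the helpers can be exercised without a device, and the package name and pm output used in the comments are constructed.

```shell
#!/bin/sh
# Added example: adb-driven triage of an installed Android app. Assumptions:
# adb, apktool and d2j-dex2jar.sh on PATH; target app debuggable (for run-as)
# or device rooted. ADB can be overridden (e.g. ADB=echo) for a dry run.
ADB="${ADB:-adb}"

# `pm path <pkg>` prints one "package:<path>" line per APK split, e.g.
#   package:/data/app/com.example-1/base.apk   (constructed sample)
# Strip the prefix so each path can be handed to `adb pull`.
strip_package_prefix() {
    sed -n 's/^package://p'
}

# Pull every APK split for a package into $2 (defaults to ./<pkg>).
pull_apk() {
    pkg="$1"; out="${2:-$pkg}"
    mkdir -p "$out"
    "$ADB" shell pm path "$pkg" | tr -d '\r' | strip_package_prefix |
    while IFS= read -r apk; do
        "$ADB" pull "$apk" "$out/"
    done
}

# Static pass: apktool for manifest, resources and smali; dex2jar for a .jar
# you can open in jd-GUI. Output lands next to the APK.
decode_apk() {
    apk="$1"
    apktool d -f "$apk" -o "${apk%.apk}.apktool"
    d2j-dex2jar.sh -f "$apk" -o "${apk%.apk}.jar"
}

# Local storage: list the app's private directory (shared_prefs, databases,
# files). run-as needs a debuggable build; swap in `su -c` on a rooted device.
list_app_data() {
    "$ADB" shell run-as "$1" ls -lR .
}

# Grab a single private file, e.g. shared_prefs/session.xml, via exec-out so
# binary content (SQLite databases) survives intact.
pull_app_file() {
    pkg="$1"; path="$2"; out="$3"
    "$ADB" exec-out run-as "$pkg" cat "$path" > "$out"
}

# Logs: filter logcat to the target's PID instead of grepping the whole stream
# (--pid is available on Android 7+).
tail_app_logs() {
    pkg="$1"
    pid="$("$ADB" shell pidof -s "$pkg" | tr -d '\r')"
    [ -n "$pid" ] || { echo "$pkg is not running" >&2; return 1; }
    "$ADB" logcat --pid="$pid"
}

# Intents: launch the app's main activity from the shell.
launch_app() {
    "$ADB" shell monkey -p "$1" -c android.intent.category.LAUNCHER 1
}

# Usage: ./triage.sh <package-name>
main() {
    pkg="$1"
    pull_apk "$pkg"
    for apk in "$pkg"/*.apk; do decode_apk "$apk"; done
    launch_app "$pkg"
    list_app_data "$pkg"
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

Pull the APK from the device rather than from a store mirror so you analyse exactly the build under test, including any split APKs; and check shared_prefs and databases for tokens or credentials stored in the clear, which is the local-storage finding this workflow most often turns up.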
ADB can be used across both Windows and Linux, so pick whichever you’re most comfortable with. I use Linux if I’m working with a physical USB-connected device, and Windows if I’m emulating.
- ADB Cheat Sheet: https://www.automatetheplanet.com/wp-content/uploads/2019/08/Cheat_sheet_ADB.pdf
- ADB Installation: https://xda-developers.com/install-adb-windows-macos-linux/
I’ll continue to add further tooling as regularly as I can. More coming soon!