Testing Tools

To perform security testing different tools are available in order to be able to manipulate requests and responses, decompile apps, investigate the behavior of running apps and other test cases and automate them.

The MSTG project has no preference in any of the tools below, or in promoting or selling any of the tools. All tools below have been verified if they are "alive", meaning that updates have been pushed recently. Nevertheless, not all tools have been used/tested by the authors, but they might still be useful when analyzing a mobile app. The listing is sorted in alphabetical order. The list is also pointing out commercial tools. Disclaimer: At the time of writing, we ensure that the tools being used in the MSTG examples are properly working. However, the tools might be broken or not work properly depending on your OS version of both your host computer and your test device. The functioning of the tooling can be further impeded by whether you're using a rooted/jailbroken device, the specific version of the rooting/jailbreak method and/or the version of the tool. The MSTG does not take any responsibility over the working status of the tools. If you find a broken tool or example, please search or file an issue in the tool original page, e.g. in the GitHub issues page.

Mobile Application Security Testing Distributions

  • Androl4b: A virtual machine for assessing Android applications, perform reverse engineering and malware analysis - https://github.com/sh4hin/Androl4b

  • Android Tamer: A Debian-based Virtual/Live Platform for Android Security professionals - https://androidtamer.com/

  • Mobile Security Toolchain: A project used to install many of the tools mentioned in this section, both for Android and iOS at a machine running macOS. The project installs the tools via Ansible - https://github.com/xebia/mobilehacktools

All-in-One Mobile Security Frameworks

Static Source Code Analysis (Commercial Tools)

Dynamic and Runtime Analysis

  • Frida: A dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. It works using a client-server model and allows to inject code into running processes on Android and iOS - https://www.frida.re

  • Frida CodeShare: A project hosting Frida scripts publicly that can help to bypass client side security controls in mobile apps (e.g. SSL Pinning) - https://codeshare.frida.re/

  • NowSecure Workstation (Commercial Tool): Pre-configured hardware and software kit for vulnerability assessment and penetration testing of mobile apps - https://www.nowsecure.com/solutions/power-tools-for-security-analysts/

  • r2frida: A project merging the powerful reverse engineering capabilities of radare2 with the dynamic instrumentation toolkit of Frida https://github.com/nowsecure/r2frida

Reverse Engineering and Static Analysis

  • Binary ninja: A multi-platform software disassembler that can be used against several executable file formats. It is capable of IR (intermediate representation) lifting - https://binary.ninja/

  • Ghidra: An open source software reverse engineering suite of tools developed by the National Security Agency (NSA). Its main capabilities include disassembly, assembly, decompilation, graphing, and scripting - https://ghidra-sre.org/

  • HopperApp (Commercial Tool): A reverse engineering tool for macOS and Linux used to disassemble, decompile and debug 32/64bits Intel Mac, Linux, Windows and iOS executables - https://www.hopperapp.com/

  • IDA Pro (Commercial Tool): A Windows, Linux or macOS hosted multi-processor disassembler and debugger - https://www.hex-rays.com/products/ida/index.shtml

  • radare2: radare2 is a unix-like reverse engineering framework and command line tools - https://www.radare.org/r/

  • Retargetable Decompiler (RetDec): An open source machine-code decompiler based on LLVM. It can be used as a standalone program or as a plugin for IDA Pro or radare2 - https://retdec.com/

Tools for Android

Reverse Engineering and Static Analysis

Dynamic and Runtime Analysis

Bypassing Root Detection and Certificate Pinning

Tools for iOS

Access Filesystem on iDevice

Once you are able to SSH into your jailbroken iPhone you can use an FTP client like the following to browse the file system:

Reverse Engineering and Static Analysis

Dynamic and Runtime Analysis

Bypassing Jailbreak Detection and SSL Pinning

Tools for Network Interception and Monitoring

Interception Proxies


Vulnerable applications

The applications listed below can be used as training materials. Note: only the MSTG apps and Crackmes are tested and maintained by the MSTG project.