APK stands for Android Application Package. This type of file contains the program or application we want to install, as well as the installer. In other words, it is an installable file designed for Android.
To analyze an application, the first step is to obtain the .APK (Android) or .IPA (iOS) file. To download the .APK from the PlayStore you can use the APKPure service. You only need to give it the official PlayStore URL. This tool makes no changes to the downloaded application, so to date it is a trustworthy service.
This Git repository has an up-to-date list of tools for analyzing Android applications (APK), as does Android Arsenal.
Online Tools
- Mobile Security Framework (MobSF): This is THE tool, the one I openly recommend for dynamic and static analysis of apps, regardless of platform (Android or iOS); if you are going to analyze mobile applications regularly, this tool cannot be missing from your arsenal.
- Quick Android Review Kit or QARK: An automated analysis framework for Android applications that has not been around for long; it is focused on analyzing Android applications and has very good features.
- SandDroid (sample report): One of the best online tools available for automated analysis of Android applications; it performs dynamic and static analysis and also gives a risk score based on the information it manages to collect.
- Reverse.it (sample report): A tool that also performs automated dynamic and static analysis of Android applications; it is especially useful when looking for anomalous behavior in mobile applications.
- Dexter: For a more detailed analysis we can use this tool (free registration required), which is focused on software analysis and lets us collaboratively visualize how the application works, with a powerful search engine that helps us easily find interesting functions on which to focus our attention.
- JavaDecompilers: An online tool that lets us decompile applications online, making it possible to examine their source code from a simple browser; if you found interesting functions to analyze with Dexter, with JavaDecompilers you can examine their internals to see how they work at the code level.
Static Analysis
- Amandroid
- Android Decompiler: not free
- Androwarn: detect and warn the user about potential malicious behaviours developed by an Android application.
- ApkAnalyser
- APKInspector
- CFGScanDroid: Scans and compares CFG against CFG of malicious applications
- ConDroid: Performs a combination of symbolic + concrete execution of the app
- Droid Intent Data Flow Analysis for Information Leakage
- DroidLegacy
- FlowDroid
- Maldrolyzer: extracts actionable data like C&C, phone number etc.
- PScout: A tool that extracts the permission specification from the Android OS source code using static analysis
- Several tools from PSU
- Smali CFG generator
- SmaliSCA: Smali Static Code Analysis
- SPARTA: verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
Dynamic Analysis
- Android DBI framework
- Androl4b: A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
- Android Malware Analysis Toolkit: (linux distro) Earlier it used to be an online analyzer
- Mobile-Security-Framework MobSF: Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
- AppUse – custom build for pentesting
- Cobradroid – custom image for malware analysis
- ViaLab Community Edition
- Droidbox
- Mercury / Drozer
- Xposed: equivalent of doing Stub based code injection but without any modifications to the binary
- Inspeckage: Android Package Inspector: dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
- Android Hooker: Dynamic Java code instrumentation (requires the Substrate Framework)
- ProbeDroid: Dynamic Java code instrumentation
- Android Tamer: Virtual / Live Platform for Android Security Professionals
- DECAF: Dynamic Executable Code Analysis Framework based on QEMU (DroidScope is now an extension to DECAF)
- CuckooDroid: Android extension for Cuckoo sandbox
- Mem: Memory analysis of Android (root required)
- Crowdroid: unable to find the actual tool
- AuditdAndroid: android port of auditd, not under active development anymore
- Android Security Evaluation Framework: not under active development anymore
- Android Reverse Engineering: ARE (android reverse engineering) not under active development anymore
- Aurasium: Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
- Android Linux Kernel modules
- Appie: Appie is a software package that has been pre-configured to function as an Android Pentesting Environment. It is completely portable and can be carried on USB stick or smartphone. This is a one stop answer for all the tools needed in Android Application Security Assessment and an awesome alternative to existing virtual machines.
- StaDynA: a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
- DroidAnalytics: incomplete
- Vezir Project: Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
- MARA: Mobile Application Reverse engineering and Analysis Framework
- NowSecure Lab Automated: Enterprise tool for mobile app security testing both Android and iOS mobile apps. Lab Automated features dynamic and static analysis on real devices in the cloud to return results in minutes.
- Taintdroid: requires AOSP compilation
Tools
- AFLogical: Android forensics tool developed by viaForensics
- Amandroid: Is a static analysis framework for Android apps
- Android backup extractor: Android backup extractor
- Android Loadable Kernel Modules
- Android SDK
- Android4me: J2ME port of Google's Android
- Android-forensics: Open source Android Forensics app and framework
- Android-random: Collection of extended examples for Android developers
- Androwarn: Is a tool whose main aim is to detect and warn the user about potential malicious behaviours developed by an Android application
- ApkAnalyser: Static, virtual analysis tool
- Apk-extractor: Android Application (.apk) file extractor and Parser for Android Binary XML
- Apkinspector: Powerful GUI tool for analysts to analyze the Android applications
- Apk-recovery: Recover main resources from your .apk file
- Audit tools
- bunq fuzzer: Program for testing a mobile app by sending it semi-random inputs
- Canhazaxs: A tool for enumerating the access to entries in the file system of an Android device
- ConDroid: Symbolic/concolic execution of Android apps
- DDMS: Dalvik Debug Monitor Server
- Decaf-platform: DECAF Binary Analysis Platform
- Device Monitor: Graphical user interface for several Android application debugging and analysis tools
- Dexinfo: A very rudimentary Android DEX file parser
- Dexter: Static android application analysis tool
- Dexterity: Dex manipulation library
- Dextools: Miscellaneous DEX (Dalvik Executable) tools
- DidFail: Uses static analysis to detect potential leaks of sensitive information within a set of Android apps
- Drozer: Comprehensive security audit and attack framework for Android
- FindBugs: Find Bugs in Java Programs
- Find Security Bugs: The FindBugs plugin for security audits of Java web applications.
- FlowDroid: Is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications
- Heimdall: Cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung mobile devices
- Hidex: Demo application where a method named thisishidden() in class MrHyde is hidden from disassemblers but no called by the app
- Hooker: Automated Dynamic Analysis of Android Applications
- Maldrolyzer: Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers etc.)
- mbfuzzer: Mobile Application Fuzzer via SSL MITM
- PScout: Analyzing the Android Permission Specification
- Scalpel: A surgical debugging tool to uncover the layers under your app
- SPARTA: Is building a toolset to verify the security of mobile phone applications
- Apk Sign: Sign.jar automatically signs an apk with the Android test certificate.
- SIIS Tools: This page contains a list of software tools created by the SIIS lab
- Smali: An assembler/disassembler for Android's dex format
- Smali-CFGs: Smali Control Flow Graphs
- SmaliEx: A wrapper to get dex from oat
- SmaliSCA: Static Code Analysis for Smali files
- Soot: Java Optimization Framework
- STAMP: STatic Analysis of Mobile Programs
- Systrace: Analyze the performance capturing and displaying execution times of your applications and other Android system processes
- TaintDroid: Tracking how apps use sensitive information required
- Traceview: Graphical viewer for execution logs saved by your application
- Undx: Bytecode translator
- XML-apk-parser: Print AndroidManifest.xml directly from apk file
Vulnerability Analysis
- AndroBugs Framework: Is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
- Devknox: Autocorrect security issues as you write code
- JAADAS: Joint Advanced Defect assEsment for android applications
- Nogotofail
- QARK: Quick Android Review Kit - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
- Quixxi: Free automated vulnerability test.
- SUPER Android Analyzer: Secure, Unified, Powerful and Extensible Rust Android Analyzer
Crawlers
- Google play crawler (Java)
- Google play crawler (Python)
- Google play crawler (Node): get app details and download apps from official Google Play Store.
- Aptoide downloader (Node): download apps from Aptoide third-party Android market
- Appland downloader (Node): download apps from Appland third-party Android market
Fuzzing
- AndroFuzz: A fuzzing utility for Android that focuses on reporting and delivery portions of the fuzzing process
- An Android port of the melkor ELF fuzzer
- IntentFuzzer: is a tool that can be used on any device using the Google Android operating system (OS)
- Radamsa Fuzzer: An Android port of radamsa fuzzer
- Honggfuzz: Security oriented fuzzer with powerful analysis options
- Media Fuzzing Framework for Android
- Melkor: An Android port of the melkor ELF fuzzer
- MFFA: Media Fuzzing Framework for Android
Unpackers / Deobfuscators
- Android Unpacker: Android Unpacker presented at Defcon 22 - Android Hacker Protection Level 0
- Dehoser: Unpacker for the HoseDex2Jar APK Protection which packs the original file inside the dex header
- Kisskiss: Unpacker for various Android packers/protectors
- Simplify: Generic Android Deobfuscator
- ClassNameDeobfuscator: Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
Packers / Obfuscators
- Allatori
- APKfuscator: A generic DEX file obfuscator and munger
- APKProtect
- Bangcle
- DexGuard: Optimizer and obfuscator for Android
- HoseDex2Jar: Adds some instructions to the classes.dex file that Dex2Jar can not process
- ProGuard: Shrinks, optimizes, and obfuscates the code by removing unused code and renaming classes, fields, and methods with semantically obscure names
Reverse Engineering
- AndBug: A Scriptable Android Debugger
- AndroChef: Java Decompiler apk, dex, jar and java class-files
- Androguard: powerful, integrates well with other tools
- Android Framework for Exploitation
- Android OpenDebug: make any application on device debuggable (using cydia substrate)
- APK Studio: Android Reverse Engineering Tool By Vaibhav Pandey a.k.a VPZ
- Apktool: really useful for compilation/decompilation (uses smali)
- ART: GUI for all your decompiling and recompiling needs
- Bypass signature and permission checks for IPCs
- Dare: .dex to .class converter
- Dava: Decompiler for arbitrary Java bytecode
- DecoJer: Java Decompiler
- Dex2Jar: dex to jar converter
- Dex-decomplier: Dex decompiler
- Enjarify: dex to jar converter from Google
- Dedexer: is a disassembler tool for DEX files
- Emacs syntax coloring for smali files
- Fino: Android small footprint inspection tool
- Frida: inject javascript to explore applications and a GUI tool for it
- Indroid: thread injection kit
- IntentSniffer: is a tool that can be used on any device using the Google Android operating system (OS)
- Introspy: Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues
- JAD: Java decompiler
- JADX: Dex to Java decompiler
- JD-GUI: Java decompiler
- JEB Decompiler: The Interactive Android Decompiler
- CFR: Java decompiler
- Krakatau: Java decompiler
- Luyten: Java Decompiler Gui for Procyon
- Procyon: Java decompiler
- FernFlower: Java decompiler
- Redexer: apk manipulation
- Smali viewer
- Simplify Android deobfuscator: Generic Android Deobfuscator
- Bytecode viewer: A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
- Radare2: Unix-like reverse engineering framework and commandline tools
- Reverse Android: Reverse-engineering tools for Android applications
- Xenotix-APK-Decompiler: APK decompiler powered by dex2jar and JAD
- ZjDroid: Android app dynamic reverse tool based on Xposed framework
Network
Toolkits
- Android Malware Analysis Toolkit
- Android Tamer
- Androl4b
- APK Resource Toolkit
- Appie – Android Pentesting Portable Integrated Environment
- AppUse
- AuditdAndroid
- CobraDroid
- CuckooDroid
- MARA_Framework
- Mem
- MobiSec
- Open Source Android Forensics Toolkit
- ProbeDroid
- Santoku
- Vezir-Project
- viaLab Community Edition
Frameworks
Sandboxes
- Android Sandbox
- AndroTotal
- Anubis
- APK Analyzer
- APP-RAY
- AppCritique
- Appknox
- AVCaesar
- AVC UnDroid
- CopperDroid
- Droidbox
- Eacus - MobiSec Lab
- HackApp
- Mobile Malware Analysis
- Mobile Sandbox
- NVISO ApkScan
- SandDroid
- Tracedroid
- VisualThreat
___________________________________________________________________
Taken from: http://blog.segu-info.com.ar/2017/03/herramientas-para-analizar-apk-app.html#herramientas-para-analizar-apk-app
Copyright is respected.