Appie - Android Pentesting Portable Integrated Environment

Appie is a software package that has been pre-configured to function as an Android Pentesting Environment.It is completely portable and can be carried on USB stick.This is a one stop answer for all the tools needed in Android Application Security Assessment.

Difference between Appie and existing environments ?

• Tools contained in Appie are running on host machine instead of running on virtual machine.
• Less Space Needed(Only 600MB compared to atleast 8GB of Virual Machine)
• As the name suggests it is completely Portable i.e it can be carried on USB Stick or on your own smartphone and your pentesting environment will go wherever you go without any differences.
• Awesome Interface

Which tools are included in Appie ?

• Drozer
• dex2jar
• Androguard
• Introspy-Analyzer
• Jd-Gui
• Android Debug Bridge
• Apktool
• Sublime Text
• Androguard SublimeText Plugin
• Eclipse with Android Developer Tools
• Owasp GoatDroid Project Configured
• Fastboot and sqlite3
• Java Runtime Environment and Python Files.With these you don’t even need to have Python or Java Runtime Environment installed on the computer.
• Nearly all UNIX commands like ls, cat, chmod, cp, find, git, unzip, mkdir, ssh, openssl, keytool ,jarsigner and many others

Download Appie

Read More

Drozer - The Leading Security Assessment Framework for Android

drozer is a comprehensive security audit and attack framework for Android.

With increasing pressure to support mobile working, the ingress of Android into the enterprise is gathering momentum. Have you considered the threat posed by the Android app that supports your business function, or Android devices being used as part of your BYOD strategy?

drozer helps to provide confidence that Android apps and devices being developed by, or deployed across, your organisation do not pose an unacceptable level of risk. By allowing you to interact with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public exploits for Android. For remote exploits, it can generate shellcode to help you to deploy the drozer Agent as a remote administrator tool, with maximum leverage on the device.

Faster Android Security Assessments

drozer helps to reduce the time taken for Android security assessments by automating the tedious and time-consuming.

• Discover and interact with the attack surface exposed by Android apps.
• Execute dynamic Java-code on a device, to avoid the need to compile and install small test scripts.

Test against Real Android Devices

drozer runs both in Android emulators and on real devices. It does not require USB debugging or other development features to be enabled; so you can perform assessments on devices in their production state to get better results.

Automate and Extend

drozer can be easily extended with additional modules to find, test and exploit other weaknesses; this, combined with scripting possibilities, helps you to automate regression testing for security issues.

Test your Exposure to Public Exploits

drozer provides point-and-go implementations of many public Android exploits. You can use these to identify vulnerable devices in your organisation, and to understand the risk that these pose.

Download drozer

Read More

[Drozer] The Leading Security Testing Framework for Android.

drozer enables you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS.

drozer provides tools to help you use and share public Android exploits. It helps you to deploy a drozer agent by using weasel – MWR’s advanced exploitation payload.

For the latest Mercury updates, follow @mwrdrozer.

Features

drozer allows you to use dynamic analysis during an Android security assessment. By assuming the role of an Android app you can:

• find information about installed packages.
• interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services.
• use a proper shell to play with the underlying Linux OS (from the content of an unprivileged application).
• check an app’s attack surface, and search for known vulnerabilities.
• create new modules to share your latest findings on Android.

drozer’s remote exploitation features provide a unified framework for sharing Android payloads and exploits. It helps to reduce the time needed for vulnerability assessments and mobile red-teaming exercises, and includes the outcome of some of MWR’s cutting-edge research into advanced Android payloads and exploits.

How it Works

drozer does all of this over the network: it does not require ADB.

Download Drozer

Read More