Tools to help test the security of Android applications

Wireshark is a good tool to see if the application is sending sensitive data in cleartext over the network. Also, you can use ssh and adb to look at the data stored on the SD card and the file permissions, to see if sensitive data is being stored in cleartext.

Some free static analysis tools for Android applications:

  • Comdroid checks for vulnerabilities related to the use of Intents. See this presentation for a description of those vulnerabilities, and other pitfalls.

  • Stowaway checks for overprivilege: i.e., it checks to see if the application requests permissions that its code doesn't seem to use.

Keep in mind that these are research tools. Moreover, they focus only on a very specific set of vulnerabilities. They are not general-purpose static analysis tools, and are not a substitute for a general-purpose security static analysis tool for Android (like Fortify); they are better thought of as a supplement to the other tools available to you.

Some security static analysis vendors have support for analyzing Android applications, e.g., Fortify. Expect these to be expensive.

See also the following questions on this site:

  • Any useful tools for Android source code review? (but beware that many of the tools listed there are merely generic Java code scanners and do not have any knowledge of Android APIs, so are likely to be of limited use for assessing the security of an Android application)

  • iOS/Android Pen-Test

  • Android API/development security pitfalls

  • Android/iOS application security testing checklist
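One way to carry out the file-permission check mentioned at the top of this answer, as an added example that is not part of the original post: a POSIX shell function that parses the output of `adb shell ls -l` for an app's private data directory and flags entries whose "other" mode bits let any app on the device read or write them. The package name, paths and the sample listing are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag world-readable / world-writable entries in an Android
# app's data directory from `adb shell ls -l` output. Only the first field
# (mode) and the last field (name) are used, so the check works whether the
# device's toolbox prints a size column for directories or not.

# Constructed sample, as if from: adb shell ls -l /data/data/com.example.app/
# (placeholder package name; the lines are not real device output)
SAMPLE_LS='-rw-rw-rw- u0_a42 u0_a42 1024 2013-03-01 10:00 shared_prefs/creds.xml
-rw------- u0_a42 u0_a42 4096 2013-03-01 10:00 databases/app.db
-rw-r--r-- u0_a42 u0_a42 512 2013-03-01 10:00 files/session.txt
drwxrwx--x u0_a42 u0_a42 2013-03-01 10:00 cache'

# Print "<mode> <name> <problem>" for every entry whose "other" bits grant
# read or write. Execute-only on a directory (the normal mode of an app's
# data dir) is left alone; owner/group bits are not examined.
flag_world_accessible() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        mode=$(printf '%s' "$line" | cut -c1-10)
        name=$(printf '%s' "$line" | awk '{print $NF}')
        other=$(printf '%s' "$mode" | cut -c8-10)
        case "$other" in
            *w*) echo "$mode $name world-writable" ;;
            r*)  echo "$mode $name world-readable" ;;
        esac
    done
}

# Number of flagged entries, handy as a pass/fail signal in a test run.
count_flagged() {
    flag_world_accessible "$1" | wc -l | tr -d ' '
}

flag_world_accessible "$SAMPLE_LS"
```

To run it against a real device, replace SAMPLE_LS with `"$(adb shell ls -l /data/data/<package>/...)"` for each subdirectory of interest; flagged files are the ones to open and inspect for cleartext secrets.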

Georgia Weidman published a framework on Android penetration testing here:

https://github.com/georgiaw/Smartphone-Pentest-Framework

She has a forum as well, here, and there is a nice teaser on Vimeo.

There's Mercury from MWR Labs. I've not used it yet, but it looks interesting.