This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Mobile Security Project - Android/References"

From OWASP
(Tools)
(Tools)
Line 36: Line 36:
 
** [http://code.google.com/p/dex2jar/ Dex2Jar] :'' "...Android mobile device runs applications which have been converted into a compact Dalvik Executable (.dex) format. Dex2Jar converts .dex files to Java .class files..." ''
 
** [http://code.google.com/p/dex2jar/ Dex2Jar] :'' "...Android mobile device runs applications which have been converted into a compact Dalvik Executable (.dex) format. Dex2Jar converts .dex files to Java .class files..." ''
 
** [http://code.google.com/p/android-apktool/ ApkTool] :'' "...It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc..." ''
 
** [http://code.google.com/p/android-apktool/ ApkTool] :'' "...It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc..." ''
** [http://java.decompiler.free.fr JD] : Java Decompiler
+
** [http://java.decompiler.free.fr JD-GUI and JD-Eclipse], [http://www.neshkov.com/ DJ] and [http://www.varaneckas.com/jad JAD (mirror)] : Java Decompilers
 +
** [http://code.google.com/p/android4me/downloads/list AXMLPrinter2] - Utility that decodes the Android XML files, such as Manifest.xml ().
 
** [[OWASP O2 Platform]] can be used to review the Android Java source code (create object model of compiled java code, search source-code files, model config files)
 
** [[OWASP O2 Platform]] can be used to review the Android Java source code (create object model of compiled java code, search source-code files, model config files)
 
** Commercial tools (like Fortify, IBM AppScan Source) can parse Java files (the question is "Do they have Android Specific rules")
 
** Commercial tools (like Fortify, IBM AppScan Source) can parse Java files (the question is "Do they have Android Specific rules")
 
** iSec Partners have a number of Android related tools at https://www.isecpartners.com/mobile_application_tools.html
 
** iSec Partners have a number of Android related tools at https://www.isecpartners.com/mobile_application_tools.html
 
  
 
===Media Coverage===
 
===Media Coverage===
 
*  Storing data unencrypted: "Firm finds security holes in mobile bank apps": http://news.cnet.com/8301-27080_3-20021874-245.html  
 
*  Storing data unencrypted: "Firm finds security holes in mobile bank apps": http://news.cnet.com/8301-27080_3-20021874-245.html  
 
* Paypal has issue with lack of SSL in iPhope app: http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html (more to iPhone page)
 
* Paypal has issue with lack of SSL in iPhope app: http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html (more to iPhone page)
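
Review bot: The added AXMLPrinter2 entry ends with an empty parenthetical, "Manifest.xml ().", so whatever was meant to go inside the brackets is missing; either fill it in or drop the brackets. The file an APK actually ships is named AndroidManifest.xml, so the entry should use that name rather than "Manifest.xml". The entry also separates the link from its description with " - " where the neighbouring entries (Dex2Jar, ApkTool, the decompilers line) use " :", and the decompilers line now groups three unrelated projects under one bullet, which makes a dead link harder to spot and prune later; one bullet per tool would match the rest of the list.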

Revision as of 18:03, 8 November 2010

Here are a number of references related to Android Security

Official documentation

Android Security Team

Published Research and presentations

Tools

  • Android Development
  • Android Security Review
    • Smart Phones Dumb Apps : Presentation about how to unpack, disassemble/decompile, and analyze Android applications. Also has a link to some Perl code to automate parts of this process.
    • Dex2Jar : "...Android mobile device runs applications which have been converted into a compact Dalvik Executable (.dex) format. Dex2Jar converts .dex files to Java .class files..."
    • ApkTool : "...It is a tool for reengineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc..."
    • JD-GUI and JD-Eclipse, DJ and JAD (mirror) : Java Decompilers
    • AXMLPrinter2 : Utility that decodes Android XML files, such as Manifest.xml.
    • OWASP O2 Platform can be used to review the Android Java source code (create an object model of compiled Java code, search source-code files, model config files)
    • Commercial tools (like Fortify, IBM AppScan Source) can parse Java files (the question is "Do they have Android-specific rules?")
    • iSec Partners have a number of Android-related tools at https://www.isecpartners.com/mobile_application_tools.html

Media Coverage