Android (and other) Security resources - Get your learning on

[jcase]

Linking to, hinting at, suggesting etc pirated material in this thread, or even this forum, will likely get you a ban from XDA. Some of these resources are not free, in fact some are expensive, but free or cheap alternatives are listed.

This is not an exhaustive list. It is missing things that should be here, even things I have written myself. Please let me know if you have something to add.

Please send me more material to post (no pirated stuff!)

Books:
Android Internals:ower User's View
Android Security Internals
Android Hacker's Handbook

Trainings:
Practical Android Exploitation by Jon 'jcase' Sawyer
RedNaga Training by Tim 'diff' Strazzere, Caleb Fenton and Jon 'jcase' Sawyer

Write Ups:
Foxconn Bootloader Backdoor (Pork Explosion) by Jon 'jcase' Sawyer
Analyzing the WeakSauce Exploit by Jonathan Levin
TrustNone TrustZone Exploit by @beaups
SamDuck Samsung emmc/Bootloader Exploit by @beaups
HTC Desire 310 root backdoor by Tim 'diff' Strazzere and Jon 'jcase' Sawyer

Tools:
Frida - Free
Smali/baksmali - Free
APKTool - Free
JEB - $$
IDA Pro - $$
Binary Ninja - $

 

[autoprime]

Write Up:
bits-please.blogspot.com - @laginimaineb's blog.
Great stuff on TrustZone and more.

Wiki:
droidsec.org/wiki has a ton of resources for Android security.

Hardened Android:
https://github.com/copperhead
https://github.com/copperheados

 

[Android-Andi]

Maybe interesting for you:

https://github.com/android-security
Pure AOSP 4.4 & 5.1 patched until 2016-10-01 android security patch level (3 or 4 commits missing on 4.4 because of some libpng changes, need to take another look on it).

Bunch of kernel CVE fixes http://forum.xda-developers.com/showpost.php?p=69382178&postcount=2

 

[thecoolster]

http://elinux.org/Android_Portal
It is a good website ...please check it out , thanks.
-thecoolster

 

[ukanth]

Another series for Android Security

https://github.com/ashishb/android-security-awesome

 

[Truestark]

Great post. Thanks for resources.

 

[RusherDude]

Awesome post! Thanks!

It's a shame that stuff like IDA Pro is so expensive, if it was more accesible a lot more people will use it and we would get more interesting stuff I think

 

[herrbert74]

What about

https://mobilesecuritywiki.com/

 

[jcase]

Awesome post! Thanks!

It's a shame that stuff like IDA Pro is so expensive, if it was more accesible a lot more people will use it and we would get more interesting stuff I think

IDA Pro has a demo, but you can also look at hopper and binary ninja, both priced far lower.

radare2 is also an option, ive not used it so i havent listed it

 

[REtails]

Thank you for the excellent post jcase!! I have been looking to further my understanding of android security concepts for quite some time now, but never find I have enough time to scour the web for the solid resources I need. I have been engrossed in your 'Practical Android Exploitation' pdf for the past hour now. I hope you know how much this community appreciates your contributions!

Edit: sorry for the misleading comment!~

 

[Matt07211]

Do you guys have any recommend info on reverse engineering, particularly ARM disassembly?
I'll be looking for resources myself but was wondering if you've come across any good info in that area.

 

[Noor369]

Awesome thanks

 

[whirlpool95]

Thanks for the info!

 

[bigsupersquid]

Do you guys have any recommend info on reverse engineering, particularly ARM disassembly?
I'll be looking for resources myself but was wondering if you've come across any good info in that area.

This is a fun tool but not exactly reverse engineering.
https://retdec.com/decompilation/
The official ARM resources are good for basics
http://infocenter.arm.com/help/?topic=/com.arm.doc.dui0068b/CIHEDHIF.html

 

[agathocles11]

Here is some latest collection on - Awesome Android Security (Books, bug bounty, courses, tools, labs, talks, write-ups, cheat sheet, blogs). Might by helpful for someone.
github.com/saeidshirazi/awesome-android-security

 

[galaxys]

^nice collection reference!