Mobile Security Toolchain

This is the mobile security toolchain project. It is loosely based on the MSTG testing tools section (https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md).

Current status

The project is in early beta stage. Feel free to contribute! Note that developments are currently slow as the primary focus is now on developing the MSTG. There are quiet a few bugs when running this on Catalina. We hope to resolve them in 2021 (as Corona outbreak made our work a little harder) unless a volunteer arrives earlier ;-).

Pre-requisites

Have a Mac OS X based system (needs 10.13.x) with about 4 GB of RAM and 4 GB of free space. Next, install Docker for Mac on it and then:

if you want to have both the iOS and Android tools, as well as all the scaffolding, just use ./install.sh

if you want to have the iOS tools only: install brew and Ansible, then type:

ansible-galaxy install -r requirements.yml
ansible-playbook -K ./iOS/generic_items.yml

if you want to have the Android tools only: install brew and Ansible, then type:

  ansible-playbook ./Android/generic_items.yml

Please note: the iOS part requires you to install XCode using the Mac App Store (MAS) which will ask you to authenticate with a popup.

Tools

Brew, pip and Ansible will be installed first, if not available. Then generic, iOS and Android tools will be installed:

Generic Tools

autoconf
bash-completion
dependency-check
doxygen
git
go
gpg
httpie
ideviceinstaller
libimobiledevice
mcrypt
mitmproxy
nmap
node
python #python 3
testssl.sh
openssl
wget
atom
burp-suite
chromedriver
docker
dropbox
firefox
google-chrome
java
owasp-zap
sequel-pro
vagrant
virtualbox
Frida
Radare2
Objection
MobSF
Appmon
zsh //sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

Tools for Android

apktool
dependency-check
dex2jar
ideviceinstaller
jadx
libimobiledevice
mcrypt
node
android-studio
java
jd-gui
Nathan
super analyzer
Drozer
Qark

Tools for iOS

cmake
usbmuxd
libimobiledevice
qt@4
class-dump
itms
idb
java

Quirks

As we are still in development of 1.0, there are the following quirks:

Some applications might not work the first time as you will first have to start them from your Applications folder, such as: Android Studio (including ADB) & Docker for Mac. After that you have to run the runbooks once more. You should have , after 2 runs of the android runbook (e.g. run android runbook, run android studio, run android runbook, a working adb, given that you use .bash_profile)
iOS has not been tested on the buildserver (only general and android are, so please test them)
Some of the output of ansible seems very "drastic": in red/green/yellow. Please wait for it to finish and then see if something failed.
For iOS you need to run things twice: once to start the installation, while being logged in into the Apple store with your account (actual active state can be achieved by installing any app from the app-store), second time with an active developer account in xCode.
Lastly, it could be the case when you are testing this on a separate account, which does not have the correct rights for the brew folders. See Issue #30 reported by @TheDauntless. When you are on High Sierra you need to do:

  chgrp -R admin /usr/local/*
  chmod -R g+w /usr/local/*

and otherwise you can follow this fix.

Contribution

Does something not work? Create an issue, or even better: create a pull-request!

Special thanks to

@clviper (reviewing), @andreaslindeboom for a lot of ansible improvements, @meetinthemiddle-be for testing & @sushi2k for contributing & @hierynomus for fixing travis issues & @RiieCco for motivating me to get the project started. @geerlingguy for creating awesome Ansible roles that speeded up the development tremendously. Xebia, as a company from which I used an private repo to start hacking at the project. My wife for supporting me in doing mobile security open source projects in my spare time.

xebia / mobilehacktools

readme