Mobile Application Vetting Tools

If your agency has the expertise in house, you can use the tools listed below to vet an application.

Note: The links below lead to nongovernment websites.

| Tool Name/Link | Description | Operating System | How to procure/obtain |
| --- | --- | --- | --- |
| Apcerto | Risk-rating framework for enabling the vetting of mobile apps for software vulnerabilities. | iOS and Android | Partner |
| Appium | Web tool that allows for automated testing of web, native or hybrid apps. | iOS and Android | Open Source |
| AppVet | NIST tool that will bring together multiple app testing tools and manage the vetting process. | N/A | Open Source |
| BurpSuite | A toolkit for identifying security issues with web applications. | Web based | Partner/Direct |
| Coverity | A variety of tools that can be downloaded or outsourced to test an app. | Languages: C/C++, Java, C#, JavaScript, Objective-C | Direct/Sole Source/Open Source for download on some tools |
| Eggplant | Allows you to test mobile apps from your PC. | iOS, Android, Windows 8 | Partner |
| HP Fortify | A suite of tools offering both static and dynamic analysis. | iOS, Android | Partners |
| IBM Security AppScan | Scans both web and mobile apps to identify security issues, with support available. | iOS, Android | Partners |
| Klocwork | A suite of tools that helps you review code. | C, C++, Java and C# code | Direct/Sole Source |
| Kryptowire | Automated software tools that look for vulnerabilities. | iOS, Android and Windows | Direct/Sole Source |
| Lookout | App vetting API that allows for integration into existing systems. | Android, iOS | Direct/Sole Source |
| Ranorex | Automated testing of apps available directly from the device. | iOS, Android, Windows 8 | Partner |
| RedHat | Offers an application platform that provides central control of security and policy management. | N/A | Partners |

GitHub.com hosts a vast collection of tools that can be used; below are some samples of the tools that the government has used for mobile application security.

Mobile Device Operating System: iOS

| Tool Name | GitHub description of the tool |
| --- | --- |
| SSL Kill switch | Blackbox tool to disable SSL certificate validation—including certificate pinning—within iOS apps. |
| dump_keychain | A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken. |
| imneos/weak_class-dump | Most useful when you cannot class-dump, when binaries are encrypted, etc. |
| intrepidusgroup/trustme | Requires a jailbroken device. This tweak disables SecTrustEvaluate. It should only be used on testing devices. |
| iSECPartners/Introspy-iOS | Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues. |
| MEMSCAN | An iOS tool for memory scan and dump. |

Mobile Device Operating System: Droid

| Tool Name | GitHub description of the tool |
| --- | --- |
| honeynet/apkinspector | APKinspector is a powerful GUI tool for analysts of Android applications. |
| androguard/androguard | Reverse engineering, malware and goodware analysis of Android applications. |
| maaaaz/androwarn | Static code analyzer for malicious Android applications. |
| jackaduma/apk-view-tracer | The trigger tool for Android dynamic analysis; can also be used in black-box testing of Android development. |
| pjlantz/droidbox | Offers dynamic analysis of Android applications. |
Last Reviewed 2016-03-22