Appendix A

Tool Catalog

This appendix lists publicly available tools that have proven useful for conducting security research on the Android operating system. It is by no means exhaustive: for example, it does not include the tools we developed and included with this book, and new tools are created and released regularly.

Development Tools

Most of the tools described in this section are aimed at application developers, although security researchers may also use them for building proof of concept programs, debugging applications, or coding exploits specific to the Android platform.

Android SDK

The Android Software Development Kit (SDK) provides a set of core development tools, application programming interface (API) libraries, documentation, and sample Android applications. The SDK, together with the Java Development Kit and Apache Ant, is necessary for building, testing, and debugging Android applications.

The Android emulator, which is based on QEMU (short for “Quick EMUlator”), is also included in the SDK. Developers can test the applications developed using the SDK in an emulated environment without the need for a real Android device.

The Android SDK is available for Linux, Mac OS X, and Windows platforms. You can find it at http://developer.android.com/sdk/index.html.

Android NDK

The Android Native Development Kit (NDK) contains everything needed to develop native applications and libraries using C and C++. The NDK includes a complete toolchain that can cross-compile native code for ARM, MIPS, and x86 platforms on Linux, OS X, or Windows. You can find the Android NDK at http://developer.android.com/tools/sdk/ndk/index.html.

Eclipse

Eclipse is a multilanguage Integrated Development Environment (IDE) with an extensible plug-in system that provides a wide variety of features, such as version control integration, code debugging, UML modeling, and database explorers. It has been the officially supported IDE for Android development since early versions of the Android SDK. You can find Eclipse at www.eclipse.org/.

ADT Plug-In

Android offers a custom Eclipse plug-in, the ADT plug-in, which extends Eclipse's capabilities to facilitate Android development. The ADT plug-in enables developers to set up Android projects. Using the plug-in, developers can design Android user interfaces using a graphical editor, as well as build and debug their applications. You can find the ADT plug-in at http://developer.android.com/sdk/installing/installing-adt.html.

ADT Bundle

The Android Developer Tools (ADT) bundle is a single download that contains everything needed for developers to start creating Android applications. It includes the following:

  • The Eclipse IDE with built-in ADT plug-in
  • The Android SDK tools including the Android emulator and Dalvik Debug Monitor Server (DDMS)
  • The Android platform-tools including the Android Debug Bridge (ADB) and fastboot
  • The latest Android platform SDK and system image for the emulator

You can download the ADT bundle from http://developer.android.com/sdk/installing/bundle.html.

Android Studio

Android Studio is an IDE based on IntelliJ IDEA that targets Android development specifically. At the time of this writing, it is still an early access preview and, as such, still contains some bugs and unimplemented features. It is quickly gaining popularity among Android developers, many of whom are switching from the traditionally used Eclipse IDE. Find out more about Android Studio at http://developer.android.com/sdk/installing/studio.html.

Firmware Extraction and Flashing Tools

When conducting security research it is common to flash devices with different firmware versions. On occasion, researchers also need to recover a device from a non-booting state, which requires flashing a stock firmware image to return the device to normal operation. Vendors sometimes distribute firmware packed in proprietary formats, which makes the firmware harder to analyze; if the format is known, there is usually a tool available to extract its original contents. This section presents the most commonly used tools for extracting firmware and flashing devices.

Binwalk

When conducting analysis on firmware images in unknown formats, Binwalk is indispensable. It is similar to the file utility, but instead scans for signatures throughout large binaries. It supports several compression algorithms and is able to extract archives and file system images embedded within a firmware blob. You can read more about Binwalk at http://binwalk.org/.

fastboot

The fastboot protocol lets a host computer talk to the boot loader of an Android device connected via Universal Serial Bus (USB), and the fastboot utility is the command-line client for that protocol. It is most often used to manipulate the contents of the device's flash memory by flashing or erasing whole partitions. You can also use it for other tasks, such as booting a custom kernel without flashing it.

All Nexus devices support the fastboot protocol. Android device manufacturers are allowed to choose if they want to support fastboot or implement their own flashing protocol in their device's boot loaders.

The fastboot command-line utility is included with the Android platform tools in the Android SDK.

Samsung

There are several tools for flashing Samsung devices. The format used in Samsung firmware updates is *.tar.md5, which is simply a tar archive with an md5sum-style line (the MD5 of the archive, two spaces, and the archive name) appended at the end; ODIN checks that MD5 before writing anything to the device. Each file inside the tar.md5 archive corresponds to a raw partition on the device.
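As an added example (not code from the book or from any Samsung tool), the following Python script shows the tar.md5 layout concretely: it builds a constructed package with two dummy partition images, locates the trailer, checks the MD5 against the archive bytes that precede it, and lists the members that would each be written to a raw partition. It assumes the Samsung convention that the trailer is a single line of the form `<md5 hex>  <archive name>` and that the archive before it is a whole number of 512-byte tar blocks, which holds because a tar archive always ends in zero-filled end-of-archive blocks.

```python
"""Inspect a Samsung-style *.tar.md5 firmware package (added example, not from the book)."""
import hashlib
import io
import re
import tarfile

# Trailer as written by md5sum: 32 hex digits, two spaces, the archive name, newline.
TRAILER_RE = re.compile(rb"^([0-9a-fA-F]{32})  (\S+)\n$")
TAR_BLOCK = 512


def build_tar_md5(partitions, archive_name="FIRMWARE.tar"):
    """Construct a tar.md5 package from {member name: image bytes} (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, image in partitions.items():
            info = tarfile.TarInfo(name)
            info.size = len(image)
            tar.addfile(info, io.BytesIO(image))
    archive = buf.getvalue()
    trailer = f"{hashlib.md5(archive).hexdigest()}  {archive_name}\n".encode()
    return archive + trailer


def split_tar_md5(blob):
    """Return (archive bytes, md5 hex from the trailer, archive name).

    A tar archive is a whole number of 512-byte blocks and ends in zero-filled
    end-of-archive blocks, so the trailer is whatever follows the last full block
    (assumption: the trailer line itself is shorter than one block).
    """
    archive_len = len(blob) - len(blob) % TAR_BLOCK
    archive, trailer = blob[:archive_len], blob[archive_len:]
    match = TRAILER_RE.match(trailer)
    if match is None:
        raise ValueError("no md5 trailer found: not a tar.md5 package?")
    return archive, match.group(1).decode().lower(), match.group(2).decode()


def verify_tar_md5(blob):
    """True when the trailer MD5 matches the archive that precedes it."""
    archive, expected, _ = split_tar_md5(blob)
    return hashlib.md5(archive).hexdigest() == expected


def list_partitions(blob):
    """Return [(member name, size)] for a package whose MD5 checks out.

    Each member is a raw partition image; refuse to look inside a package that
    fails verification rather than risk flashing a corrupt or modified image.
    """
    if not verify_tar_md5(blob):
        raise ValueError("MD5 mismatch: package is corrupt or was modified")
    archive, _, _ = split_tar_md5(blob)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [(member.name, member.size) for member in tar.getmembers()]


if __name__ == "__main__":
    # Constructed package: two dummy images standing in for real partition dumps.
    package = build_tar_md5({"boot.img": b"\x00" * 1024, "recovery.img": b"\xff" * 600})
    print("trailer:", split_tar_md5(package)[1:])
    print("members:", list_partitions(package))
    damaged = bytearray(package)
    damaged[700] ^= 0x01            # flip one bit inside the boot.img member
    print("damaged package verifies:", verify_tar_md5(bytes(damaged)))
```

Run it as a script to see the trailer, the member list, and the verification failure after a single flipped bit. On a real package, pass the file contents to `list_partitions` before handing anything to a flashing tool; the member names tell you which partitions the update will overwrite.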

ODIN

ODIN is Samsung's proprietary tool and protocol for flashing and re-partitioning Samsung devices in download mode. In this mode, the boot loader expects to receive data from the host computer over USB. Although Samsung has never officially released the standalone ODIN tool, it is widely used by enthusiasts on several Internet forums, as it makes it possible to flash Samsung devices using the ODIN protocol without installing the full Samsung desktop software. This software works only on Windows and requires installing proprietary Samsung drivers.

Kies

The officially supported software for updating Samsung devices is the Kies desktop software. It is able to check for updates on Samsung's website and sync the device's data with the computer prior to flashing it. Kies is available for both Windows and Mac OS X. You can download Kies from www.samsung.com/kies/.

Heimdall

Heimdall is an open source command-line tool that makes it possible to flash Samsung firmware in ODIN mode, also known as download mode. It uses the popular USB access library libusb and works on Linux, OS X, and Windows. You can find Heimdall at www.glassechidna.com.au/products/heimdall/.

NVIDIA

Most Tegra devices have an NVIDIA proprietary recovery mode which enables you to reflash them, independently of which vendor has manufactured the device.

nvflash

NVIDIA Tegra devices are usually flashed using nvflash, a tool released by NVIDIA for Linux and Windows. It allows communicating with Tegra devices in a low-level diagnostic and device programming mode called APX mode. Accessing APX mode on Windows also requires installing proprietary NVIDIA drivers. You can download nvflash from http://http.download.nvidia.com/tegra-public-appnotes/flashing-tools.html#_nvflash.

LG

LG devices include an Emergency Download Mode (EDM) used to flash the device firmware. You can usually access it with a device-dependent key combination.

LGBinExtractor

LGBinExtractor is an open source command-line tool for extracting the contents of LG's BIN and TOT firmware files. It can split BIN files into the contained partitions, split TOT files into blocks and merge those blocks into the contained partitions, as well as display partition table information. You can find out more about LGBinExtractor at https://github.com/Xonar/LGBinExtractor.

LG Mobile Support Tool

The Mobile Support tool from LG is the proprietary tool to flash LG devices. It is available only for the Windows operating system and requires installing a proprietary LG driver as well. Visit www.lg.com/us/support/mobile-support to find out more about the LG Mobile Support tool.

HTC

HTC has used various proprietary formats for its firmware updates. At first HTC used signed NBH files that contained raw partitions. Later, HTC started using standard zip files containing the partition images. Most recently, HTC has added encryption to those zip files.

unruu

HTC distributes its software updates packaged in a Windows executable, known as ROM Update Utility (RUU). This executable extracts a zip file to a temporary folder and restarts the device in HBOOT mode to flash it.

The unruu utility is a simple Linux command-line tool that enables you to extract the ROM zip file from inside the RUU update executable. You can find unruu at https://github.com/kmdm/unruu.

ruuveal

In 2012, HTC started encrypting the ROM zip files contained inside the RUU executable with a proprietary algorithm. However, the key to decrypt those zip files is contained in the device's HBOOT.

The ruuveal utility enables you to decrypt those encrypted zip files, which renders them usable with any standard zip utility. Visit https://github.com/kmdm/ruuveal.

Motorola

This section presents the common tools to extract firmware files and flash Motorola devices.

RSD Lite

RSD Lite is a proprietary flashing tool for Motorola devices, which is widely available on the Internet. RSD Lite enables you to flash Single Binary File (SBF) firmware files to Motorola devices. It is available only for Windows and requires installing proprietary Motorola drivers.

sbf_flash

The sbf_flash utility is a simple command-line utility that duplicates the functionality of RSD Lite and enables you to flash SBF files to Motorola devices on Linux and Mac OS X. Find out more about sbf_flash at http://blog.opticaldelusion.org/search/label/sbf_flash.

SBF-ReCalc

The SBF-ReCalc tool enables you to split Motorola flash files into the separate files contained in them. It also enables you to create new SBF files and recalculates the correct checksum. It is available for Windows, Linux, and OS X. Unfortunately, it doesn't seem to be maintained anymore. You can find it by searching the Internet or visiting https://web.archive.org/web/20130119122224/http://and-developers.com/sbf.

Native Android Tools

When working at the Android command-line interface, researchers often find themselves limited by the small set of commands provided by the Android toolbox utility. This section covers the minimal set of utilities that will allow a security researcher to inspect and debug Android applications more quickly and comfortably.

BusyBox

BusyBox is a single binary that provides simplified versions of multiple UNIX utilities. It has been specially created for systems with limited resources. Using a single binary makes it easy to transport and install. Also, it saves both disk space and memory.

Each applet can be invoked in one of two ways. The most common is to create a symbolic link to the busybox binary named after each supported utility; BusyBox looks at the name it was invoked with (argv[0]) and runs the matching applet. Some versions of BusyBox implement the --install parameter to automate this process. You can also invoke an applet by passing its name as the first parameter to the busybox binary, for example busybox ls.

If you don't want to compile BusyBox yourself, several Android builds are freely available through the Google Play store. Visit www.busybox.net/ to find out more.

setpropex

setpropex is a system properties editor very similar to the setprop utility that comes with Android. In addition to the functionality offered by setprop, setpropex can change read-only system properties (those prefixed with ro.) by attaching to the init process with ptrace and editing the property area in its memory, which requires root. You can download it from https://docs.google.com/open?id=0B8LDObFOpzZqY2E1MTIyNzUtYTkzNS00MTUwLWJmODAtZTYzZGY2MDZmOTg1.

SQLite

A lot of Android applications use the SQLite database engine to manage their own private databases or to store data exposed through a content provider. Having a sqlite3 binary on the device itself makes command-line client access to those databases very convenient. When auditing applications that use SQLite databases, researchers can execute raw SQL statements to inspect or manipulate the database. Visit www.sqlite.org/ to find out more.

strace

strace is a useful diagnostic tool that enables you to monitor and trace the system calls executed by a process. It also shows which signals the program receives and allows saving its output to disk. It is very useful for doing a quick diagnostic and minimal debugging of native programs, especially when source code is not available. You can download strace from http://sourceforge.net/projects/strace/.

Hooking and Instrumentation Tools

Sometimes you want to inspect or alter the behavior of an application for which source code is not available. Sometimes you want to change or extend its functionality at runtime, trace its execution flow, and so on. The tools described in this section provide a comfortable way for security researchers to hook and instrument Android applications.

ADBI Framework

This Dynamic Binary Instrumentation (DBI) framework, created by Collin Mulliner, enables you to change a process at runtime by injecting your own code into the process. For example, it contains sample instruments used to sniff Near Field Communications (NFC) between the NFC stack process and the NFC chip. You can find out more about ADBI Framework at www.mulliner.org/android/.

ldpreloadhook

The ldpreloadhook tool facilitates function-level hooking of dynamically linked native programs. It uses the LD_PRELOAD environment variable to have the dynamic linker load a shared library ahead of the program's other libraries, so that its definitions of functions such as free take precedence. Among other things, it allows printing the contents of buffers before they are freed. This is especially useful when reverse-engineering native binaries. Note that LD_PRELOAD only intercepts calls resolved through the dynamic linker; statically linked programs are not affected. Visit https://github.com/poliva/ldpreloadhook for more information.

XPosed Framework

XPosed framework enables you to modify the appearance and behavior of the system or of individual applications at runtime, without modifying any Android application package (APK) or re-flashing.

This framework is hooked into Zygote by replacing the app_process binary. It allows hooking any method in any class: it is possible to change the parameters of the method call, to modify the method's return value, to skip the method call entirely, and to replace or add resources. This makes it a powerful framework for developing runtime system modifications that can affect any application or the Android Framework itself. You can find out more at http://forum.xda-developers.com/showthread.php?t=1574401.

Cydia Substrate

Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.

Substrate is similar in functionality to XPosed Framework. However, it doesn't replace any system components to work. Further, it allows injecting your own code into every single process. That means it can hook native code as well as Dalvik methods. Substrate provides well-documented core application programming interfaces (APIs) for making modifications to C and Java processes. Read more about Cydia Substrate at www.cydiasubstrate.com/.

Static Analysis Tools

This section presents the tools we find useful for static analysis of Android applications. Because Dalvik (Android's Java virtual machine [VM] implementation) bytecode can be translated into Java bytecode fairly easily, some of the tools described here were not specifically written for Android.

Smali and Baksmali

Smali is an assembler for the Dalvik executable (DEX) format. Baksmali is the equivalent disassembler for Dalvik bytecode. Smali supports the full functionality of the DEX format including annotations, debug info, line info, and so on.

Smali syntax is based on Jasmin and dedexer. Jasmin is the de facto standard assembly format for Java. dedexer is another DEX file disassembler that supports Dalvik op-codes. Check out https://code.google.com/p/smali/ for more information.

Androguard

Androguard is an open source reverse-engineering and analysis framework written in Python. It can transform Android's binary extensible markup language (XML) into readable XML and includes a Dalvik decompiler (DAD) that can decompile directly from Dalvik bytecode to Java source.

Androguard can disassemble, decompile, and modify DEX and Optimized Dalvik executable (ODEX) files, and format them into full Python objects. It has been written with modularity in mind and allows for integration into other projects. It provides access to perform static code analysis on objects like basic blocks, instructions, and permissions. Find out more about Androguard at https://code.google.com/p/androguard/.

apktool

apktool is an open source Java tool for reverse-engineering Android applications. It can decode APK files into the original resources contained in them in human-readable XML form. It also produces disassembly output of all classes and methods contained using Smali.

After an application has been decoded with apktool, you can work with the output produced to modify resources or program behavior. For example, you can translate the strings or change the theme of an application by modifying resources. In the Smali code, you can add new functionality or alter the behavior of existing functionality. After you're done with your changes, you can use apktool to build an APK from the already decoded and modified application. The rebuilt APK is unsigned; sign it (for example with jarsigner) before installing it, and bear in mind that it will not install as an update over the original package because its signature no longer matches. Visit https://code.google.com/p/android-apktool/.
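Smali/baksmali and apktool regenerate the DEX header for you when they reassemble, but if you patch a classes.dex directly with a hex editor the runtime will reject it, because the header carries a SHA-1 signature and an Adler-32 checksum over the rest of the file. The following Python script is an added example (not code from the book, the smali project, or apktool) that checks those fields and repairs them after a byte-level patch. It relies only on the DEX header layout from the format specification: checksum at offset 8 covering everything from offset 12 onward, the 20-byte signature at offset 12 covering everything from offset 32 onward, and file_size, header_size and endian_tag at offsets 32, 36 and 40. The toy DEX it builds is constructed for the demonstration and has no code in it.

```python
"""Check and repair the DEX header checksum and signature (added example, not from the book)."""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70            # header_item is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678


def dex_fields(data):
    """Return (magic, checksum, signature, file_size, header_size, endian_tag)."""
    if len(data) < HEADER_SIZE or not data.startswith(b"dex\n"):
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    return data[:8], checksum, data[12:32], file_size, header_size, endian_tag


def compute_checksum(data):
    """Adler-32 over everything after the checksum field (offset 12 to end of file)."""
    return zlib.adler32(data[12:]) & 0xFFFFFFFF


def compute_signature(data):
    """SHA-1 over everything after the signature field (offset 32 to end of file)."""
    return hashlib.sha1(data[32:]).digest()


def verify_dex(data):
    """Report which header fields agree with the bytes of the file."""
    magic, checksum, signature, file_size, header_size, endian_tag = dex_fields(data)
    return {
        "magic": magic[4:7].isdigit() and magic[7] == 0,    # "dex\n" + version + NUL
        "file_size": file_size == len(data),
        "header_size": header_size == HEADER_SIZE,
        "endian": endian_tag == ENDIAN_CONSTANT,
        "signature": signature == compute_signature(data),
        "checksum": checksum == compute_checksum(data),
    }


def fix_dex(data):
    """Recompute file_size, signature and checksum after a byte-level patch.

    Order matters: the signature covers file_size, and the checksum covers
    the signature, so the three fields must be written in this sequence.
    """
    buf = bytearray(data)
    struct.pack_into("<I", buf, 32, len(buf))
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def make_toy_dex(payload=b""):
    """Constructed minimal DEX: a valid header with empty tables plus a payload.

    Real files carry string/type/proto/field/method tables; this only exercises
    the header fields that the checks above look at.
    """
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<III", header, 32, 0, HEADER_SIZE, ENDIAN_CONSTANT)
    return fix_dex(bytes(header) + payload)


if __name__ == "__main__":
    dex = make_toy_dex(b"\x00" * 16)
    patched = dex[:-1] + b"\x01"          # a one-byte patch, as after hand-editing
    print("original:", verify_dex(dex))
    print("patched: ", verify_dex(patched))
    print("repaired:", verify_dex(fix_dex(patched)))
```

On a real classes.dex, read the file, run `verify_dex` to see which fields a patch invalidated, and write back the result of `fix_dex` before repackaging and signing the APK.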

dex2jar

dex2jar is an open source project written in Java. It provides a set of tools to work with Android DEX and Java CLASS files.

The main purpose of dex2jar is to convert a DEX/ODEX into the Java Archive (JAR) format. This enables decompilation using any existing Java decompiler, even those not specific to Android bytecode.

Other features of dex2jar include assembling and disassembling class files to and from Jasmin, decrypting strings in place inside a DEX file, and signing APK files. It also supports automatically renaming the package, classes, methods, and fields inside DEX files, which is especially useful when the bytecode has been obfuscated with ProGuard. You can read more at https://code.google.com/p/dex2jar/.

jad

Java Decompiler (jad) is a closed source and currently unmaintained decompiler for the Java programming language. jad provides a command-line interface to produce readable Java source code from CLASS files.

jad is often used with dex2jar to decompile closed source Android applications. You can download jad from http://varaneckas.com/jad/.

JD-GUI

JD-GUI is a closed source Java decompiler that reconstructs Java source code from CLASS files. It provides a graphical interface to browse the decompiled source code.

Combined with dex2jar, you can use JD-GUI to decompile Android applications. It is often used to supplement or complement jad. Sometimes one decompiler produces better output than the other. Find out more at http://jd.benow.ca/#jd-gui.

JEB

JEB is a closed source, commercial Dalvik bytecode decompiler that produces readable Java source code from Android's DEX files.

Similar to Androguard's decompiler DAD, JEB does not need a dex2jar conversion to produce Java source. The main advantage of JEB is that it works as an interactive decompiler: you can examine cross-references, navigate between code and data, and deal with ProGuard obfuscation by interactively renaming methods, fields, classes, and packages. Visit www.android-decompiler.com/ to find out more about JEB.

Radare2

Radare2 is an open source, portable reverse-engineering framework to manipulate binary files. It is composed of a highly scriptable hexadecimal editor with a wrapped input/output (I/O) layer supporting multiple back ends. It includes a debugger, a stream analyzer, an assembler, a disassembler, code analysis modules, a binary diffing tool, a base converter, a shell-code development helper, a binary information extractor, and a block-based hash utility. Although Radare2 is a multipurpose tool, it is especially useful for disassembling Dalvik bytecode or analyzing proprietary binary blobs when dealing with Android reverse engineering.

As Radare2 supports multiple architectures and platforms, you can run it either on the Android device itself or on your computer. Visit www.radare.org/ to download it.

IDA Pro and Hex-Rays Decompiler

The Interactive Disassembler, commonly known as IDA, is a proprietary disassembler and debugger that is able to handle a variety of binaries and processor types. It offers features such as automated code analysis, an SDK for developing plug-ins, and scripting support. Since version 6.1, IDA includes a Dalvik processor module to disassemble Android bytecode in the Professional Edition.

The Hex-Rays Decompiler is an IDA Pro plug-in that converts the disassembled output of x86 and ARM executables into a human readable C-like pseudo-code. You can read more at https://www.hex-rays.com/.

Application Testing Tools

This section presents tools that do not exactly fit well with the other sections of this appendix; those tools are used mostly to conduct security testing and vulnerability analysis of Android applications.

Drozer (Mercury) Framework

Drozer, formerly known as Mercury, is a framework for hunting for and exploiting vulnerabilities on Android. It automates checking for common things such as exported activities, exported services, exported broadcast receivers, and exported content providers. Further, it tests applications for common weaknesses such as SQL injection, shared user IDs, or leaving the debuggable flag enabled. Go to http://mwr.to/mercury to find out more about Drozer.
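The first thing Drozer automates, the attack-surface inventory, follows a small set of platform rules that are worth knowing even when you use the tool. The script below is an added example (not Drozer code and not from the book) that applies those rules to a decoded AndroidManifest.xml: an explicit android:exported attribute wins; otherwise activities, services and receivers are exported only if they declare an intent-filter, and content providers are exported by default only when targetSdkVersion is 16 or lower. It also reports the debuggable flag and sharedUserId. The manifest it parses is constructed for the demonstration; a manifest taken from an APK is binary XML and must first be decoded with apktool or Androguard.

```python
"""Triage an AndroidManifest.xml for exported components (added example, not Drozer's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for demonstration only; no such application exists.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim" android:sharedUserId="com.example.shared">
  <uses-sdk android:minSdkVersion="9" android:targetSdkVersion="16"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".SecretActivity"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.USE_SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
    <provider android:name=".PrivateProvider" android:authorities="com.example.priv"
        android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def target_sdk_version(root):
    """targetSdkVersion, falling back to minSdkVersion and then to 1 as the platform does."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(attr(uses_sdk, "targetSdkVersion") or attr(uses_sdk, "minSdkVersion") or 1)


def is_exported(component, target_sdk):
    """Apply the platform defaults for whether another app can reach this component."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk <= 16          # providers flipped to non-exported at API 17
    return component.find("intent-filter") is not None


def triage_manifest(xml_text):
    """Return package name, debuggable flag, sharedUserId and the exported components.

    Each exported entry is (tag, name, permission); a permission of None means
    any application on the device can talk to the component.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    target_sdk = target_sdk_version(root)
    exported = [
        (c.tag, attr(c, "name"), attr(c, "permission"))
        for c in app
        if c.tag in COMPONENT_TAGS and is_exported(c, target_sdk)
    ]
    return {
        "package": root.get("package"),
        "debuggable": (attr(app, "debuggable") or "false").lower() == "true",
        "shared_user_id": root.get(f"{{{ANDROID_NS}}}sharedUserId"),
        "exported": exported,
    }


if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    print(findings["package"], "debuggable:", findings["debuggable"],
          "sharedUserId:", findings["shared_user_id"])
    for tag, name, permission in findings["exported"]:
        print(f"  exported {tag} {name} permission={permission or 'NONE'}")
```

The sample deliberately mixes all four cases: an activity exported by its intent-filter, a service exported explicitly but gated by a permission, a receiver listening for BOOT_COMPLETED, and a provider that is reachable only because targetSdkVersion is 16. The components the script flags with no permission are the ones to point Drozer's content provider and intent modules at first.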

iSEC Intent Sniffer and Intent Fuzzer

iSEC Intent Sniffer and Intent Fuzzer, two tools from iSEC Partners, run on the Android device itself and help the security researcher in the process of monitoring and capturing broadcasted intents. They find bugs by fuzzing components such as broadcast receivers, services, or single activities. You can read more about the tools at https://www.isecpartners.com/tools/mobile-security.aspx.

Hardware Hacking Tools

Leveraging physical access to attack embedded devices is made easier through the use of several specialized tools. These tools include custom devices and software that focus on filling a specific need. Whether you're targeting an Android device or some other embedded device, these tools will help you along the way.

Segger J-Link

Segger's J-Link device is a middle-tier JTAG debug probe. You can use it to interface with a variety of different JTAG-enabled devices. More information is available at http://www.segger.com/debug-probes.html.

JTAGulator

Joe Grand's JTAGulator device saves time when identifying the purpose of unknown test points on a device. It only requires you to connect wires to the test points once and then automatically determines each pin's purpose. You can find more information about JTAGulator at http://www.grandideastudio.com/portfolio/jtagulator/.

OpenOCD

The Open On-Chip Debugger (OpenOCD) software is an open source solution for interfacing with various JTAG-enabled devices. It allows you to use less expensive JTAG adapters and quickly modify the code as needed for your project. Read more about OpenOCD at http://openocd.sourceforge.net/.

Saleae

Saleae's logic analyzers enable you to monitor electrical signals in real time. With features like real-time decoding and support for many protocols, a Saleae makes monitoring data traversing circuits more fun and easy. Further information is available at http://www.saleae.com/.

Bus Pirate

The Bus Pirate, developed by Dangerous Prototypes, is an open source hardware device that enables you to speak to electronic devices. It supports debugging, programming, and interrogating chips through the use of standard protocols and a command line interface. More information about the Bus Pirate is available at http://dangerousprototypes.com/bus-pirate-manual/.

GoodFET

Travis Goodspeed's GoodFET is an open source flash emulation tool (FET) and JTAG adapter. It is similar to the Bus Pirate in many ways, but is based on different hardware. To learn more about the GoodFET, visit http://goodfet.sourceforge.net/.

Total Phase Beagle USB

Total Phase's line of USB Analyzer products let you monitor data moving across USB connections at a variety of speeds. They come with custom software that makes decoding communications easy, even if custom data formats are used. More information is available at http://www.totalphase.com/protocols/usb/.

Facedancer21

Travis Goodspeed's Facedancer21 is an open source hardware device that allows you to take the role of a USB device or host. Once connected, you write your emulation code in Python and respond to the peer however you like. This enables USB fuzzing as well as emulating just about any USB device imaginable. You can read more about the Facedancer at http://goodfet.sourceforge.net/hardware/facedancer21/ or purchase assembled units at http://int3.cc/products/facedancer21.

Total Phase Beagle I2C

Total Phase's line of I2C Host Adapter products enable communicating with electronics that talk over I2C interfaces. It plugs into your machine using USB and includes custom software to make talking to I2C easy. Further information about this device is available at http://www.totalphase.com/protocols/i2c/.

Chip Quik

Chip Quik is a low-melting-point alloy that makes it easy to remove surface mount components from a circuit board. Mixed into the existing joints, it lowers their melting point well below that of regular solder, which otherwise solidifies almost instantly, so the solder stays liquid long enough for you to lift the component off. You can read more about Chip Quik at http://www.chipquikinc.com/ and purchase it from just about any electronics supply shop.

Hot air gun

A hot air gun …

Xeltek SuperPro

Xeltek's line of products under the SuperPro moniker enables access to reading and writing many different types of flash memory. Xeltek makes adapters to support many different form factors and provides software to make the process easy. More information about Xeltek's products is available at http://www.xeltek.com/.

IDA

Hex-Rays' Interactive Disassembler (IDA) products let you peer into the inner workings of closed-source software. It is available in a free, limited evaluation version and a Pro version. The Pro version supports many instruction set architectures (ISAs) and binary formats. You can learn more about IDA, and download the free version, from https://www.hex-rays.com/products/ida/index.shtml.
