This is the mobile security toolchain project. It is loosely based on the MSTG testing tools section (https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md).
The project is in early beta stage. Feel free to contribute! Note that developments are currently slow as the primary focus is now on developing the MSTG. There are quiet a few bugs when running this on Catalina. We hope to resolve them in 2021 (as Corona outbreak made our work a little harder) unless a volunteer arrives earlier ;-).
Have a Mac OS X based system (needs 10.13.x) with about 4 GB of RAM and 4 GB of free space. Next, install Docker for Mac on it and then:
-
if you want to have both the iOS and Android tools, as well as all the scaffolding, just use
./install.sh -
if you want to have the iOS tools only: install brew and Ansible, then type:
ansible-galaxy install -r requirements.yml ansible-playbook -K ./iOS/generic_items.yml
-
if you want to have the Android tools only: install brew and Ansible, then type:
ansible-playbook ./Android/generic_items.ymlPlease note: the iOS part requires you to install XCode using the Mac App Store (MAS) which will ask you to authenticate with a popup.
Brew, pip and Ansible will be installed first, if not available. Then generic, iOS and Android tools will be installed:
- autoconf
- bash-completion
- dependency-check
- doxygen
- git
- go
- gpg
- httpie
- ideviceinstaller
- libimobiledevice
- mcrypt
- mitmproxy
- nmap
- node
- python #python 3
- testssl.sh
- openssl
- wget
- atom
- burp-suite
- chromedriver
- docker
- dropbox
- firefox
- google-chrome
- java
- owasp-zap
- sequel-pro
- vagrant
- virtualbox
- Frida
- Radare2
- Objection
- MobSF
- Appmon
- zsh //sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
- apktool
- dependency-check
- dex2jar
- ideviceinstaller
- jadx
- libimobiledevice
- mcrypt
- node
- android-studio
- java
- jd-gui
- Nathan
- super analyzer
- Drozer
- Qark
- cmake
- usbmuxd
- libimobiledevice
- qt@4
- class-dump
- itms
- idb
- java
As we are still in development of 1.0, there are the following quirks:
- Some applications might not work the first time as you will first have to start them from your Applications folder, such as: Android Studio (including ADB) & Docker for Mac. After that you have to run the runbooks once more. You should have , after 2 runs of the android runbook (e.g. run android runbook, run android studio, run android runbook, a working adb, given that you use .bash_profile)
- iOS has not been tested on the buildserver (only general and android are, so please test them)
- Some of the output of ansible seems very "drastic": in red/green/yellow. Please wait for it to finish and then see if something failed.
- For iOS you need to run things twice: once to start the installation, while being logged in into the Apple store with your account (actual active state can be achieved by installing any app from the app-store), second time with an active developer account in xCode.
- Lastly, it could be the case when you are testing this on a separate account, which does not have the correct rights for the brew folders. See Issue #30 reported by @TheDauntless. When you are on High Sierra you need to do:
chgrp -R admin /usr/local/*
chmod -R g+w /usr/local/*
and otherwise you can follow this fix.
Does something not work? Create an issue, or even better: create a pull-request!
@clviper (reviewing), @andreaslindeboom for a lot of ansible improvements, @meetinthemiddle-be for testing & @sushi2k for contributing & @hierynomus for fixing travis issues & @RiieCco for motivating me to get the project started. @geerlingguy for creating awesome Ansible roles that speeded up the development tremendously. Xebia, as a company from which I used an private repo to start hacking at the project. My wife for supporting me in doing mobile security open source projects in my spare time.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent