
What are some decent frameworks to test the security of Android applications?

With frameworks I mean either software based to automatically scan these applications or a guide (like OWASP has for webapps) to have a good basis to start scanning.

OWASP has a guide that includes best practices for webapps. Often these are applicable as well to Android apps, but it would be nice if there is a dedicated framework.

D.W.
Lucas Kauffman

4 Answers


Wireshark is a good tool to see if the application is sending sensitive data in cleartext over the network. Also, you can use ssh and adb to look at the data stored on the SD card and the file permissions, to see if sensitive data is being stored in cleartext.

Some free static analysis tools for Android applications:

  • Comdroid checks for vulnerabilities related to the use of Intents. See this presentation for description of those vulnerabilities, and other pitfalls.

  • Stowaway checks for overprivilege: i.e., it checks to see if the application requests permissions that its code doesn't seem to use.

Keep in mind that these are research tools. Moreover, they focus only on a very specific set of vulnerabilities. They are not general-purpose static analysis tools, and are not a substitute for a general-purpose security static analysis tool for Android (like Fortify); they are better thought of as a supplement to the other tools available to you.

Some security static analysis vendors have support for analyzing Android applications, e.g., Fortify. Expect these to be expensive.

See also the following questions on this site:

D.W.

Georgia Weidman published a framework on Android penetration testing here:

https://github.com/georgiaw/Smartphone-Pentest-Framework

She has a forum as well here and there is a nice teaser on vimeo.

Lucas Kauffman

There's Mercury from MWR Labs. I've not used it yet, but looks interesting.

Rory McCune

There is a nice methodology available at OASAM to begin Android pen-testing. These days many tutorials are available to begin Android pen-testing; among them I prefer the guide from InfoSec Institute by Srinivas and the one at manifestsecurity by Aditya Agrawal.

A big bundle of tools, frameworks and methodologies is listed in mobilesecuritywiki.

UPDATE:

AndroBugs is a framework written by Yu-Cheng Lin for security analysis of Android apps. It can check for bad coding practices, SSL enforcement of URLs, and much more. We can configure it with MongoDB for massive application analysis.

Anonymous Platypus