└── README.md


/README.md:
--------------------------------------------------------------------------------
  1 | # awesome-mobile-security ![awesome](https://awesome.re/badge.svg)
  2 | 
  3 | 
  4 | Maintained by [@vaib25vicky](https://twitter.com/vaib25vicky) with contributions from the security and developer communities.
  5 |  
  6 | 
  7 | ## Android
  8 | 
  9 | ### General - Blogs, Papers, How To's
 10 | 
 11 | * [Android: Gaining access to arbitrary* Content Providers](https://blog.oversecured.com/Gaining-access-to-arbitrary-Content-Providers/)
 12 | * [Evernote: Universal-XSS, theft of all cookies from all sites, and more](https://blog.oversecured.com/Evernote-Universal-XSS-theft-of-all-cookies-from-all-sites-and-more/)
 13 | * [Interception of Android implicit intents](https://blog.oversecured.com/Interception-of-Android-implicit-intents/)
 14 | * [TikTok: three persistent arbitrary code executions and one theft of arbitrary files](https://blog.oversecured.com/Oversecured-detects-dangerous-vulnerabilities-in-the-TikTok-Android-app/)
 15 | * [Persistent arbitrary code execution in Android's Google Play Core Library: details, explanation and the PoC - CVE-2020-8913](https://blog.oversecured.com/Oversecured-automatically-discovers-persistent-code-execution-in-the-Google-Play-Core-Library/)
 16 | * [Android: Access to app protected components](https://blog.oversecured.com/Android-Access-to-app-protected-components/)
 17 | * [Android: arbitrary code execution via third-party package contexts](https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/)
 18 | * [Android Pentesting Labs - Step by Step guide for beginners](https://medium.com/bugbountywriteup/android-pentesting-lab-4a6fe1a1d2e0)
 19 | * [An Android Hacking Primer](https://medium.com/swlh/an-android-hacking-primer-3390fef4e6a0)
 20 | * [Secure an Android Device](https://source.android.com/security)
 21 | * [Security tips](https://developer.android.com/training/articles/security-tips)
 22 | * [OWASP Mobile Security Testing Guide](https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide)
 23 | * [Security Testing for Android Cross Platform Application](https://3xpl01tc0d3r.blogspot.com/2019/09/security-testing-for-android-app-part1.html)
 24 | * [Dive deep into Android Application Security](https://blog.0daylabs.com/2019/09/18/deep-dive-into-Android-security/)
 25 | * [Pentesting Android Apps Using Frida](https://www.notsosecure.com/pentesting-android-apps-using-frida/)
 26 | * [Mobile Security Testing Guide](https://mobile-security.gitbook.io/mobile-security-testing-guide/)
 27 | * [Mobile Application Penetration Testing Cheat Sheet](https://github.com/sh4hin/MobileApp-Pentest-Cheatsheet)
 28 | * [Android Applications Reversing 101](https://www.evilsocket.net/2017/04/27/Android-Applications-Reversing-101/#.WQND0G3TTOM.reddit)
 29 | * [Android Security Guidelines](https://developer.box.com/en/guides/security/)
 30 | * [Android WebView Vulnerabilities](https://pentestlab.blog/2017/02/12/android-webview-vulnerabilities/)
 31 | * [OWASP Mobile Top 10](https://www.owasp.org/index.php/OWASP_Mobile_Top_10)
 32 | * [Practical Android Phone Forensics](https://resources.infosecinstitute.com/practical-android-phone-forensics/)
 33 | * [Mobile Reverse Engineering Unleashed](http://www.vantagepoint.sg/blog/83-mobile-reverse-engineering-unleashed)
 34 | * [Android Root Detection Bypass Using Objection and Frida Scripts](https://medium.com/@GowthamR1/android-root-detection-bypass-using-objection-and-frida-scripts-d681d30659a7)
 35 | * [quark-engine - An Obfuscation-Neglect Android Malware Scoring System](https://github.com/quark-engine/quark-engine)
 36 | * [Root Detection Bypass By Manual Code Manipulation.](https://medium.com/@sarang6489/root-detection-bypass-by-manual-code-manipulation-5478858f4ad1)
 37 | * [Application and Network Usage in Android](https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1528491463.pdf)
 38 | * [GEOST BOTNET - the discovery story of a new Android banking trojan](http://public.avast.com/research/VB2019-Garcia-etal.pdf)
 39 | * [Mobile Pentesting With Frida](https://drive.google.com/file/d/1JccmMLi6YTnyRrp_rk6vzKrUX3oXK_Yw/view)
 40 | * [Magisk Systemless Root - Detection and Remediation](https://www.mobileiron.com/en/blog/magisk-android-rooting)
 41 | * [AndrODet: An adaptive Android obfuscation detector](https://arxiv.org/pdf/1910.06192.pdf)
 42 | * [Hands On Mobile API Security](https://hackernoon.com/hands-on-mobile-api-security-get-rid-of-client-secrets-a79f111b6844)
 43 | * [Zero to Hero - Mobile Application Testing - Android Platform](https://nileshsapariya.blogspot.com/2016/11/zero-to-hero-mobile-application-testing.html)
 44 | * [How to use FRIDA to bruteforce Secure Startup with FDE-encryption on a Samsung G935F running Android 8](https://github.com/Magpol/fridafde)
 45 | * [Android Malware Adventures](https://docs.google.com/presentation/d/1pYB522E71hXrp4m3fL3E3fnAaOIboJKqpbyE5gSsOes/edit)
 46 | * [AAPG - Android application penetration testing guide](https://nightowl131.github.io/AAPG/)
 47 | * [Bypassing Android Anti-Emulation](https://www.juanurs.com/Bypassing-Android-Anti-Emulation-Part-I/)
 48 | * [Bypassing Xamarin Certificate Pinning](https://www.gosecure.net/blog/2020/04/06/bypassing-xamarin-certificate-pinning-on-android/)
 49 | * [Configuring Burp Suite With Android Nougat](https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/)
 50 | 
 51 |     
 52 | ### Books
 53 | 
 54 |  * [SEI CERT Android Secure Coding Standard](https://www.securecoding.cert.org/confluence/display/android/Android+Secure+Coding+Standard)
 55 |  * [Android Security Internals](https://www.oreilly.com/library/view/android-security-internals/9781457185496/)
 56 |  * [Android Cookbook](https://androidcookbook.com/)
 57 |  * [Android Hacker's Handbook](https://www.amazon.com/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X)
 58 |  * [Android Security Cookbook](https://www.packtpub.com/in/application-development/android-security-cookbook)
 59 |  * [The Mobile Application Hacker's Handbook](https://www.amazon.in/Mobile-Application-Hackers-Handbook-ebook/dp/B00TSA6KLG)
 60 |  * [Android Malware and Analysis](https://www.oreilly.com/library/view/android-malware-and/9781482252200/)
 61 |  * [Android Security: Attacks and Defenses](https://www.crcpress.com/Android-Security-Attacks-and-Defenses/Misra-Dubey/p/book/9780367380182)
 62 |  
 63 | ### Courses
 64 |  
 65 | * [Learning-Android-Security](https://www.lynda.com/Android-tutorials/Learning-Android-Security/689762-2.html)
 66 | * [Mobile Application Security and Penetration Testing](https://www.elearnsecurity.com/course/mobile_application_security_and_penetration_testing/)
 67 | * [Advanced Android Development](https://developer.android.com/courses/advanced-training/overview)
 68 | * [Learn the art of mobile app development](https://www.edx.org/professional-certificate/harvardx-computer-science-and-mobile-apps)
 69 | * [Learning Android Malware Analysis](https://www.linkedin.com/learning/learning-android-malware-analysis)
 70 | * [Android App Reverse Engineering 101](https://maddiestone.github.io/AndroidAppRE/)
 71 | * [Android Pentesting for Beginners](https://manifestsecurity.com/android-application-security/)
 72 |   
 73 | ### Tools
 74 |      
 75 | #### Static Analysis
 76 | 
 77 | * [Amandroid – A Static Analysis Framework](http://pag.arguslab.org/argus-saf)
 78 | * [Androwarn – Yet Another Static Code Analyzer](https://github.com/maaaaz/androwarn/)
 79 | * [APK Analyzer – Static and Virtual Analysis Tool](https://github.com/sonyxperiadev/ApkAnalyser)
 80 | * [APK Inspector – A Powerful GUI Tool](https://github.com/honeynet/apkinspector/)
 81 | * [Droid Hunter – Android application vulnerability analysis and Android pentest tool](https://github.com/hahwul/droid-hunter)
 82 | * [Error Prone – Static Analysis Tool](https://github.com/google/error-prone)
 83 | * [Findbugs – Find Bugs in Java Programs](http://findbugs.sourceforge.net/downloads.html)
 84 | * [Find Security Bugs – A SpotBugs plugin for security audits of Java web applications.](https://github.com/find-sec-bugs/find-sec-bugs/)
 85 | * [Flow Droid – Static Data Flow Tracker](https://github.com/secure-software-engineering/FlowDroid)
 86 | * [Smali/Baksmali – Assembler/Disassembler for the dex format](https://github.com/JesusFreke/smali)
 87 | * [Smali-CFGs – Smali Control Flow Graph’s](https://github.com/EugenioDelfa/Smali-CFGs)
 88 | * [SPARTA – Static Program Analysis for Reliable Trusted Apps](https://www.cs.washington.edu/sparta)
 89 | * [Thresher – To check heap reachability properties](https://plv.colorado.edu/projects/thresher/)
 90 | * [Vector Attack Scanner – To search vulnerable points to attack](https://github.com/Sukelluskello/VectorAttackScanner)
 91 | * [Gradle Static Analysis Plugin](https://github.com/novoda/gradle-static-analysis-plugin)
 92 | * [Checkstyle – A tool for checking Java source code](https://github.com/checkstyle/checkstyle)
 93 | * [PMD – An extensible multilanguage static code analyzer](https://github.com/pmd/pmd)
 94 | * [Soot – A Java Optimization Framework](https://github.com/Sable/soot)
 95 | * [Android Quality Starter](https://github.com/pwittchen/android-quality-starter)
 96 | * [QARK – Quick Android Review Kit](https://github.com/linkedin/qark)
 97 | * [Infer – A Static Analysis tool for Java, C, C++ and Objective-C](https://github.com/facebook/infer)
 98 | * [Android Check – Static Code analysis plugin for Android Project](https://github.com/noveogroup/android-check)
 99 | * [FindBugs-IDEA Static byte code analysis to look for bugs in Java code](https://plugins.jetbrains.com/plugin/3847-findbugs-idea)
100 | * [APK Leaks – Scanning APK file for URIs, endpoints & secrets](https://github.com/dwisiswant0/apkleaks)
101 |       
102 | #### Dynamic Analysis
103 | 
104 | * [Adhrit - Android Security Suite for in-depth reconnaissance and static bytecode analysis based on Ghera benchmarks](https://github.com/abhi-r3v0/Adhrit)
105 | * [Android Hooker - Opensource project for dynamic analyses of Android applications](https://github.com/AndroidHooker/hooker)
106 | * [AppAudit - Online tool ( including an API) uses dynamic and static analysis](http://appaudit.io/)
107 | * [AppAudit - A bare-metal analysis tool on Android devices](https://github.com/ucsb-seclab/baredroid)
108 | * [CuckooDroid - Extension of Cuckoo Sandbox the Open Source software](https://github.com/idanr1986/cuckoo-droid)
109 | * [DroidBox - Dynamic analysis of Android applications](https://code.google.com/p/droidbox/)
110 | * [Droid-FF - Android File Fuzzing Framework](https://github.com/antojoseph/droid-ff)
111 | * [Drozer](https://www.mwrinfosecurity.com/products/drozer/)
112 | * [Marvin - Analyzes Android applications and allows tracking of an app](https://github.com/programa-stic/marvin-django)
113 | * [Inspeckage](https://github.com/ac-pm/Inspeckage)
114 | * [PATDroid - Collection of tools and data structures for analyzing Android applications](https://github.com/mingyuan-xia/PATDroid)
115 | * [AndroL4b - Android security virtual machine based on ubuntu-mate](https://github.com/sh4hin/Androl4b)
116 | * [Radare2 - Unix-like reverse engineering framework and commandline tools](https://github.com/radareorg/radare2)
117 | * [Cutter - Free and Open Source RE Platform powered by radare2](https://cutter.re/)
118 | * [ByteCodeViewer - Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)](https://bytecodeviewer.com/)
119 | * [Mobile-Security-Framework MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
120 | * [CobraDroid - Custom build of the Android operating system geared specifically for application security ](https://thecobraden.com/projects/cobradroid/)
121 | * [Magisk v20.2 - Root & Universal Systemless Interface](https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445)
122 | * [Runtime Mobile Security (RMS) - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
123 | * [MOBEXLER - A Mobile Application Penetration Testing Platform](https://mobexler.com/)
124 | 
125 |         
126 | #### Android Online APK Analyzers
127 | 
128 | * [Oversecured](https://oversecured.com/) - A static vulnerability scanner for Android apps (APK files) containing 90+ vulnerability categories
129 | * [Android Observatory APK Scan](https://androidobservatory.org/upload)
130 | * [Android APK Decompiler](http://www.decompileandroid.com/)
131 | * [AndroTotal](http://andrototal.org/)
132 | * [NVISO ApkScan](https://apkscan.nviso.be/)
133 | * [VirusTotal](https://www.virustotal.com/#/home/upload)
134 | * [Scan Your APK](https://scanyourapk.com/)
135 | * [AVC Undroid](https://undroid.av-comparatives.org/index.php)
136 | * [OPSWAT](https://metadefender.opswat.com/#!/)
137 | * [ImmuniWeb Mobile App Scanner](https://www.htbridge.com/mobile/)
138 | * [Ostor Lab](https://www.ostorlab.co/scan/mobile/)
139 | * [Quixxi](https://quixxisecurity.com/)
140 | * [TraceDroid](http://tracedroid.few.vu.nl/submit.php)
141 | * [Visual Threat](http://www.visualthreat.com/UIupload.action)
142 | * [App Critique](https://appcritique.boozallen.com/)
143 |         
144 | ### Labs
145 |   
146 | * [OVAA (Oversecured Vulnerable Android App)](https://github.com/oversecured/ovaa)
147 | * [DIVA (Damn insecure and vulnerable App)](https://github.com/payatu/diva-android)
148 | * [SecurityShepherd](https://github.com/OWASP/SecurityShepherd)
149 | * [Damn Vulnerable Hybrid Mobile App (DVHMA)](https://github.com/logicalhacking/DVHMA)
150 | * [OWASP-mstg](https://github.com/OWASP/owasp-mstg/tree/master/Crackmes)
151 | * [VulnerableAndroidAppOracle](https://github.com/dan7800/VulnerableAndroidAppOracle)
152 | * [Android InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2)
153 | * [Purposefully Insecure and Vulnerable Android Application (PIIVA)](https://github.com/htbridge/pivaa)
154 | * [Sieve app](https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk)
155 | * [DodoVulnerableBank](https://github.com/CSPF-Founder/DodoVulnerableBank)
156 | * [Digitalbank](https://github.com/CyberScions/Digitalbank)
157 | * [OWASP GoatDroid](https://github.com/jackMannino/OWASP-GoatDroid-Project)
158 | * [AppKnox Vulnerable Application](https://github.com/appknox/vulnerable-application)
159 | * [Vulnerable Android Application](https://github.com/Lance0312/VulnApp)
160 | * [MoshZuk](https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apk)
161 | * [Hackme Bank](http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx)
162 | * [Android Security Labs](https://github.com/SecurityCompass/AndroidLabs)
163 | * [Android-InsecureBankv2](https://github.com/dineshshetty/Android-InsecureBankv2)
164 | * [Android-security](https://github.com/rafaeltoledo/android-security)
165 | * [VulnDroid](https://github.com/shahenshah99/VulnDroid)
166 | * [FridaLab](https://rossmarks.uk/blog/fridalab/)
167 | * [Santoku Linux - Mobile Security VM](https://santoku-linux.com/)
168 | * [Vuldroid](https://github.com/jaiswalakshansh/Vuldroid)
169 | 
170 |   
171 | ### Talks
172 | 
173 | * [Blowing the Cover of Android Binary Fuzzing (Slides)](https://speakerdeck.com/flankerhqd/blowing-the-cover-of-android-binary-fuzzing)
174 | * [One Step Ahead of Cheaters -- Instrumenting Android Emulators](https://www.youtube.com/watch?v=L3AniAxp_G4)
175 | * [Vulnerable Out of the Box: An Evaluation of Android Carrier Devices](https://www.youtube.com/watch?v=R2brQvQeTvM)
176 | * [Rock appround the clock: Tracking malware developers by Android](https://www.youtube.com/watch?v=wd5OU9NvxjU)
177 | * [Chaosdata - Ghost in the Droid: Possessing Android Applications with ParaSpectre](https://www.youtube.com/watch?v=ohjTWylMGEA)
178 | * [Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets](https://www.youtube.com/watch?v=TDk2RId8LFo)
179 | * [Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening](https://www.youtube.com/watch?v=EkL1sDMXRVk)
180 | * [Hide Android Applications in Images](https://www.youtube.com/watch?v=hajOlvLhYJY)
181 | * [Scary Code in the Heart of Android](https://www.youtube.com/watch?v=71YP65UANP0)
182 | * [Fuzzing Android: A Recipe For Uncovering Vulnerabilities Inside System Components In Android](https://www.youtube.com/watch?v=q_HibdrbIxo)
183 | * [Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library](https://www.youtube.com/watch?v=s0Tqi7fuOSU)
184 | * [Android FakeID Vulnerability Walkthrough](https://www.youtube.com/watch?v=5eJYCucZ-Tc)
185 | * [Unleashing D* on Android Kernel Drivers](https://www.youtube.com/watch?v=1XavjjmfZAY)
186 | * [The Smarts Behind Hacking Dumb Devices](https://www.youtube.com/watch?v=yU1BrY1ZB2o)
187 | * [Overview of common Android app vulnerabilities](https://www.bugcrowd.com/resources/webinars/overview-of-common-android-app-vulnerabilities/)
188 | * [Android Dev Summit 2019](https://developer.android.com/dev-summit)
189 | * [Android security architecture](https://www.youtube.com/watch?v=3asW-nBU-JU)
190 | * [Get the Ultimate Privilege of Android Phone](https://vimeo.com/335948808)
191 |   
192 | ### Misc.
193 |     
194 | * [Android-Reports-and-Resources](https://github.com/B3nac/Android-Reports-and-Resources/blob/master/README.md)
195 | * [android-security-awesome](https://github.com/ashishb/android-security-awesome)
196 | * [Android Penetration Testing Courses](https://medium.com/mobile-penetration-testing/android-penetration-testing-courses-4effa36ac5ed)
197 | * [Lesser-known Tools for Android Application PenTesting](https://captmeelo.com/pentest/2019/12/30/lesser-known-tools-for-android-pentest.html)
198 | * [android-device-check - a set of scripts to check Android device security configuration](https://github.com/nelenkov/android-device-check)
199 | * [apk-mitm - a CLI application that prepares Android APK files for HTTPS inspection](https://github.com/shroudedcode/apk-mitm)
200 | * [Andriller - is software utility with a collection of forensic tools for smartphones](https://github.com/den4uk/andriller)
201 | * [Dexofuzzy: Android malware similarity clustering method using opcode sequence-Paper](https://www.virusbulletin.com/virusbulletin/2019/11/dexofuzzy-android-malware-similarity-clustering-method-using-opcode-sequence/)
202 | * [Chasing the Joker](https://docs.google.com/presentation/d/1sFGAERaNRuEORaH06MmZKeFRqpJo1ol1xFieUa1X_OA/edit#slide=id.p1)
203 | * [Side Channel Attacks in 4G and 5G Cellular Networks-Slides](https://i.blackhat.com/eu-19/Thursday/eu-19-Hussain-Side-Channel-Attacks-In-4G-And-5G-Cellular-Networks.pdf)
204 | * [Shodan.io-mobile-app for Android](https://github.com/PaulSec/Shodan.io-mobile-app)
205 | * [Popular Android Malware 2018](https://github.com/sk3ptre/AndroidMalware_2018)
206 | * [Popular Android Malware 2019](https://github.com/sk3ptre/AndroidMalware_2019)
207 | * [Popular Android Malware 2020](https://github.com/sk3ptre/AndroidMalware_2020)    
208 |     
209 |    
210 | ## iOS
211 | 
212 | ### General - Blogs, Papers, How to's
213 | 
214 | * [iOS Security](https://www.cse.wustl.edu/~jain/cse571-14/ftp/ios_security/index.html)
215 | * [Basic iOS Apps Security Testing lab](https://medium.com/@ehsahil/basic-ios-apps-security-testing-lab-1-2bf37c2a7d15)
216 | * [IOS Application security – Setting up a mobile pentesting platform](https://resources.infosecinstitute.com/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/#gref)
217 | * [Collection of the most common vulnerabilities found in iOS applications](https://github.com/felixgr/secure-ios-app-dev)
218 | * [IOS_Application_Security_Testing_Cheat_Sheet](https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet)
219 | * [OWASP iOS Basic Security Testing](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing)
220 | * [Dynamic analysis of iOS apps w/o Jailbreak](https://medium.com/@ansjdnakjdnajkd/dynamic-analysis-of-ios-apps-wo-jailbreak-1481ab3020d8)
221 | * [iOS Application Injection](https://arjunbrar.com/post/ios-application-injection)
222 | * [Low-Hanging Apples: Hunting Credentials and Secrets in iOS Apps](https://spaceraccoon.dev/low-hanging-apples-hunting-credentials-and-secrets-in-ios-apps)
223 | * [Checkra1n Era - series](https://blog.digital-forensics.it/)
224 | * [BFU Extraction: Forensic Analysis of Locked and Disabled iPhones](https://blog.elcomsoft.com/2019/12/bfu-extraction-forensic-analysis-of-locked-and-disabled-iphones/)
225 | * [HowTo-decrypt-Signal.sqlite-for-IOS](https://github.com/Magpol/HowTo-decrypt-Signal.sqlite-for-IOS)
226 | * [Can I Jailbreak?](https://canijailbreak.com/)
227 | * [How to Extract Screen Time Passcodes and Voice Memos from iCloud](https://blog.elcomsoft.com/2019/10/how-to-extract-screen-time-passcodes-and-voice-memos-from-icloud/)
228 | * [Reverse Engineering Swift Apps](https://github.com/iOS-Reverse-Engineering-Dev/Swift-Apps-Reverse-Engineering/blob/master/Reverse%20Engineering%20Swift%20Applications.pdf)
229 | * [Mettle your iOS with FRIDA](https://sensepost.com/blog/2019/mettle-your-ios-with-frida/)
230 | * [A run-time approach for pentesting iOS applications](https://blog.securelayer7.net/a-run-time-approach-for-pen-testing-ios-applications-part-ii-objection-in-action/)
231 | * [iOS Internals vol 2](http://newosxbook.com/bonus/iBoot.pdf)
232 | * [Understanding usbmux and the iOS lockdown service](https://medium.com/@jon.gabilondo.angulo_7635/understanding-usbmux-and-the-ios-lockdown-service-7f2a1dfd07ae)
233 | * [A Deep Dive into iOS Code Signing](https://blog.umangis.me/a-deep-dive-into-ios-code-signing/)
234 | * [AirDoS: remotely render any nearby iPhone or iPad unusable](https://kishanbagaria.com/airdos/)
235 | * [How to access and traverse a #checkra1n jailbroken iPhone File system using SSH](https://aboutdfir.com/jailbreaking-checkra1n-configuration/)
236 | * [Deep dive into iOS Exploit chains found in the wild - Project Zero](https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html)
237 | * [The Fully Remote Attack Surface of the iPhone - Project Zero](https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html)
238 | 
239 | 
240 | ### Books
241 | 
242 | * [Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It](https://www.amazon.com/Hacking-Securing-iOS-Applications-Hijacking/dp/1449318746)
243 | * [iOS Penetration Testing](https://www.apress.com/gp/book/9781484223543)
244 | * [iOS App Security, Penetration Testing, and Development](https://www.allysonomalley.com/)
245 | * [IOS Hacker's Handbook](https://www.amazon.com/iOS-Hackers-Handbook-Charlie-Miller/dp/1118204123)
246 | * [Hacking iOS Applications a detailed testing guide](https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf)
247 | * [Develop iOS Apps (Swift)](https://developer.apple.com/library/archive/referencelibrary/GettingStarted/DevelopiOSAppsSwift/)
248 | * [iOS Programming Cookbook](https://www.packtpub.com/in/application-development/ios-programming-cookbook)
249 | 
250 | ### Courses
251 | 
252 | * [Pentesting iOS Applications](https://www.pentesteracademy.com/course?id=2)
253 | * [Reverse Engineering iOS Applications](https://github.com/ivRodriguezCA/RE-iOS-Apps)
254 | * [App Design and Development for iOS](https://www.coursera.org/learn/ios-app-design-development)
255 | 
256 | ### Tools
257 | 
258 | * [Cydia Impactor](http://www.cydiaimpactor.com/)
259 | * [checkra1n jailbreak](https://checkra.in/)
260 | * [idb - iOS App Security Assessment Tool](https://www.idbtool.com/)
261 | * [Frida](https://github.com/frida/frida/releases)
262 | * [Objection - mobile exploration toolkit by Frida](https://github.com/sensepost/objection)
263 | * [Bfinject](https://github.com/BishopFox/bfinject)
264 | * [iFunbox](http://www.i-funbox.com/)
265 | * [Libimobiledevice - library to communicate with the services of the Apple ios devices](https://www.libimobiledevice.org/)
266 | * [iRET (iOS Reverse Engineering Toolkit)](https://www.veracode.com/sites/default/files/Resources/Tools/iRETTool.zip) - includes oTool, dumpDecrypted, SQLite, Theos, Keychain_dumper, Plutil
267 | * [Myriam iOS](https://github.com/GeoSn0w/Myriam)
268 | * [iWep Pro - wireless suite of useful applications used to turn your iOS device into a wireless network diagnostic tool](https://itunes.apple.com/us/app/iweppro/id578135585?mt=8)
269 | * [Burp Suite](https://portswigger.net/burp/communitydownload)
270 | * [Cycript](https://cydia.saurik.com/api/latest/3)
271 | * [needle - The iOS Security Testing Framework](https://github.com/FSecureLABS/needle)
272 | * [iLEAPP - iOS Logs, Events, And Preferences Parser](https://github.com/abrignoni/iLEAPP)
273 | * [Cutter - Free and Open Source RE Platform powered by radare2](https://cutter.re/)
274 | * [decrypt0r - automatically download and decrypt SecureRom stuff](https://github.com/shinvou/decrypt0r)
275 | * [iOS Security Suite - an advanced and easy-to-use platform security & anti-tampering library](https://github.com/securing/IOSSecuritySuite)
276 | 
277 | ### Labs
278 | 
279 | * [OWASP iGoat](https://www.owasp.org/index.php/OWASP_iGoat_Tool_Project)
280 | * [Damn Vulnerable iOS App (DVIA) v2](https://github.com/prateek147/DVIA-v2)
281 | * [Damn Vulnerable iOS App (DVIA) v1](https://github.com/prateek147/DVIA)
282 | * [iPhoneLabs](https://github.com/SecurityCompass/iPhoneLabs)
283 | * [iOS-Attack-Defense](https://github.com/ManicodeSecurity/iOS-Attack-Defense)
284 | 
285 | ### Talks
286 | 
287 | * [Behind the Scenes of iOS Security](https://www.youtube.com/watch?v=BLGFriOKz6U)
288 | * [Modern iOS Application Security](https://www.infoq.com/presentations/ios-security/)
289 | * [Demystifying the Secure Enclave Processor](https://www.youtube.com/watch?v=7UNeUT_sRos)
290 | * [HackPac Hacking Pointer Authentication in iOS User Space](https://www.youtube.com/watch?v=DJFxhShJ6Ns)
291 | * [Analyzing and Attacking Apple Kernel Drivers](https://www.youtube.com/watch?v=07VqX4bbXTI)
292 | * [Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox](https://www.youtube.com/watch?v=bP5VP7vLLKo)
293 | * [Reverse Engineering iOS Mobile Apps](https://www.bugcrowd.com/resources/webinars/reverse-engineering-ios-mobile-apps/)
294 | * [iOS 10 Kernel Heap Revisited](https://www.youtube.com/watch?v=DNW6Im31lQo)
295 | * [KTRW: The journey to build a debuggable iPhone](https://media.ccc.de/v/36c3-10806-ktrw_the_journey_to_build_a_debuggable_iphone)
296 | * [The One Weird Trick SecureROM Hates](https://media.ccc.de/v/36c3-11238-the_one_weird_trick_securerom_hates)
297 | * [Tales of old: untethering iOS 11-Spoiler: Apple is bad at patching](https://media.ccc.de/v/36c3-11034-tales_of_old_untethering_ios_11)
298 | * [Messenger Hacking: Remotely Compromising an iPhone through iMessage](https://media.ccc.de/v/36c3-10497-messenger_hacking_remotely_compromising_an_iphone_through_imessage)
299 | * [Recreating An iOS 0-Day Jailbreak Out Of Apple's Security Updates](https://www.youtube.com/watch?v=p512McKXukU)
300 | * [Reverse Engineering the iOS Simulator’s SpringBoard](https://vimeo.com/231806976)
301 | * [Attacking iPhone XS Max](https://www.youtube.com/watch?v=8cOx7vfszZU&feature=youtu.be)
302 | 
303 | 
304 | 
305 | ### Misc.
306 |   
307 | * [Most usable tools for iOS penetration testing](https://github.com/ansjdnakjdnajkd/iOS)
308 | * [iOS-Security-Guides](https://github.com/0xmachos/iOS-Security-Guides)
309 | * [osx-security-awesome - OSX and iOS related security tools](https://github.com/ashishb/osx-and-ios-security-awesome)    
310 | * [Trust in Apple's Secret Garden: Exploring & Reversing Apple's Continuity Protocol-Slides](https://i.blackhat.com/eu-19/Thursday/eu-19-Yen-Trust-In-Apples-Secret-Garden-Exploring-Reversing-Apples-Continuity-Protocol-3.pdf)
311 | * [Apple Platform Security](https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf)
312 | * [Mobile security, forensics & malware analysis with Santoku Linux](https://2013.appsecusa.org/2013/wp-content/uploads/2013/12/viaForensics-AppSecUSA-Nov-2013.pdf)
313 | 
314 |     
315 | 


--------------------------------------------------------------------------------