Below are some of the best open source mobile application security scanners and related testing tools:
- OWASP Zed Attack Proxy (ZAP): OWASP ZAP is a free, widely used web application security scanner and intercepting proxy, actively maintained by hundreds of volunteers worldwide. It is not mobile-specific: for mobile testing you configure the device or emulator to use ZAP as its HTTP proxy and then use ZAP to find vulnerabilities in the app's backend APIs, either automatically during development and testing or manually, which is how experienced pentesters tend to use it.
- QARK (Quick Android Review Kit): QARK is a static analysis tool that looks for potential security vulnerabilities in Android apps, working from either source code or a packaged APK. It is community-maintained and free for anyone to use. For issues it finds, it also attempts to generate Android Debug Bridge (ADB) commands that help you validate the potential vulnerability on a device.
- Devknox: Devknox is an Android Studio plugin that detects security issues as developers write code and suggests fixes in the IDE, so it works much like an autocorrect for security mistakes. It covers basic mobile security issues rather than deep analysis, and its checks are kept up to date with common mobile security standards.
</gra_replace>
<gr_replace lines="5-5" cat="clarify" orig="- Drozer">
- Drozer: Drozer is a security assessment and attack framework for Android. It lets you take on the role of an Android app and interact with other apps through Android's Inter-Process Communication (IPC) mechanisms, and with the underlying operating system, so you can enumerate and exercise an app's exported attack surface (activities, services, broadcast receivers and content providers). What sets it apart from automated scanners is its interactive nature: it is a console you drive, not a report you read.
- Drozer: Drozer is a comprehensive security and attack framework for Android. This mobile app security testing tool allows you to assume the role of an Android app, and to interact with other apps, through Android’s Inter-Process Communication (IPC) mechanism, and the underlying operating system. What makes it different and unique from other automated scanners is its interactive nature.
- MobSF (Mobile Security Framework): Mobile Security Framework is an automated mobile app security testing tool for Android and iOS apps that performs static analysis, dynamic analysis and web API testing. MobSF is well suited to a quick first-pass security analysis of Android and iOS apps. It accepts binaries (APK and IPA) as well as zipped source code.
- Mitmproxy: Mitmproxy is a free, open source tool that lets you intercept, inspect, modify and replay the traffic flows exchanged between an app and its backend services. The name comes from the attack it reproduces, the Man-in-the-Middle (MITM) attack, in which the attacker secretly relays and possibly alters the communication between two parties who believe they are talking directly to each other. To use it against a mobile app you point the device at mitmproxy as its proxy and install the mitmproxy CA certificate on the device; note that Android apps targeting API 24 and later do not trust user-installed CAs by default, and an app that pins its certificates will refuse the connection until pinning is bypassed.
- iMAS: iMAS (iOS Mobile Application Security) is not a scanner but an open source set of security controls that developers build into an iOS app. It helps encrypt application data, prompt for passwords, detect application tampering and enforce enterprise policies on iOS devices. Whether you need to check for jailbreaks or attached debuggers, protect sensitive information in memory, or mitigate binary patching, iMAS helps your iOS app defend itself in a hostile environment.