This is the mobile security toolchain project. It is loosely based on the MSTG testing tools section (https://github.com/OWASP/owasp-mstg/blob/master/Document/0x08-Testing-Tools.md).

The project is in early beta stage. Feel free to contribute! Note that developments are currently slow as the primary focus is now on developing the MSTG. There are quiet a few bugs when running this on Catalina. We hope to resolve them in 2021 (as Corona outbreak made our work a little harder) unless a volunteer arrives earlier ;-).

Have a Mac OS X based system (needs 10.13.x) with about 4 GB of RAM and 4 GB of free space. Next, install Docker for Mac on it and then:

• if you want to have both the iOS and Android tools, as well as all the scaffolding, just use ./install.sh

• if you want to have the iOS tools only: install brew and Ansible, then type:

   ansible-galaxy install -r requirements.yml
    ansible-playbook -K ./iOS/generic_items.yml

• if you want to have the Android tools only: install brew and Ansible, then type:

  ansible-playbook ./Android/generic_items.yml

Please note: the iOS part requires you to install XCode using the Mac App Store (MAS) which will ask you to authenticate with a popup.

Brew, pip and Ansible will be installed first, if not available. Then generic, iOS and Android tools will be installed:

• autoconf
• bash-completion
• dependency-check
• doxygen
• git
• go
• gpg
• httpie
• ideviceinstaller
• libimobiledevice
• mcrypt
• mitmproxy
• nmap
• node
• python #python 3
• testssl.sh
• openssl
• wget
• atom
• burp-suite
• chromedriver
• docker
• dropbox
• firefox
• google-chrome
• java
• owasp-zap
• sequel-pro
• vagrant
• virtualbox
• Frida
• Radare2
• Objection
• MobSF
• Appmon
• zsh //sh -c "$(curl -fsSL https://raw.githubusercontent.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"

• apktool
• dependency-check
• dex2jar
• ideviceinstaller
• jadx
• libimobiledevice
• mcrypt
• node
• android-studio
• java
• jd-gui
• Nathan
• super analyzer
• Drozer
• Qark

• cmake
• usbmuxd
• libimobiledevice
• qt@4
• class-dump
• itms
• idb
• java

As we are still in development of 1.0, there are the following quirks:

• Some applications might not work the first time as you will first have to start them from your Applications folder, such as: Android Studio (including ADB) & Docker for Mac. After that you have to run the runbooks once more. You should have , after 2 runs of the android runbook (e.g. run android runbook, run android studio, run android runbook, a working adb, given that you use .bash_profile)
• iOS has not been tested on the buildserver (only general and android are, so please test them)
• Some of the output of ansible seems very "drastic": in red/green/yellow. Please wait for it to finish and then see if something failed.
• For iOS you need to run things twice: once to start the installation, while being logged in into the Apple store with your account (actual active state can be achieved by installing any app from the app-store), second time with an active developer account in xCode.
• Lastly, it could be the case when you are testing this on a separate account, which does not have the correct rights for the brew folders. See Issue #30 reported by @TheDauntless. When you are on High Sierra you need to do:

  chgrp -R admin /usr/local/*
  chmod -R g+w /usr/local/*

and otherwise you can follow this fix.

Does something not work? Create an issue, or even better: create a pull-request!

@clviper (reviewing), @andreaslindeboom for a lot of ansible improvements, @meetinthemiddle-be for testing & @sushi2k for contributing & @hierynomus for fixing travis issues & @RiieCco for motivating me to get the project started. @geerlingguy for creating awesome Ansible roles that speeded up the development tremendously. Xebia, as a company from which I used an private repo to start hacking at the project. My wife for supporting me in doing mobile security open source projects in my spare time.