Run automated dynamic security scans on Android apps you are authorized to test
Check whether sensitive data leaks through logs, clipboard, or insecure storage
Test whether an app's session data is properly cleared after logout
Bypass SSL pinning and root detection to evaluate an app's runtime defenses
| selimwdev/selimdroid | akaakshat246/ecoscore-browser-extension | andrelog99/dam | |
|---|---|---|---|
| Stars | 16 | 16 | 16 |
| Language | JavaScript | JavaScript | JavaScript |
| Setup difficulty | hard | hard | easy |
| Complexity | 4/5 | 3/5 | 2/5 |
| Audience | researcher | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a rooted Android device or emulator plus a running Frida server.
SelimDroid is an open source security testing tool built for Android apps. It falls into a category called DAST, which stands for Dynamic Application Security Testing: instead of just reading an app's code, it watches and interacts with the app while it is actually running on a phone or emulator. The tool connects to a rooted Android device using ADB (Android Debug Bridge) and Frida, a runtime instrumentation toolkit that lets it hook into a live app and inspect what it is doing. Once connected, SelimDroid runs a series of automated checks: it looks for sensitive data stored insecurely in local databases or shared preferences, scans system logs and the clipboard for leaked information, tests whether the app properly detects rooted devices, and attempts to bypass SSL pinning, a common defense against network traffic interception. It also checks exported app components, content providers, and WebViews for common security holes. A notable feature is its post logout validation: after a user logs out of the tested app, SelimDroid checks whether session tokens, cached data, and database records were actually cleared, rather than assuming the logout worked. Some checks need the person running the scan to interact with the app directly, such as logging in, copying something to the clipboard, or moving through a WebView, the tool pauses and prompts for these actions when needed. After a scan finishes, SelimDroid produces a single combined report listing everything it found, saved to a reports folder. To run it, you need Python 3.9 or newer, Frida and its server component, ADB, and a rooted Android device or emulator with USB debugging turned on. This is a specialist tool aimed at security researchers and penetration testers, not general app developers. The author states it is meant only for authorized testing, security research, and educational use, and should not be run against apps or systems without permission.
SelimDroid is an open source tool that automatically tests running Android apps for security weaknesses like data leaks, weak session handling, and SSL pinning gaps.
Mainly JavaScript. The stack also includes Python, Frida, ADB.
Use, modify, and distribute freely, including commercially, as long as you keep the copyright notice.
Setup difficulty is rated hard, with roughly 1h+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.