Never Ending Security

It starts all here

Android Device Testing Framework (“dtf”)

Android Device Testing Framework

The Android Device Testing Framework (“dtf”) is a data collection and analysis framework to help individuals answer the question: “Where are the vulnerabilities on this mobile device?” Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you’ll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.


To use dtf, you will need at least the following:

  • JRE 1.7
  • Python 2.6 or higher
  • A true Bash shell (no Dash!!!), with general purpose Linux utilities (sed, awk, etc.)
  • sqlite3
  • The Android SDK

Downloading, Configuring, and Installing

First, you’ll want to download the core component of dtf from GitHub:

user@testing$ git clone dtf/

You’ll need to add dtf to your path, as well as the Android SDK tools (so that dtf knows about “adb” and “aapt”). If you want to use the auto completion features of dtf, you have a few choices. You can source the file “” in your “.bashrc”, copy “ to “/etc/bash_completion.d/” (if you are already sourcing this in your “.bashrc”), or just run:

user@testing$ . dtf/

To confirm dtf is working, try the command:

user@testing$ dtf -h

If you see the dtf help screen with no errors, you are good to go!

Getting Modules

Dtf is just a framework. Without installing actual content, it doesn’t do anything! The modules that I use are available below, depending on your needs. For first time users, I recommend grabbing the core module content “” and the “” for the version(s) of Android you plan on testing (you’ll need the aosp-data-x packages for using some modules).


More information can be found at: and at:

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s