List of intentionally vulnerable Android apps

Posted in Articles on October 10, 2018

This is just a quick blog post to share a list of intentionally vulnerable Android apps that you can use for training. Some are less known than others and I had to dig a little to find them (especially the new ones), so I’m sharing them in case you want to work on your mobile hacking skills.

They are sorted by “last update” date:

| App | Last updated | Type of app | Vulnerabilities (not exhaustive) |
|---|---|---|---|
| SecurityShepherd | Oct 01, 2018 | Web & mobile app | Broken crypto; Insecure data storage; Poor authentication; Untrusted input; Reverse engineering; Weak server-side controls; Client side injection; Content provider leakage; Unintended data leakage |
| owasp-mstg | Sep 13, 2018 | | Reverse engineering |
| Damn Vulnerable Hybrid Mobile App (DVHMA) | Aug 20, 2018 | Hybrid (Cordova) | Insecure logging; SQL injection |
| VulnerableAndroidAppOracle | Jul 16, 2018 | Native (Java) | Flawed Broadcast Receivers; Android Javascript; Activities access; Content providers; Insecure data storage; Data sent over HTTP; Intent sniffing; XML info disclosure |
| Android InsecureBankv2 | Jul 15, 2018 | Native (Java) | Flawed Broadcast Receivers; Intent sniffing and injection; Weak authorization mechanism; Local encryption issues; Vulnerable Activity components; Root detection and bypass; Emulator detection and bypass; Insecure Content Provider access; Insecure WebView implementation; Weak cryptography implementation; Application patching; Sensitive information in memory; Insecure logging mechanism; Android pasteboard vulnerability; Application debuggable; Android keyboard cache issues; Android backup vulnerability; Runtime manipulation; Insecure SD card storage; Insecure HTTP connections; Parameter manipulation; Hardcoded secrets; Username enumeration issue; Developer backdoors; Weak change password implementation |
| Purposefully Insecure and Vulnerable Android Application (PIIVA) | Feb 4, 2018 | Native (Java) | Usage of weak Initialization Vector; Man-In-The-Middle attack; Remote URL load in WebView; Object deserialization; SQL injection; Missing tapjacking protection; Enabled application backup; Enabled debug mode; Weak encryption; Hardcoded encryption keys; Dynamic load of code; Creation of world readable or writable files; Usage of unencrypted HTTP protocol; Weak hashing algorithms; Predictable random number generator; Exported Content Providers with insufficient protection; Exported Broadcast Receivers; Exported Services; JS enabled in a WebView; Deprecated setPluginState in WebView; Hardcoded data; Untrusted CA acceptance; Usage of banned API functions; Self-signed CA enabled in WebView; Path traversal; Cleartext SQLite database; Temporary file creation |
| Sieve app | Feb 2, 2016 | | SQL injection; Directory traversal; Insecure Content Provider access; Authentication bypass; Data leakage |
| android-test | Jan 22, 2016 | Native (Java) | |
| Damn Insecure and vulnerable App for Android (DIVA Android) | Jan 15, 2016 | Native (Java & C) | Insecure logging; Hardcoding issues; Insecure data storage; Input validation issues; Access control issues; Hardcoding issues |
| DodoVulnerableBank | Oct 4, 2015 | Native (Java) | |
| Digitalbank | Aug 15, 2015 | Native (Java) | |
| Vulnerable APK Application | May 21, 2014 | | |

FYI, Sieve can be tested with Drozer for automation; they’re from the same authors. And sievePWN provides examples of malicious apps which exploit some of Sieve’s vulnerabilities.

Also, I determined each app’s type just by quickly looking at their source code, without testing all of them. If you notice any mistake, please notify me!

Let me know if you have any comments, requests for tutorials, questions, etc.

See you next time!