List of intentionally vulnerable Android apps

This is just a quick blog post to share a list of intentionally vulnerable Android apps that you can use for training. Some are less known than others and I had to dig a little to find them (especially the newer ones), so I’m sharing them in case you want to work on your mobile hacking skills.

They are sorted by “last update” date:

App: SecurityShepherd
Last updated: Oct 01, 2018
Type of app: Web & mobile app
Vulnerabilities (not exhaustive): Broken crypto; Insecure data storage; Poor authentication; Untrusted input; Reverse engineering; Weak server-side controls; Client side injection; Content provider leakage; Unintended data leakage

App: owasp-mstg
Last updated: Sep 13, 2018
Vulnerabilities (not exhaustive): Reverse engineering

App: Damn Vulnerable Hybrid Mobile App (DVHMA)
Last updated: Aug 20, 2018
Type of app: Hybrid (Cordova)
Vulnerabilities (not exhaustive): Insecure logging; XSS; SQL injection

App: VulnerableAndroidAppOracle
Last updated: Jul 16, 2018
Type of app: Native (Java)
Vulnerabilities (not exhaustive): Flawed Broadcast Receivers; DoS; Ad libraries; Android JavaScript; Activities access; Content providers; Insecure data storage; Data sent over HTTP; Intent sniffing; XML info disclosure

App: Android InsecureBankv2
Last updated: Jul 15, 2018
Type of app: Native (Java)
Vulnerabilities (not exhaustive): Flawed Broadcast Receivers; Intent sniffing and injection; Weak authorization mechanism; Local encryption issues; Vulnerable Activity components; Root detection and bypass; Emulator detection and bypass; Insecure Content Provider access; Insecure WebView implementation; Weak cryptography implementation; Application patching; Sensitive information in memory; Insecure logging mechanism; Android pasteboard vulnerability; Application debuggable; Android keyboard cache issues; Android backup vulnerability; Runtime manipulation; Insecure SD card storage; Insecure HTTP connections; Parameter manipulation; Hardcoded secrets; Username enumeration issue; Developer backdoors; Weak change-password implementation

App: Purposefully Insecure and Vulnerable Android Application (PIIVA)
Last updated: Feb 4, 2018
Type of app: Native (Java)
Vulnerabilities (not exhaustive): Usage of weak Initialization Vector; Man-in-the-middle attack; Remote URL load in WebView; Object deserialization; SQL injection; Missing tapjacking protection; Enabled application backup; Enabled debug mode; Weak encryption; Hardcoded encryption keys; Dynamic load of code; Creation of world-readable or world-writable files; Usage of unencrypted HTTP protocol; Weak hashing algorithms; Predictable random number generator; Exported Content Providers with insufficient protection; Exported Broadcast Receivers; Exported Services; JS enabled in a WebView; Deprecated setPluginState in WebView; Hardcoded data; Untrusted CA acceptance; Usage of banned API functions; Self-signed CA enabled in WebView; Path traversal; Cleartext SQLite database; Temporary file creation

App: Sieve app
Last updated: Feb 2, 2016
Vulnerabilities (not exhaustive): SQL injection; Directory traversal; Insecure Content Provider access; Authentication bypass; Data leakage

App: android-test
Last updated: Jan 22, 2016
Type of app: Native (Java)

App: Damn Insecure and vulnerable App for Android (DIVA Android)
Last updated: Jan 15, 2016
Type of app: Native (Java & C)
Vulnerabilities (not exhaustive): Insecure logging; Hardcoding issues; Insecure data storage; Input validation issues; Access control issues

App: DodoVulnerableBank
Last updated: Oct 4, 2015
Type of app: Native (Java)

App: Digitalbank
Last updated: Aug 15, 2015
Type of app: Native (Java)

App: Vulnerable APK Application
Last updated: May 21, 2014

FYI, Sieve can be tested with Drozer for automation; they’re from the same authors. And sievePWN provides examples of malicious apps that exploit some of Sieve’s vulnerabilities.

Also, I determined each app’s type just by quickly looking at its source code, without testing all of them. If you notice any mistake, please let me know!


Let me know if you have any comments, requests for tutorials, questions, etc.

See you next time!
