List of intentionally vulnerable Android apps
This is just a quick blog post to share a list of intentionally vulnerable Android apps that you can use for training. Some are less known that others and I had to dig a little to find them (especially the new ones), so I’m sharing them in case you want to work on your mobile hacking skills.
They are sorted by “last update” date:
| App | Last updated | Type of app | Vulnerabilities (not exhaustive) |
|---|---|---|---|
| SecurityShepherd | Oct 01, 2018 | Web & mobile app | Broken crypto Insecure data storage Poor authentication Untrusted input Reverse engineering Weak server-side controls Client side injection Content provider leakage Unintended Data Leakage |
| owasp-mstg | Sep 13, 2018 | Reverse engineering | |
| Damn Vulnerable Hybrid Mobile App (DVHMA) | Aug 20, 2018 | Hybrid (Cordova) | Insecure logging XSS SQL injection |
| VulnerableAndroidAppOracle | Jul 16, 2018 | Native (Java) | Flawed Broadcast Receivers DoS AdLibraries Android Javascript Activities access Content providers Insecure data storage Data sent over HTTP Intent sniffing XML info disclosure |
| Android InsecureBankv2 | Jul 15, 2018 | Native (Java) | Flawed Broadcast Receivers Intent Sniffing and Injection Weak Authorization mechanism Local Encryption issues Vulnerable Activity Components Root Detection and Bypass Emulator Detection and Bypass Insecure Content Provider access Insecure Webview implementation Weak Cryptography implementation Application Patching Sensitive Information in Memory Insecure Logging mechanism Android Pasteboard vulnerability Application Debuggable Android keyboard cache issues Android Backup vulnerability Runtime Manipulation Insecure SDCard storage Insecure HTTP connections Parameter Manipulation Hardcoded secrets Username Enumeration issue Developer Backdoors Weak change password implementation |
| Purposefully Insecure and Vulnerable Android Application (PIIVA) | Feb 4, 2018 | Native (Java) | Usage of weak Initialization Vector Man-In-The-Middle Attack Remote URL load in WebView Object deserialization SQL injection Missing tapjacking protection Enabled Application Backup Enabled Debug Mode Weak encryptionvHardcoded encryption keys Dynamic load of codevCreation of world readable or writable files Usage of unencrypted HTTP protocol Weak hashing algorithms Predictable Random Number Generator Exported Content Providers with insufficient protection Exported Broadcast Receivers Exported ServicesvJS enabled in a WebView Deprecated setPluginState in WebView Hardcoded data Untrusted CA acceptance Usage of banned API functions Self-signed CA enabled in WebView Path Traversal Cleartext SQLite database Temporary file creation |
| Sieve app | Feb 2, 2016 | SQL injection Directory traversal Insecure Content Provider access Authention bypass Data leakage |
|
| android-test | Jan 22, 2016 | Native (Java) | |
| Damn Insecure and vulnerable App for Android (DIVA Android) | Jan 15, 2016 | Native (Java & C) | Insecure Logging Hardcoding Issues Insecure Data Storage Input Validation Issues Access Control Issues Hardcoding Issues |
| DodoVulnerableBank | Oct 4, 2015 | Native (Java) | |
| Digitalbank | Aug 15, 2015 | Native (Java) | |
| Vulnerable APK Application | May 21, 2014 |
FIY, sieve can be tested with Drozer for automation. They’re from the same authors. And sievePWN provides examples of malicious apps which exploit some of sieve’s vulnerabilities.
Also, I determined each app’s type just by quickly looking at their source code, without testing all of them. If you notice any mistake, please notify me!
Let me know if you have any comments, requests for tutorials, questions, etc.
See you next time!
