List of intentionally vulnerable Android apps

This is just a quick blog post to share a list of intentionally vulnerable Android apps that you can use for training. Some are less known that others and I had to dig a little to find them (especially the new ones), so I’m sharing them in case you want to work on your mobile hacking skills.

They are sorted by “last update” date:

App Last updated Type of app Vulnerabilities (not exhaustive)
SecurityShepherd Oct 01, 2018 Web & mobile app Broken crypto
Insecure data storage
Poor authentication
Untrusted input
Reverse engineering
Weak server-side controls
Client side injection
Content provider leakage
Unintended Data Leakage
owasp-mstg Sep 13, 2018 Reverse engineering
Damn Vulnerable Hybrid Mobile App (DVHMA) Aug 20, 2018 Hybrid (Cordova) Insecure logging
XSS
SQL injection
VulnerableAndroidAppOracle Jul 16, 2018 Native (Java) Flawed Broadcast Receivers
DoS
AdLibraries
Android Javascript
Activities access
Content providers
Insecure data storage
Data sent over HTTP
Intent sniffing
XML info disclosure
Android InsecureBankv2 Jul 15, 2018 Native (Java) Flawed Broadcast Receivers
Intent Sniffing and Injection
Weak Authorization mechanism
Local Encryption issues
Vulnerable Activity Components
Root Detection and Bypass
Emulator Detection and Bypass
Insecure Content Provider access
Insecure Webview implementation
Weak Cryptography implementation
Application Patching
Sensitive Information in Memory
Insecure Logging mechanism
Android Pasteboard vulnerability
Application Debuggable
Android keyboard cache issues
Android Backup vulnerability
Runtime Manipulation
Insecure SDCard storage
Insecure HTTP connections
Parameter Manipulation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Purposefully Insecure and Vulnerable Android Application (PIIVA) Feb 4, 2018 Native (Java) Usage of weak Initialization Vector
Man-In-The-Middle Attack
Remote URL load in WebView
Object deserialization
SQL injection
Missing tapjacking protection
Enabled Application Backup
Enabled Debug Mode
Weak encryptionvHardcoded encryption keys
Dynamic load of codevCreation of world readable or writable files
Usage of unencrypted HTTP protocol
Weak hashing algorithms
Predictable Random Number Generator
Exported Content Providers with insufficient protection
Exported Broadcast Receivers
Exported ServicesvJS enabled in a WebView
Deprecated setPluginState in WebView
Hardcoded data
Untrusted CA acceptance
Usage of banned API functions
Self-signed CA enabled in WebView
Path Traversal
Cleartext SQLite database
Temporary file creation
Sieve app Feb 2, 2016 SQL injection
Directory traversal
Insecure Content Provider access
Authention bypass
Data leakage
android-test Jan 22, 2016 Native (Java)
Damn Insecure and vulnerable App for Android (DIVA Android) Jan 15, 2016 Native (Java & C) Insecure Logging
Hardcoding Issues
Insecure Data Storage
Input Validation Issues
Access Control Issues
Hardcoding Issues
DodoVulnerableBank Oct 4, 2015 Native (Java)
Digitalbank Aug 15, 2015 Native (Java)
Vulnerable APK Application May 21, 2014

FIY, sieve can be tested with Drozer for automation. They’re from the same authors. And sievePWN provides examples of malicious apps which exploit some of sieve’s vulnerabilities.

Also, I determined each app’s type just by quickly looking at their source code, without testing all of them. If you notice any mistake, please notify me!


Let me know if you have any comments, requests for tutorials, questions, etc.

See you next time!


The 5 Hacking NewsLetter 22

Hey hackers! These are our favorite resources pertaining to pentesting and bug hunting for last week.

It covers the period from 28 of September to 05 of October.

T5HN22.png

Our favorite 5 hacking items

1. Resource of the week

Mobile Security Testing Guide (MSTG) v1.0.1 by OWASP

This is an awesome guide on mobile security testing! I’ve been reading through it because I’m preparing a training on Android hacking and it is very good quality information on hacking Android & iOS apps for both beginners and experienced testers.

More …

The 5 Hacking NewsLetter 21

Hey hackers! This is our latest selection of resources for pentesters and bug hunters. It covers the week from 21 to 28 of September.

T5HN21.png

Our favorite 5 hacking items

1. Tips of the week

5 Tips Bug Bounty Programs Want You to Know About by @d0nutptr

Lately on Twitter, there has been a lot of controversy/noise/discontentment around bug bounty platforms, particularly HackerOne. Personally, I believe that the best way to succeed and be happy at work in general is to have a flawless attitude, give constructive criticism, then, if you’re really not happy with your work environment, move on to another one.

With this same spirit, this blog post offers great information that could help you improve your bug hunting experience. It’s a must read.

More …

The 5 Hacking NewsLetter 20

Hey hackers! These are our favorite resources related to pentesting and bug hunting that we came across recently.

This issue covers the week from 14 to 21 of September.

T5HN20.png

Our favorite 5 hacking items

It’s weird how often I face a new challenge and, while preparing this newsletter, come across relevant resources without looking for them specifically! This is the case for all 5 items of this week, so I hope that you find them as informative as they were for me.

1. Tutorial of the week

Discovering GraphQL endpoints and SQLi vulnerabilities by @localh0t

I read more and more bug bounty writeups like this one or this one that mention misconfigured GraphQL endpoints and these bugs seem to pay really well.

GraphQL is an alternative to Web services like REST. This tutorial is a great introduction to understand their differences, how to find hidden GraphQL endpoints and exploit them to detect SQL injection.

More …

The 5 Hacking NewsLetter 19

Hey hackers! These are our latest favorite resources related to pentest & bug bounty.

This issue exceptionally covers two weeks, from 31 of August to 14 of September.

T5HN19.png

Our favorite 5 hacking items

1. Tutorial of the week

A practical guide to testing the security of Amazon Web Services (Part 1: AWS S3)

There is so much to learn to become a successful pentester/bug hunter. I can’t remember which famous bug hunter once said that it used to take him 9 month to learn about a new vulnerability!

That’s why I love this kind of comprehensive guides. It goes from the basics as if you’ve never heard of AWS S3 to advanced concepts on their security and how to test them for misconfigurations.

More …