This is a brief blog post listing Android apps that are intentionally insecure and can be used to practise our penetration testing skills. I put the list together for anyone who wants to practise mobile pen testing, because some of these apps are less well known than others and I had to look a little harder to find them.
If you are new to Android pen testing, you may also need to set up an Android pen testing lab first; for that, follow this link: Setting up Android Pentesting Lab.
1. Damn Vulnerable Bank
Damn Vulnerable Bank is designed to be an intentionally vulnerable Android application. It provides an interface for assessing the security knowledge you have gained over time. The application has multiple vulnerabilities and protections to work through, such as root and emulator detection, anti-debugging checks (to prevent hooking with Frida, jdb, etc.), hardcoded sensitive information, Logcat leakage, insecure storage (cleartext credit card numbers), exported activities, deep links and many more.
Download Link: https://github.com/rewanthtammana/Damn-Vulnerable-Bank
Solution: https://rewanthtammana.com/damn-vulnerable-bank/
2. Insecure Bank v2
This vulnerable Android app, InsecureBankv2, is created for security experts and developers to test and learn about different Android security vulnerabilities. It lets us gain hands-on expertise by practising against the different flaws in the application.
The application currently has the following vulnerabilities:
- Flawed Broadcast Receivers
- Intent Sniffing and Injection
- Weak Authorization mechanism
- Local Encryption issues
- Vulnerable Activity Components
- Root Detection and Bypass
- Emulator Detection and Bypass
- Insecure Content Provider access
- Insecure Webview implementation
- Weak Cryptography implementation
- Application Patching
- Sensitive Information in Memory
- Insecure Logging mechanism
- Android Pasteboard vulnerability
- Application Debuggable
- Android keyboard cache issues
- Android Backup vulnerability
- Runtime Manipulation
- Insecure SDCard storage
- Insecure HTTP connections
- Parameter Manipulation
- Hardcoded secrets
- Username Enumeration issue
- Developer Backdoor
- Weak change password implementation
Download Link: https://github.com/dineshshetty/Android-InsecureBankv2
3. DIVA (Damn Insecure and Vulnerable App)
The DIVA app is purposefully made to be vulnerable. The app’s goal is to educate developers, quality assurance testers and security professionals about vulnerabilities that are commonly present in apps because of bad or unsafe coding practices. I genuinely hope DIVA serves your needs if you are reading this and wish to learn app pen testing or secure coding.
The vulnerabilities present in DIVA are:
- Insecure Logging
- Hardcoding Issues – Part 1
- Insecure Data Storage – Part 1
- Insecure Data Storage – Part 2
- Insecure Data Storage – Part 3
- Insecure Data Storage – Part 4
- Input Validation Issues – Part 1
- Input Validation Issues – Part 2
- Access Control Issues – Part 1
- Access Control Issues – Part 2
- Access Control Issues – Part 3
- Hardcoding Issues – Part 2
- Input Validation Issues – Part 3
Download Link: https://github.com/payatu/diva-android
4. OWASP MASTG Hacking Playground
The MASTG Hacking Playground is a collection of educational iOS and Android mobile apps that are purposefully designed to be insecure, giving developers, security researchers and penetration testers practical material to work with. Combined with the knowledge supplied in the MASTG, it helps penetration testers and security researchers recognise risky techniques, dangerous methods and classes they should check for while evaluating a mobile app.
Download Link: https://github.com/OWASP/MASTG-Hacking-Playground/tree/master/Android
5. BeetleBug
Beetlebug is a Capture the Flag game for beginners in Android security. Developers, mobile penetration testers and bug hunters are its target audience, and it offers them multiple security challenges.
Its features include flagging challenges as completed and tracking the user’s progress, among many others. Some of the vulnerabilities included in Beetlebug are:
- Hardcoded Secrets
- Insecure Data Storage
- Sensitive Information Disclosure
- Vulnerable Android IPC Components (Broadcast Receivers, Services & Content Providers)
- Vulnerable Webviews
- Fingerprint Authentication Bypass
- Insecure Deeplinks
- Firebase Database Misconfiguration
- SQLite Injection
- Input Validation (XSS)
Download Link: https://github.com/hafiz-ng/Beetlebug
6. Damn Vulnerable Hybrid Mobile App (DVHMA)
DVHMA is a hybrid mobile app (for Android) that intentionally contains security vulnerabilities. Its goal is to give security professionals a lawful target on which to test their tools and methods, and to give developers a better understanding of the typical mistakes to avoid while creating secure hybrid mobile apps.
Download Link: https://github.com/logicalhacking/DVHMA
7. OWASP Security Shepherd
Security Shepherd is a platform for training in web and mobile application security. Its goal is to promote and enhance security awareness across a diverse range of skill levels: the project takes engineers with little or no experience in application security and helps them develop their penetration testing expertise.
Download Link: https://github.com/OWASP/SecurityShepherd/releases
8. Purposefully Insecure and Vulnerable Android Application (PIVAA)
PIVAA is another mobile application security testing platform for practising our security skills. The application contains vulnerabilities from multiple categories, such as:
- Weak encryption
- Man-in-the-middle attack
- Object deserialization
- Hardcoded keys
- SQL Injection
- Predictable random number generator
- Exported broadcast receiver
- Unencrypted SQLite database
- Path Traversal
9. Digitalbank
Another potentially vulnerable app for practising the discovery of security vulnerabilities.
Download Link: https://github.com/CyberScions/Digitalbank
10. Sieve App
An Android application, distributed with drozer, that is exploitable through its Android components. The application contains the following vulnerabilities:
- SQL Injection
- Data leakage
- Directory Traversal
- Insecure Content Provider access
Download Link: https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk
11. Andro Goat
AndroGoat is an open-source, purposely vulnerable/insecure app written in Kotlin for security testers, professionals and enthusiasts.
Download Link: https://github.com/satishpatnayak/AndroGoat
Solution: https://medium.com/androgoat
12. Insecure Shop
An intentionally vulnerable Android application built in Kotlin.
Download Link: https://github.com/optiv/InsecureShop
Solution: https://docs.insecureshopapp.com/
13. Injured Android
The app contains a range of security flaws of the kinds commonly found during bug bounty hunting.
Download Link: https://github.com/B3nac/InjuredAndroid
Solution: https://www.youtube.com/watch?v=PMKnPaGWxtg
14. Oversecured Vulnerable Android App (OVAA)
Oversecured Vulnerable Android App collects the platform’s well-known and widespread security flaws in one place. Vulnerabilities such as deep link exploits, exported activities, insecure broadcasts, memory corruption, hardcoded credentials, etc. are covered.
Download Link: https://github.com/oversecured/ovaa
Solution: https://blog.oversecured.com/