VulnDroid is a Vulnerable Android App designed in a CTF challenge style, it focuses on learning the exploitation of Android vulnerabilities pertaining to Local Storage, i.e. In-The-App malpractices by the developers. This playground has a total of Eight levels- with more to come. The attacker will have knowledge of the victim and will send a crafted payload, to read the flag and enter it within the app, on entering the correct flag, the user is greeted with a Congratulations page. The attacker only completes the challenge on successful validation of the flag.
- Hardocding Details
- Insecure Logging
- Insecure Database
- Sensitive info in Android VCS
- Insecure Shared Preferences
- Sensitive info within function calls
- Insecure External Storage
- Insecure Internal Storage
This also teaches the practice of secure coding. The developer can observe the source code and understand that the flag value is stored in an encrypted format and only the hash of the user input flag is stored. The validation is also carried out only by comparing the hash values. This makes the Source code quite difficult to reverse from the bundled APK even in absence of any obfuscation tool like ProGuard
- Open the Project in Android Studio
- Generate the VulnDroid APK by selecting
Build
->Generate Signed Bundle/ APK...
in Android Studio - Select The APK option in the wizard.
- Enter the Keystore path, Incase you don't have a keystore- create one using the on-screen options
- Select the debug option in the next screen
- Obtain the VulnDroid APK from the relative path
app/release/app-debug.apk
- Create an Android Emulator Note: The emulator used during the testing of VulnDroid had this Configuration
- Install the VulnDroid APK obtained from the above step into the Android Emulator and run the following command
adb install app-debug.apk
- The app starts up
- The Main Activity screens shows up next
- On this screen you can start with any level that you wish and try hunting the vulnerabilities with a hint in the title of that activity.
- On finding the flag, enter it within the text box of the same activity and on successful finding, you would be greeted with a congratulations page.😊
This App is only pertaining to the challenges and the exploitabiliy of the localstorage options. In the upcoming series of app releases, other dynamic analysis challenges would also be released.
In case of any Bugs create an issue and to add any functionality to this app send a Pull Request.
- Create more levels on for this App
- Minor changes for the UX of the app
- Create another app for android testing on Web hooking, Dynamic testing, etc.