An intentionally insecure Android app for practicing mobile VAPT. Demonstrates common Android vulnerabilities like insecure SharedPreferences, exported components, WebView JS bridges, client-side auth bypass, hardcoded secrets, and SSL pinning bypass using Frida.
N1shanth/vulnerable-android-app
vulnerable-android-app

Note: Run in a secure environment; rooted devices are preferred. Use this only for educational purposes. If any issues arise because of this APK, I will not be responsible for your loss.

Happy Hacking:))))


Summary of Vulnerabilities in This Application

Here are all the security flaws intentionally implemented so far, categorized by type:

1. Insecure Data Storage (#1)
   - Location: LoginActivity.kt
   - Description: The application saves the user's entered username and password directly into SharedPreferences without any encryption. On a rooted device, any app or user with root access can read the stored user_prefs.xml file and recover the credentials in plain text.
2. Insecure Logging (#2)
   - Locations: MainActivity.kt and LoginActivity.kt
   - Description:
     - MainActivity logs a hardcoded API key to Logcat on startup.
     - LoginActivity logs the user's username and password to Logcat after the "Login" button is clicked.
   - Risk: Any app holding the READ_LOGS permission (or a developer running adb logcat) can view these credentials and keys.
3. Insecure Inter-Process Communication (IPC) (#3)
   - Locations: AndroidManifest.xml, LoginActivity.kt, SecretReceiver.kt
   - Description:
     - Exported Activity (LoginActivity): the activity is marked android:exported="true". A malicious app can launch the login screen directly and out of context, which can enable UI redressing or intent-spoofing attacks.
     - Exported Broadcast Receiver (SecretReceiver): the receiver is exported and listens for a specific action (com.example.securityapplication.LEAK_SECRET). Any app on the device can send a broadcast with this action, causing the app to log potentially sensitive data passed in the intent.
4. Insecure WebView Usage (#4)
   - Location: VulnerableWebViewActivity.kt
   - Description: The WebView enables JavaScript and exposes a native Kotlin function to the loaded page via addJavascriptInterface. A malicious script running on that page can call the exposed stealSecret() function, bridging the web content to native app code and potentially leading to data exfiltration or unauthorized actions.
5. Bypassing SSL Pinning (#5)
   - Location: SslPinningActivity.kt
   - Description: The app correctly implements SSL pinning for github.com using OkHttp's CertificatePinner. The vulnerability is not in the code itself but in the fact that this client-side control can be bypassed: an attacker can use runtime instrumentation tools such as Frida to hook the application at runtime and disable the pinning logic, allowing them to intercept the app's encrypted network traffic.
6. Hardcoded Secrets (#6)
   - Location: MainActivity.kt
   - Description: A sensitive API_KEY is stored as a plain string directly in the source code. An attacker can decompile the APK to retrieve this key, gaining access to whatever service the key protects.
7. Insecure Local Authentication (#7)
   - Location: LocalAuthActivity.kt
   - Description: The screen uses a hardcoded PIN (1337) for authentication, and the validation logic in checkPin() runs entirely on the client side. An attacker can decompile the app to find the correct PIN or use Frida to hook checkPin() so that it always returns true, completely bypassing the lock screen.
8. Insecure Root Detection (#8)
   - Location: RootDetector.kt
   - Description: The app uses common but unreliable methods to check for a rooted device (looking for the su binary, inspecting build tags). These checks are trivial to bypass with tools like Magisk Hide or Frida scripts that hook the detection functions and force them to return false.
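Findings #1 and #2 are easiest to understand side by side with a fixed version. The block below is an added example written for this page, not code from the N1shanth/vulnerable-android-app project: the insecure credential-storage and logging pattern next to a hardened form that never persists the password and keeps a session value in EncryptedSharedPreferences (androidx.security:security-crypto). The function names, preference file names and the TAG constant are assumptions for illustration.

```kotlin
// Added example, not the project's own code. Names below are assumptions.
import android.content.Context
import android.util.Log
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

private const val TAG = "CredentialStore"

// VULNERABLE (findings #1 and #2): plaintext SharedPreferences land in
// /data/data/<package>/shared_prefs/user_prefs.xml, readable by anything with
// root, and the same secrets are echoed to Logcat.
fun saveCredentialsInsecure(context: Context, username: String, password: String) {
    val prefs = context.getSharedPreferences("user_prefs", Context.MODE_PRIVATE)
    prefs.edit()
        .putString("username", username)
        .putString("password", password)
        .apply()
    Log.d(TAG, "Saved credentials: $username / $password")
}

// HARDENED: the password is never written to disk. Only a server-issued,
// revocable session token is stored, and it is wrapped by a key that lives in
// the Android Keystore, so a copy of the XML file alone is useless.
private fun sessionPrefs(context: Context) =
    EncryptedSharedPreferences.create(
        context,
        "session_prefs",                              // assumed file name
        MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

fun saveSessionHardened(context: Context, username: String, sessionToken: String) {
    sessionPrefs(context).edit()
        .putString("username", username)
        .putString("session_token", sessionToken)
        .apply()
    // Log an event, never the secret material itself.
    Log.d(TAG, "Session stored for user (token length=${sessionToken.length})")
}

fun readSessionToken(context: Context): String? =
    sessionPrefs(context).getString("session_token", null)

fun clearSession(context: Context) {
    sessionPrefs(context).edit().clear().apply()
}
```

On a rooted test device the difference is visible directly: user_prefs.xml from the insecure path contains the password as a readable string, while session_prefs.xml from the hardened path contains only ciphertext and a keystore-wrapped key. Note that recent releases of the security-crypto library mark EncryptedSharedPreferences as deprecated; the same property (key material in the Keystore, ciphertext on disk) can be achieved with the Keystore API directly.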
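For finding #3, the exported SecretReceiver, the following is an added example (not the project's own receiver) showing the insecure shape next to a receiver that is never declared in the manifest, is registered at runtime as not exported, and does not log what it receives. The class names, the onSecret callback and the "secret" extra key are assumptions; the action string is the one the page names. ContextCompat.registerReceiver requires androidx.core 1.9.0 or newer.

```kotlin
// Added example, not the project's own code. Names below are assumptions.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.util.Log
import androidx.core.content.ContextCompat

const val ACTION_LEAK_SECRET = "com.example.securityapplication.LEAK_SECRET"
private const val TAG = "SecretReceiver"

// VULNERABLE (finding #3): declared in AndroidManifest.xml with
// android:exported="true", so any app can target it, and it writes whatever
// extra arrives straight to Logcat.
class SecretReceiverInsecure : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        Log.d(TAG, "Got secret: ${intent.getStringExtra("secret")}")
    }
}

// HARDENED: no manifest entry at all. The receiver is registered dynamically
// with RECEIVER_NOT_EXPORTED, so only broadcasts from this app reach it, and
// the payload is handed to a callback instead of being logged.
class SecretReceiverHardened(private val onSecret: (String) -> Unit) : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        if (intent.action != ACTION_LEAK_SECRET) return
        val secret = intent.getStringExtra("secret") ?: return
        Log.d(TAG, "In-app broadcast received (payload length=${secret.length})")
        onSecret(secret)
    }
}

fun registerHardened(context: Context, receiver: SecretReceiverHardened) {
    ContextCompat.registerReceiver(
        context,
        receiver,
        IntentFilter(ACTION_LEAK_SECRET),
        ContextCompat.RECEIVER_NOT_EXPORTED
    )
}

// Sending side: setPackage() makes the broadcast explicit, so receivers in
// other packages can neither intercept nor spoof it.
fun sendSecretInApp(context: Context, secret: String) {
    val intent = Intent(ACTION_LEAK_SECRET)
        .setPackage(context.packageName)
        .putExtra("secret", secret)
    context.sendBroadcast(intent)
}
```

A quick check after the change: the component no longer appears in the exported-component list of the manifest, and a broadcast sent from adb with the LEAK_SECRET action produces no "Got secret" line in logcat. If a component genuinely must be exported, the manifest alternative is to guard it with a signature-level android:permission so only apps signed with the same key can reach it.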
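Finding #4 is about the addJavascriptInterface bridge. As an added example (not the project's VulnerableWebViewActivity), here is the vulnerable setup beside a hardened configuration that removes the bridge, disables file and content access, and pins navigation to one HTTPS host through a WebViewClient. The object name "Android", the stealSecret() method body and the allowedHost parameter are assumptions.

```kotlin
// Added example, not the project's own code. Names below are assumptions.
import android.annotation.SuppressLint
import android.net.Uri
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// VULNERABLE (finding #4): every page the WebView ever loads, including one
// reached by a redirect or an injected script, can call window.Android.stealSecret().
@SuppressLint("SetJavaScriptEnabled", "JavascriptInterface")
fun configureWebViewInsecure(webView: WebView, secret: String, url: String) {
    webView.settings.javaScriptEnabled = true
    webView.addJavascriptInterface(object {
        @JavascriptInterface
        fun stealSecret(): String = secret
    }, "Android")
    webView.loadUrl(url)
}

// Single decision point for "may this WebView navigate here?": HTTPS only,
// and only the one host the screen is meant to show.
fun isTrustedOrigin(uri: Uri, allowedHost: String): Boolean =
    uri.scheme == "https" && uri.host.equals(allowedHost, ignoreCase = true)

class TrustedOriginClient(private val allowedHost: String) : WebViewClient() {
    // Returning true cancels the navigation; anything off-origin is dropped.
    override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
        !isTrustedOrigin(request.url, allowedHost)
}

// HARDENED: no native bridge at all, no local file or content: access, and a
// client that refuses to leave the allowed origin.
@SuppressLint("SetJavaScriptEnabled")
fun configureWebViewHardened(webView: WebView, allowedHost: String) {
    with(webView.settings) {
        javaScriptEnabled = true        // keep JS only if the page needs it
        allowFileAccess = false
        allowContentAccess = false
    }
    webView.removeJavascriptInterface("Android")
    webView.webViewClient = TrustedOriginClient(allowedHost)
    webView.loadUrl("https://$allowedHost/")
}
```

If a bridge is truly required, the exposed object should carry no secrets and should treat every argument as attacker-controlled input, and the origin check above should also gate each bridge call (for example by comparing webView.url against the allowlist before acting). isTrustedOrigin() is kept as a plain function so it can be unit-tested against URIs such as https://github.com/, http://github.com/ and https://evil.example/ without instantiating a WebView.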

Insecure Android App (Vulnerable-Android-App)

⚠️ Warning: This application is intentionally insecure and designed for educational purposes only. Do not use any of this code in a real production application.

This project is a sample Android application built with Jetpack Compose that contains a wide range of common security vulnerabilities. It is designed to be a learning tool for security researchers, penetration testers, and Android developers who want to learn how to identify, exploit, and mitigate common Android security flaws.

Purpose

The goal of this project is to provide a safe and legal environment to practice Android penetration testing skills. By analyzing the source code and running the app in a controlled environment, users can gain hands-on experience with vulnerabilities like:

- Insecure Data Storage
- Hardcoded Secrets
- Logcat Data Leakage
- Insecure Inter-Process Communication (IPC)
- WebView JavaScript Interface Injection
- Client-Side Authentication Bypass
- Bypassable Root Detection
- And more...

Technical Specifications

- Package Name: com.example.securityapplication
- Language: Kotlin with Jetpack Compose
- Minimum Android Version: Android 8.0 (API Level 26)
- Target Android Version: Android 12L (API Level 32)

Recommended Testing Environment

For the best learning experience, it is highly recommended to run this application on a rooted Android device or an emulator with root access. A rooted environment is essential for performing many of the tests, including:

- Accessing the app's private data directory (/data/data/com.example.securityapplication) to find insecurely stored files.
- Using dynamic instrumentation tools like Frida to bypass client-side controls (e.g., SSL pinning, root detection, local authentication).
- Using tools like adb, Jadx, and Frida to interact with exported app components.

How to Get Started

1. Clone the repository:

```sh
git clone https://github.com/N1shanth/vulnerable-android-app
```

2. Open the project in the latest version of Android Studio.
3. Build the project and run it on a rooted emulator or physical device.
4. Use tools like adb, Frida, and a decompiler (like Jadx) to find and exploit the vulnerabilities.
