DIVA Android - Damn Insecure and vulnerable App for Android.
What is DIVA?
DIVA (Damn Insecure and Vulnerable App) is an app intentionally designed to be insecure. We are releasing the Android version of DIVA. We thought it would be a nice way to start the year by contributing something to the security community. The aim of the app is to teach developers, QA and security professionals the flaws that are generally present in apps due to poor or insecure coding practices. If you are reading this, you want to learn either app pentesting or secure coding, and I sincerely hope that DIVA serves your purpose. So, sit back and enjoy the ride.
Why name it Diva?
No offense to anyone, but I was bored with the name DV* and decided to give it a fancier name :)
Who can use Diva?
The idea originated from a developer's perspective. Android security training for developers gets slightly boring with a lot of theory and not much hands-on work, so I created DIVA for our Android developer training. DIVA gamifies secure development learning. With that said, it is also an excellent learning tool for aspiring Android penetration testers and security professionals, as it gives insight into app vulnerabilities together with the source code that causes them. To sum it up:
- Android App developers
- Android Penetration testers
- Security professionals
- Students
What is included in Diva?
I tried to put in as many vulnerabilities as possible in a short period of time. I am sure I have missed some. Please ping me if you know of a good vulnerability that can be included in DIVA. It covers common vulnerabilities in Android apps, ranging from insecure storage and input validation to access control issues. I have also included a few vulnerabilities in native code, which makes it more interesting from the perspective of covering both Java and C vulnerabilities.
Current Challenges include:
- Insecure Logging
- Hardcoding Issues – Part 1
- Insecure Data Storage – Part 1
- Insecure Data Storage – Part 2
- Insecure Data Storage – Part 3
- Insecure Data Storage – Part 4
- Input Validation Issues – Part 1
- Input Validation Issues – Part 2
- Access Control Issues – Part 1
- Access Control Issues – Part 2
- Access Control Issues – Part 3
- Hardcoding Issues – Part 2
- Input Validation Issues – Part 3
How to compile Diva?
- Download the source
- Open the project in Android Studio
- For the native library, open a command line:
- $ cd /app/src/main/jni
- $ make (this needs to be done only once, unless you change the native code, in which case run "make clean && make")
- This compiles the native library and copies all the compiled versions into the jniLibs directory, which is required when building the app
- From the menu bar: Build->Make Project or Run->Run App
How to install Diva?
- Compile or download the app
- In your phone's Settings, go to Security and check the Unknown Sources checkbox. This allows you to install apps from outside the Play Store. You don't need to do this if you are installing the app on an emulator.
- Connect your phone to the computer (make sure USB debugging is enabled on your phone), or run the emulator.
- cd
- adb install
- Start playing.