⚠️ Important - Change in Repository
Please note, any further releases and development of InsecureShop will now take place at https://github.com/hax0rgb/InsecureShop
You can update your local copy to track the new repo:
git remote set-url origin https://github.com/hax0rgb/InsecureShop.git
📱 InsecureShop
- InsecureShop is an Android application that is designed to be intentionally vulnerable.
- The aim of creating this app is to teach developers and security professionals about the vulnerabilities that are present in modern Android applications.
- This also serves as a platform to test your Android pentesting skills.
- Developed in Kotlin, this application was created primarily for research on Android deeplinks and WebViews. However, several more vulnerabilities that were found in real-world Android applications were added to this app. The vulnerabilities present in this app are real and have been found during mobile pentests.
⚙️ Usage
You can compile the source code in Android Studio or simply download the APK file from here
📌 Note:
- A rooted device is not required. All vulnerabilities can be exploited on a non-rooted device.
- The app does not use any APIs.
🤔 How is InsecureShop different from other Damn Vulnerable Apps?
- More Realistic: Mimics a shopping application.
- Built in Kotlin: Just because most apps are now using Kotlin.
- Contains Real-World Vulnerabilities: Unlike other Damn Vulnerable Apps, which contain hypothetical or unrealistic scenarios, most of the vulnerabilities in this app were recently found in actual pentests. Some of the vulnerable implementations are also taken from research published by several security researchers.
❗️Vulnerabilities:
- Hardcoded Credentials: Credentials are hardcoded somewhere in the app and can be used to log in to the application.
- Insufficient URL Validation: Possible to load any arbitrary URL in the WebView via a deeplink.
- Weak Host Validation Check: Possible to bypass the host validation check to load any arbitrary URL in the WebView.
- Arbitrary Code Execution: Arbitrary code execution via third-party package contexts.
- Access to Protected Components: The app takes an embedded Intent and passes it to a method such as startActivity. This allows any third-party app to launch any protected component.
- Unprotected Data URIs: Untrusted URIs passed via the loadUrl method allow attackers to pass an arbitrary URL to the WebView.
- Theft of Arbitrary Files: Possible to steal files from the app's local storage via ChooserActivity.
- Using Components with Known Vulnerabilities: Identify the vulnerable components or libraries used in the app that can allow you to exfiltrate local files to a remote domain.
- Insecure Broadcast Receiver: An exported activity registers a broadcast receiver during onCreate method execution. An attacker can trigger this broadcast and provide an arbitrary URL in the 'web_url' parameter.
- AWS Cognito Misconfiguration: The misconfigured AWS Cognito instance can be used to access an AWS S3 bucket.
- Insecure use of FilePaths in FileProvider: The use of a wide file sharing declaration can be used to access the root directory via the content provider.
- Use of Implicit intent to send a broadcast with sensitive data: The use of an implicit intent can allow third-party apps to steal credentials.
- Intercepting Implicit intent to load arbitrary URL: The use of an implicit intent can allow third-party apps to load any arbitrary URL in the WebView.
- Insecure Implementation of SetResult in exported Activity: The insecure implementation used in ResultActivity can be used to access arbitrary content providers.
- Insecure Content Provider: The content provider can be accessed by any third-party app to steal user credentials.
- Lack of SSL Certificate Validation: The unsafe implementation of onReceivedSslError can be used to eavesdrop on all the traffic loaded in the WebView.
- Insecure Webview Properties Enabled: Insecure WebView properties are enabled that can allow third-party apps to exfiltrate local data to a remote domain.
- Insecure Data Storage: The app stores user credentials locally without encrypting them.
- Insecure Logging: User credentials are leaked in logcat. Only attackers with physical access to the device can access this information.
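For the "Insufficient URL Validation" and "Weak Host Validation Check" items above, the following is an added example and not code from InsecureShop. It contrasts a common weak pattern (a suffix match on the raw string, assumed here for illustration) with a strict check that parses the URL first. The host `shop.example.com`, the function names and the sample inputs are all constructed.

```kotlin
import java.net.URI

// Hypothetical allow-list: replace with the hosts your app really serves.
val ALLOWED_HOSTS = setOf("shop.example.com")

// Weak pattern (assumed for illustration, not taken from the app's source):
// the trusted host is matched against the raw string, so it can appear in
// the query, the fragment, or as the tail of a different host name.
fun weakCheck(url: String): Boolean = url.endsWith("shop.example.com")

// Strict check: parse, then compare scheme and host exactly.
fun strictCheck(url: String): Boolean {
    val uri = try { URI(url) } catch (e: Exception) { return false }
    // Only https: rejects http:, file:, javascript:, content: and so on.
    if (uri.scheme?.lowercase() != "https") return false
    // Reject user-info ("trusted@other-host"), which confuses reviewers and parsers.
    if (uri.userInfo != null) return false
    // Exact host match: no contains(), startsWith() or endsWith().
    val host = uri.host?.lowercase() ?: return false
    return host in ALLOWED_HOSTS
}

fun main() {
    // Constructed sample inputs.
    val samples = listOf(
        "https://shop.example.com/cart",
        "https://other.example/?next=shop.example.com",
        "https://notshop.example.com",
        "http://shop.example.com",
        "https://shop.example.com@other.example/",
        "file:///sdcard/page.html#shop.example.com",
    )
    for (s in samples) {
        println("weak=${weakCheck(s)} strict=${strictCheck(s)}  $s")
    }
}
```

In an Android app, run the same scheme and host checks on the exact URL that is about to be handed to `loadUrl`, and do so for every entry point (deeplink, Intent extra, broadcast) that can supply it.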
🕵 Hints:
The provided link doesn't provide you with solutions but can point you in the right direction 😉:
https://docs.insecureshopapp.com (This is still under development)
🙌 Thanks:
- Rujul Gandhi: Thank you for your contributions towards this app
- Sergey Toshin (Oversecured): Thank you for your amazing research on Android security which prompted me to start this project