Home

Awesome

DIVA Android


What is DIVA?

DIVA (Damn insecure and vulnerable App) is an App intentionally designed to be insecure. We are releasing the Android version of Diva. We thought it would be a nice way to start the year by contributing something to the security community. The aim of the App is to teach developers/QA/security professionals, flaws that are generally present in the Apps due poor or insecure coding practices. If you are reading this, you want to either learn App pentesting or secure coding and I sincerely hope that DIVA solves your purpose. So, sit back and enjoy the ride.

Why name it Diva?

No offense to anyone, but I was bored with the name DV* and decided to name it more fancy :)

Who can use Diva?

The idea originated, from a developer’s perspective. The Android security training for developers becomes slightly boring with lot of theory and not much hands-on. SO, I created DIVA for our Android developer training. Diva gamifies secure development learning. With that said, it is an excellent learning tool for aspiring Android penetration testers and security professionals as it gives an insight into app vulnerabilities including the source code. To sum it up:

What is included in Diva?

I tried to put as much vulnerabilities as possible in a short period of time. I am sure I have missed out on some vulnerabilities. Please ping me if you know of a good vulnerability tat can be included in Diva. It covers common vulnerabilities in Android apps ranging from insecure storage, input validation to access control issues. I have also included few vulnerabilities in native code, which makes it more interesting from the perspective of covering both Java and C vulnerabilities.

Current Challenges include:

  1. Insecure Logging
  2. Hardcoding Issues – Part 1
  3. Insecure Data Storage – Part 1
  4. Insecure Data Storage – Part 2
  5. Insecure Data Storage – Part 3
  6. Insecure Data Storage – Part 4
  7. Input Validation Issues – Part 1
  8. Input Validation Issues – Part 2
  9. Access Control Issues – Part 1
  10. Access Control Issues – Part 2
  11. Access Control Issues – Part 3
  12. Hardcoding Issues – Part 2
  13. Input Validation Issues – Part 3

Can I contribute?

Yes, you can help by sending us the details of vulnerabilities that we can implement in future versions of Diva. Please send an email to info [at] payatu.com with subject “DIVA Contribution”.

Where can I get Diva?

How to compile Diva?

How to run Diva?

Feedback and Bug reports?

We would love to hear from you about your experience with Diva. Please send us an email on info (at) payatu dot com with Subject “DIVA Feedback” or “DIVA BUG” based on what you want to share. Please include the below in your email

  1. Android version (and API version if possible)
  2. Phone make and model (or Emulator Android/API version if using an emulator)
  3. Feedback/Bug details and steps to reproduce.

Author

Aseem Jakhar

About Payatu

Payatu is a boutique security testing company with specialization in:

We also organize two International Security Conferences

Website: http://payatu.com Email: info (at) payatu dot com