An intentionally vulnerable Android application built in Kotlin.

Overview

📱 InsecureShop

  • InsecureShop is an Android application that is designed to be intentionally vulnerable.
  • The aim of creating this app is to teach developers and security professionals about the vulnerabilities that are present in modern Android applications.
  • This also serves as a platform to test your Android pentesting skills.
  • Developed in Kotlin, this application was created primarily for research on Android deeplinks and WebViews. Several more vulnerabilities that were found in real-world Android applications were then added. The vulnerabilities present in this app are real and have been found during mobile pentests.

⚙️ Usage

You can compile the source code in Android Studio or simply download the APK file from here.

📌 Note:

  • A rooted device is not required. All vulnerabilities can be exploited on a non-rooted device.
  • No APIs are used by the app.

🤔 How is InsecureShop different from other Damn Vulnerable Apps?

  • More Realistic: Mimics a shopping application.
  • Built in Kotlin: Just because most apps are now using Kotlin.
  • Contains Real-World Vulnerabilities: Unlike other Damn Vulnerable Apps, which contain hypothetical or unrealistic scenarios, most of the vulnerabilities in this app were recently found in actual pentests. Some of the vulnerable implementations are taken from those highlighted in research published by several security researchers.

❗️ Vulnerabilities:

  1. Hardcoded Credentials: Credentials are hardcoded somewhere in the app and can be used to log in to the application.
  2. Insufficient URL Validation: Possible to load any arbitrary URL in the webview via a deeplink.
  3. Weak Host Validation Check: Possible to bypass the host validation check to load any arbitrary URL in the webview.
  4. Arbitrary Code Execution: Arbitrary code execution via third-party package contexts.
  5. Access to Protected Components: The app takes an embedded Intent and passes it to a method like startActivity. This allows any third-party app to launch any protected component.
  6. Unprotected Data URIs: Untrusted URIs passed to the loadUrl method allow attackers to load an arbitrary URL in the webview.
  7. Theft of Arbitrary Files: Possible to steal files from the app's local storage via ChooserActivity.
  8. Using Components with Known Vulnerabilities: Identify the vulnerable components or libraries used in the app that can allow you to exfiltrate local files to a remote domain.
  9. Insecure Broadcast Receiver: An exported activity registers a broadcast receiver during onCreate. An attacker can trigger this broadcast and provide an arbitrary URL in the 'web_url' parameter.
  10. AWS Cognito Misconfiguration: The misconfigured AWS Cognito instance can be used to access an AWS S3 bucket.
  11. Insecure use of FilePaths in FileProvider: An overly broad file-sharing declaration can be used to access the root directory via the content provider.
  12. Use of Implicit Intent to send a broadcast with sensitive data: The use of an implicit Intent can allow third-party apps to steal credentials.
  13. Intercepting Implicit Intent to load arbitrary URL: The use of an implicit Intent can allow third-party apps to load any arbitrary URL in the webview.
  14. Insecure Implementation of setResult in exported Activity: The insecure implementation used in ResultActivity can be used to access arbitrary content providers.
  15. Insecure Content Provider: The content provider can be accessed by any third-party app to steal user credentials.
  16. Lack of SSL Certificate Validation: The unsafe implementation of onReceivedSslError can be used to eavesdrop on all traffic loaded in the webview.
  17. Insecure Webview Properties Enabled: Insecure WebView properties are enabled that can allow third-party apps to exfiltrate local data to a remote domain.
  18. Insecure Data Storage: The app stores user credentials locally without encrypting them.
  19. Insecure Logging: User credentials are leaked in logcat. Only attackers with physical access to the device can access this information.
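Items 2 and 3 above both come down to how a deeplink URL is validated before it reaches the webview. The following Kotlin is an added illustration, not code from the InsecureShop project: it puts a substring-style host check next to a strict one that parses the URL and compares scheme and host exactly. The allow-listed hosts are assumed for the example, and java.net.URI is used instead of android.net.Uri so it runs on a plain JVM.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Constructed allow-list for this example; the app's real hosts are not given on the page.
private val ALLOWED_HOSTS = setOf("insecureshopapp.com", "www.insecureshopapp.com")

// Weak check: a substring match accepts any URL that merely mentions the host,
// including ones whose parsed host is a completely different domain.
fun isAllowedWeak(url: String): Boolean = url.contains("insecureshopapp.com")

// Strict check: parse first, then require https, forbid userinfo (user@host tricks),
// and compare the parsed host against the allow-list exactly.
fun isAllowedStrict(url: String): Boolean {
    val uri = try { URI(url) } catch (e: URISyntaxException) { return false }
    if (uri.scheme?.lowercase() != "https") return false   // rejects http, file, javascript, intent
    if (uri.rawUserInfo != null) return false                // rejects "https://allowed@other.example/"
    val host = uri.host?.lowercase() ?: return false         // null for opaque or malformed authorities
    return host in ALLOWED_HOSTS
}

fun main() {
    // Constructed inputs: only the first should be loadable into the webview.
    val cases = listOf(
        "https://insecureshopapp.com/cart",
        "https://insecureshopapp.com.other.example/",
        "https://insecureshopapp.com@other.example/",
        "http://insecureshopapp.com/",
        "javascript:void(0)",
        "file:///sdcard/insecureshopapp.com.txt",
    )
    println("weak\tstrict\turl")
    for (c in cases) println("${isAllowedWeak(c)}\t${isAllowedStrict(c)}\t$c")
}
```

The weak check returns true for every input here; the strict check returns true only for the first.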

🕵 Hints:

The provided link doesn't provide you with solutions but can point you in the right direction 😉 :

https://docs.insecureshopapp.com (This is still under development)

🙌 Thanks:

  • Rujul Gandhi: Thank you for your contributions towards this app
  • Sergey Toshin (Oversecured): Thank you for your amazing research on Android security which prompted me to start this project
Comments
  • two fixes for two vulnerabilities

    • The first fix is regarding the FileProvider and the fact that, in order to be able to read the contacts, you actually have to request the permission at some point. I have added that to be done right after the login.
    • The second fix is regarding the ProductDetailBroadCast, which I believe was intended to have the URL as a put extra assigned from the incoming intent.

    opened by erev0s 5
  • AWS Cognito Misconfiguration buckets

    The given identity pool can access two buckets, one of which has full control granted to all users. Was that bucket supposed to contain something? Based on the description here https://docs.insecureshopapp.com/insecureshop-challenges/aws-cognito-misconfiguration I thought that you probably had something different in mind (like giving permission to write the ACL but not read, so the user should first add the read permission for all users before seeing the files). Is that the case?

    (I also thought that someone before could have overwritten this, for example, and deleted any file you had there.) In any case I don't know if the bucket is intentionally empty or not, hence this issue.

    opened by erev0s 4
  • Prisma Cloud IaC Scan - Error occurred during scan

    Cannot find config.yml under .prismaCloud folder in repo InsecureShop. Please make sure the file is present in correct format (sample file - https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-devops-security/use-the-prisma-cloud-app-for-github.html) at the main branch of your repo under .prismaCloud folder.

    opened by prisma-cloud[bot] 0
  • Unprotected Data URIs

    Does the extra mile included there actually work anymore?

    If yes, what is the correct intent that should be used? As far as I checked and searched, it should no longer work.

    This is the result I am getting:


    09-16 22:29:26.838 13798 13798 I chromium: [INFO:CONSOLE(0)] "Navigation is blocked: intent:#Intent;action=ACTION_VIEW;type=text/plain;component=com.insecureshop/com.insecureshop.WebView2Activity;S.url=http://someurl.com;end", source: http://myawesomesite.com/ (0)
    

    From http://myawesomesite.com/ I tried with JavaScript, or with a button:

    <a href="intent://#Intent;action=ACTION_VIEW;type=text/plain;component=com.insecureshop/com.insecureshop.WebView2Activity;S.url=http://someurl.com;end">Trigger</a>
    
    opened by marvyr 2
Owner
Optiv Security
Optiv Security is a security solutions integrator that enables clients to reduce risk by taking a strategic approach to cybersecurity.