This vulnerable Android application is named “InsecureBankv2”. It is made for security enthusiasts and developers to learn about Android insecurities by testing a deliberately vulnerable application. Its back-end server component is written in Python. The client component, i.e. the Android InsecureBank.apk, can be downloaded along with the source. The vulnerabilities currently included in this release are:
– Flawed Broadcast Receivers
– Intent Sniffing and Injection
– Weak Authorization mechanism
– Local Encryption issues
– Vulnerable Activity Components
– Root Detection and Bypass
– Insecure Content Provider access
– Insecure Webview implementation
– Weak Cryptography implementation
– Application Patching
– Sensitive Information in Memory
– Insecure Logging mechanism
– Android Pasteboard vulnerability
– Application Debuggable
– Android keyboard cache issues
– Android Backup vulnerability
– Runtime Manipulation
– Insecure SDCard storage
– Insecure HTTP connections
– Parameter Manipulation
– Hardcoded secrets
– Username Enumeration issue
– Developer Backdoors
– Weak change password implementation
If you are too impatient to use the application or read the usage guide then follow these steps:
- Download and install the latest apk file
- Make sure that the AndroLab server is running
- Make sure machine-to-machine access is allowed on your network and the firewall is disabled. Open netcat on your machine and then adb into your emulator. Try to connect to the address from adb and see if you can reach the machine. If you cannot, fix the network issue before trying. I cannot help you fix your network issues, sadly, so please, there is no point creating git issues for it
- Use the credentials dinesh/[email protected]$ or jack/[email protected]$ and start using the application
Testing Android application patching and weak authentication.
The following is required to verify this issue:
• Download the latest version of the Android-InsecureBankv2 apk from https://github.com/dineshshetty/Android-InsecureBankv2
• Download Android SDK from http://developer.android.com/sdk/index.html
• Download the latest version of apktool from http://ibotpeaches.github.io/Apktool/ . The installation guide can be found at http://ibotpeaches.github.io/Apktool/install/
• Download the latest version of SignApk from https://github.com/appium/sign
1 – Check the connection to the emulator
Type $adb devices and press Enter
2 – Install application to emulator
Run command: $adb install file.apk
3 – Launch the installed InsecureBankv2 application on the Emulator. The following screenshot shows the default screen available to a normal user after login.
4 – Copy the InsecureBankv2.apk into the “apktool” folder and enter the below command to decompile the application:
$java -jar apktool.jar d InsecureBankv2.apk
We will get the following files:
5 – Navigate to the folder ~/apktool/InsecureBankv2/res/values and open the file strings.xml for editing. Modify the value of “is_admin” from “no” to “yes”.
6 – Navigate back to the base apktool folder and enter the below command to re-compile the application:
$java -jar apktool.jar b InsecureBankv2
7 – Copy the InsecureBankv2.apk file generated above into the “dist” folder of SignApk and enter the below command to sign the apk file generated in the previous step.
$java -jar sign.jar InsecureBankv2.apk
A new signed apk file called InsecureBankv2.s.apk is generated in the same “dist” folder.
8 – Use the below command to install the newly signed Android-InsecureBankv2 application to the emulator.
$adb install InsecureBankv2.s.apk
9 – Launch the newly installed InsecureBankv2 application in the Android Emulator. The following screen shows that the user is provided with an additional “Create User” button that is otherwise available only to the admin user. This button was previously not visible.
10 – Clicking the “Create User” button redirects the user to the user creation module.
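The following is an added example, not part of the original walkthrough or of the InsecureBankv2 project: a reviewer-side check that scans an apktool-decoded res/values/strings.xml for resources that look like security switches, such as the “is_admin” value edited in step 5. The name patterns, the function name find_client_side_flags and every sample resource other than “is_admin” are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Name fragments that suggest a privilege or security decision (assumed list,
# tune it for the code base under review).
SUSPECT_NAME = re.compile(r"(admin|root|debug|priv|role|premium|bypass)", re.I)
# Values that behave like an on/off switch rather than display text.
SWITCH_VALUES = {"yes", "no", "true", "false", "0", "1", "on", "off"}


def find_client_side_flags(strings_xml: str):
    """Return (tag, name, value) for resources that look like security switches.

    Anything returned here can be changed by whoever repackages the APK, so
    the decision it controls has to be enforced by the server instead.
    """
    root = ET.fromstring(strings_xml)
    findings = []
    for elem in root:
        if elem.tag not in ("string", "bool", "integer"):
            continue
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        # Flag only switch-like values so ordinary UI text is not reported.
        if SUSPECT_NAME.search(name) and value.lower() in SWITCH_VALUES:
            findings.append((elem.tag, name, value))
    return findings


# Constructed sample; only the is_admin = "no" entry is taken from the page.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">InsecureBankv2</string>
    <string name="is_admin">no</string>
    <string name="title_activity_login">Login</string>
    <bool name="debug_menu_enabled">false</bool>
    <string name="admin_contact">Please call the branch</string>
    <integer name="max_retries">3</integer>
</resources>
"""

if __name__ == "__main__":
    for tag, name, value in find_client_side_flags(SAMPLE):
        print(f"[review] <{tag} name={name!r}> = {value!r}: "
              "enforce this decision server-side, not from app resources")
```

Run it against the strings.xml produced by the decompile in step 4 as part of a release review; each finding marks a decision that should move to the back-end.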