Android AppSec
We (@hpAndro and @_RaviRamesh) spend a lot of time attacking android app hacking, breaking encryption, finding business logic flaws, penetration testing, and looking for sensitive data stored insecurely.
We do it for the right reasons - to help developers make their apps more secure. The best way to verify that your app follows secure mobile development best practices is to perform security assessments of the app, which can include automated mobile app security testing, fuzzing, manual penetration testing, and more. This application represents some of the knowledge we share with the infosec community. We are trying to build vulnerable applications based on OWASP Mobile Security Testing Guide.
🚩 CTF Link : https://ctf.hpandro.raviramesh.info
🟦 Facebook Page: https://www.facebook.com/hpAndro1337
🔷Twitter handle : https://twitter.com/hpandro1337
Runtime Debugging Native Android Shared library (.so) file using IDA Pro
Android Studio Emulator (AVD) Rooting with Magisk using rootAVD
SSAID or ANDROID_ID validation Bypass using Dalvik bytecode Patch - hpAndro Vulnerable Application
GPS Location Spoofing - hpAndro Vulnerable Application Challenge
Hardcoded Secret in Native Library (.so files) - hpAndro Vulnerable Application Challenge
RPATH - run-time search path hard-coded in native library - hpAndro Vulnerable Application Challenge
Checking Memory for Sensitive Data (Memory Flag) - hpAndro Vulnerable Application Challenge
![XML External Entity [XXE] - hpAndro Vulnerable Application Challenge](https://ricktube.ru/thumbnail/BHL9oESE0X4/mqdefault.jpg)
XML External Entity [XXE] - hpAndro Vulnerable Application Challenge
XPath Injection - hpAndro Vulnerable Application Challenge
User Password Enumeration - hpAndro Vulnerable Application Challenge
![Server Side Request Forgery [SSRF] - hpAndro Vulnerable Application Challenge](https://ricktube.ru/thumbnail/sORqqgN9kx4/mqdefault.jpg)
Server Side Request Forgery [SSRF] - hpAndro Vulnerable Application Challenge
Server Fingerprinting - hpAndro Vulnerable Application Challenge
![Remote File Inclusion [RFI] - hpAndro Vulnerable Application Challenge](https://ricktube.ru/thumbnail/1_m4aPQkxrg/mqdefault.jpg)
Remote File Inclusion [RFI] - hpAndro Vulnerable Application Challenge
REST API HTTP Methods - hpAndro Vulnerable Application Challenge
Unrestricted File Upload - hpAndro Vulnerable Application Challenge
![Server Side Template Injection [SSTI] - hpAndro Vulnerable Application Challenge](https://ricktube.ru/thumbnail/eYk6NhcTBwA/mqdefault.jpg)
Server Side Template Injection [SSTI] - hpAndro Vulnerable Application Challenge
S3 Bucket Misconfiguration - hpAndro Vulnerable Application Challenge
RIA Cross Domain Policy - hpAndro Vulnerable Application Challenge
Review Comment and Meta Data - hpAndro Vulnerable Application Challenge
OTP Bruteforce - hpAndro Vulnerable Application Challenge
Old Backup Files - hpAndro Vulnerable Application Challenge
Login Bypass Cookie Manipulation - hpAndro Vulnerable Application Challenge
JWT Misconfiguration - hpAndro Vulnerable Application Challenge
JSON to XXE Blind - hpAndro Vulnerable Application Challenge
JavaScript Info Leak - hpAndro Vulnerable Application Challenge
![Insecure Direct Object References [IDOR] - hpAndro Vulnerable Application Challenge](https://ricktube.ru/thumbnail/7PE55Xi5io8/mqdefault.jpg)
Insecure Direct Object References [IDOR] - hpAndro Vulnerable Application Challenge
Encoding & Hashing - hpAndro Vulnerable Application Challenge
Default Credential - hpAndro Vulnerable Application Challenge
Client Side Validation Bypass - hpAndro Vulnerable Application Challenge
Ninjutsu Android Penetration Testing Environment - MEmu based emulator