Allsafe - Intentionally Vulnerable Android Application

Allsafe is an intentionally vulnerable application that contains various vulnerabilities. Unlike other vulnerable Android apps, this one is less like a CTF and more like a real-life application that uses modern libraries and technologies. Additionally, I have included some Frida-based challenges for you to explore. Have fun and happy hacking!


Useful Frida Scripts

I keep my Frida scripts (more like templates) in another repository. They should be quite handy for the Frida-related tasks. Check it out: https://github.com/t0thkr1s/frida


Tasks / Vulnerabilities

1. Insecure Logging

Simple information disclosure vulnerability. Use the logcat command-line tool to discover sensitive information.


Resources & HackerOne Reports: Logcat Tool; Coinbase OAuth Response Code Leak
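
An added example (not part of Allsafe or its repository) of auditing a captured logcat dump for the kind of disclosure this task describes: it parses threadtime-format lines and flags messages that look like credentials. The detector patterns, the PID and the sample log lines are constructed for illustration.

```python
import re

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LINE_RE = re.compile(
    r"^\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<pid>\d+)\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*: (?P<msg>.*)$"
)

# Heuristic detectors: assumptions for this example, tune them per application.
DETECTORS = {
    "credential_kv": re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|secret|token|api[_-]?key)\b\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/-]{16,}=*"),
    "jwt": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"),
}

# Constructed sample capture (not real Allsafe output).
SAMPLE_LOG = """\
--------- beginning of main
03-14 10:22:01.123  4321  4321 D LoginFragment: User entered secret: hunter2-constructed
03-14 10:22:01.200  4321  4350 I OkHttp  : --> POST https://api.example.test/login
03-14 10:22:01.450  4321  4350 D OkHttp  : Authorization: Bearer abcdefghijklmnop0123456789
03-14 10:22:02.000  1200  1200 I ActivityManager: Displayed com.example.app/.MainActivity
03-14 10:22:03.010  9999  9999 D Other   : token=zzz-constructed
"""

def scan_logcat(text, pid=None):
    """Return findings for lines whose message matches a detector.

    pid limits the scan to one process (the app under review)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if m is None:
            continue  # section banners and wrapped continuation lines
        if pid is not None and int(m["pid"]) != pid:
            continue
        for rule, rx in DETECTORS.items():
            if rx.search(m["msg"]):
                findings.append({
                    "line": lineno, "level": m["level"], "tag": m["tag"],
                    "rule": rule,
                    # Never copy the secret into the report itself.
                    "redacted": rx.sub("[REDACTED]", m["msg"]),
                })
    return findings

if __name__ == "__main__":
    for finding in scan_logcat(SAMPLE_LOG, pid=4321):
        print(finding)
```

Run against a release build's capture, any finding is a line that should be removed from the code or guarded so it never ships.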

2. Hardcoded Credentials

Some credentials are left in the code. Your task is to reverse engineer the app and find sensitive information.


Resources & HackerOne Reports: Zomato Hardcoded Credentials; 8x8 Hardcoded Credentials; Reverb Hardcoded API Secret

3. Root Detection

This is purely for Frida practice. Make the code believe that your device is not rooted!


4. Arbitrary Code Execution

Loading modules securely with third-party apps is not easy. Write a PoC application and exploit the vulnerability!


Resources & HackerOne Reports: Arbitrary Code Execution via Third-Party Package Contexts

5. Secure Flag Bypass

Another Frida-based task. No real vulnerability here, just have fun bypassing the secure flag!


Resources & HackerOne Reports: Android FLAG_SECURE Reference

6. Certificate Pinning Bypass

Certificate pinning is implemented using the OkHttp library. You have to bypass it in order to view the traffic with Burp Suite.


Resources & HackerOne Reports: Certificate and Public Key Pinning; Coinbase Vulnerabilities

7. Insecure Broadcast Receiver

There's a vulnerable broadcast receiver in the application. Trigger it with the correct data and you're done!


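Resources & HackerOne Reports: Android Broadcasts Overview; ok.ru Broadcast Receiver Exploitation; Bitwarden Vulnerable Broadcast Receiver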

8. Deep Link Exploitation

Similar to the insecure broadcast receiver, you need to provide the right query parameter to complete this task!


Resources & HackerOne Reports: Android Deep Linking; Grab Insecure Deep Link; Periscope Deep Link CSRF

9. SQL Injection

Just a regular SQL injection that you'd find in web applications. No need to reverse the code to bypass the login mechanism.


Resources & HackerOne Reports: SQL Injection in Content Provider
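
An added example (not Allsafe's code) of why a login check like the one in this task can be bypassed, and the fix: the same SQLite query built by string concatenation and with bound parameters. The table, column names and account are constructed, and that the app concatenates its query is an assumption; Android's SQLiteDatabase.rawQuery accepts the same ? placeholders through its selectionArgs parameter.

```python
import sqlite3

def make_db():
    """In-memory SQLite database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", "constructed-password"))
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: input becomes part of the SQL text, so a quote in
    # it ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Hardened pattern: the statement is fixed and values are bound separately,
    # so quotes and comment markers stay inside the data.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def outcome(check, db, username, password):
    """Classify one login attempt as granted, denied or sql-error."""
    try:
        return "granted" if check(db, username, password) else "denied"
    except sqlite3.OperationalError:
        # A syntax error caused by user input is itself a sign of injection risk.
        return "sql-error"

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a wrong password, a comment-terminated username,
    # and a legitimate name that happens to contain a quote.
    cases = [("admin", "wrong"), ("admin' --", "wrong"), ("o'brien", "x")]
    for check in (login_concatenated, login_parameterized):
        for user, pw in cases:
            print(check.__name__, repr(user), outcome(check, db, user, pw))
```

The quote-containing name is a useful regression test: it must produce a clean denial, never a database error.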



10. Vulnerable WebView

You can also complete this task without decompiling the application. Pop an alert dialog and read files!


Resources & HackerOne Reports: ownCloud WebView XSS

11. Smali Patching

In this task, you have to modify the execution flow of the application by editing the Smali code. Finally, rebuild and sign the APK!


Resources & HackerOne Reports: Uber APK Signer

12. Native Library

The application uses a native library that validates the entered password. Reverse engineer the library to find the password, then use Frida to hook the native method.


Resources & HackerOne Reports: Ghidra; Cutter