Allsafe is an intentionally vulnerable application that contains various vulnerabilities. Unlike other vulnerable Android apps, this one is less like a CTF and more like a real-life application that uses modern libraries and technologies. Additionally, I have included some Frida based challenges for you to explore. Have fun and happy hacking!
I have my Frida scripts (more like templates) in other repository. I'm sure they might be quite handy for the Frida related tasks. Check it out: https://github.com/t0thkr1s/frida
Tasks / Vulnerabilities
1. Insecure Logging
Simple information disclosure vulnerability. Use the logcat
command-line tool to discover sensitive information.
Resources & HackerOne Reports:
Some credentials are left in the code. Your task is to reverse engineer the app and find sensitive information.
Resources & HackerOne Reports:
3. Root Detection
This is purely for Frida practice. Make the code believe that you device is not rooted!
4. Arbitrary Code Execution
Loading modules securely with third-party apps are not easy. Write a PoC application and exploit the vulnerability!
Resources & HackerOne Reports:
5. Secure Flag Bypass
Another Frida-based task. No real vulnerability here, just have fun bypassing the secure flag!
Resources & HackerOne Reports:
6. Certificate Pinning Bypass
Certificate pinning is implemented using the OkHttp library. You have to bypass it in order to view the traffic with Burp Suite.
Resources & HackerOne Reports:
7. Insecure Broadcast Receiver
There's a vulnerable broadcast recevier in the application. Trigger it with the correct data and you're done!
Resources & HackerOne Reports:
- Android Broadcasts Overview
- ok.ru Broadcast Receiver Exploitation
- Bitwarden Vulnerable Broadcast Receiver
8. Deep Link Exploitation
Similar to the insecure broadcast receiver, you need to provide the right query parameter to complete this task!
Resources & HackerOne Reports:
9. SQL Injection
Just a regular SQL injection that you'd find in web applications. No need to reverse the code to bypass the login mechanism.
Resources & HackerOne Reports:
Show me how it's done!
# TODO
10. Vulnerable WebView
You can also complete this task without decompiling the application. Pop an alert dialog and read files!
Resources & HackerOne Reports:
In this task, you have to modify the execution flow of the application by editing the Smali code. Finally, rebuild and sign the APK!
Resources & HackerOne Reports:
12. Native Library
The application uses a native library that validates the entered password. Reverse engineer the library to find the password then use Frida to hook the native method.
Resources & HackerOne Reports: