Reference applications

The applications listed below can be used as training materials. Note: only the MASTG apps and Crackmes are tested and maintained by the MAS project.

Android

Android Crackmes

A set of apps to test your Android application hacking skills - https://github.com/OWASP/owasp-mastg/tree/master/Crackmes

UnCrackable App for Android Level 1

Available at https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/Level_01

UnCrackable App for Android Level 2

Available at https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/Level_02

UnCrackable App for Android Level 3

Available at https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/Level_03

UnCrackable App for Android Level 4

Available at https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/Level_04

Android License Validator

Available at https://github.com/OWASP/owasp-mastg/blob/master/Crackmes/Android/License_01

AndroGoat

An open source vulnerable/insecure app using Kotlin. This app has a wide range of vulnerabilities related to certificate pinning, custom URL schemes, Android Network Security Configuration, WebViews, root detection and over 20 other vulnerabilities - https://github.com/satishpatnayak/AndroGoat

DVHMA

A hybrid mobile app (for Android) that intentionally contains vulnerabilities - https://github.com/logicalhacking/DVHMA

Digitalbank

A vulnerable app created in 2015, which can be used on older Android platforms - https://github.com/CyberScions/Digitalbank

DIVA Android

An app intentionally designed to be insecure, which received updates in 2016 and contains 13 different challenges - https://github.com/payatu/diva-android

DodoVulnerableBank

An insecure Android app from 2015 - https://github.com/CSPF-Founder/DodoVulnerableBank

InsecureBankv2

A vulnerable Android app made for security enthusiasts and developers to learn about Android insecurities by testing a vulnerable application. It was updated in 2018 and contains a lot of vulnerabilities - https://github.com/dineshshetty/Android-InsecureBankv2

MASTG Hacking Playground

A vulnerable Android app with vulnerabilities similar to the test cases described in this document

MASTG Hacking Playground (Java)

Available at https://github.com/OWASP/MASTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App

MASTG Hacking Playground (Kotlin)

Available at https://github.com/OWASP/MASTG-Hacking-Playground/tree/master/Android/MSTG-Android-Kotlin-App

iOS

iOS Crackmes

A set of applications to test your iOS application hacking skills - https://github.com/OWASP/owasp-mastg/tree/master/Crackmes

UnCrackable App for iOS Level 1

Available at https://github.com/OWASP/owasp-mastg/tree/master/Crackmes/iOS/Level_01

UnCrackable App for iOS Level 2

Available at https://github.com/OWASP/owasp-mastg/tree/master/Crackmes/iOS/Level_02

Myriam

A vulnerable iOS app with iOS security challenges - https://github.com/GeoSn0w/Myriam

DVIA

A vulnerable iOS app written in Objective-C which provides a platform for mobile security enthusiasts, professionals or students to test their iOS penetration testing skills - http://damnvulnerableiosapp.com/

DVIA-v2

A vulnerable iOS app, written in Swift with over 15 vulnerabilities - https://github.com/prateek147/DVIA-v2

iGoat

An iOS Objective-C app serving as a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it - https://github.com/owasp/igoat

iGoat-Swift

A Swift version of the original iGoat project - https://github.com/owasp/igoat-swift

UnSAFE Bank

UnSAFE Bank is a core virtual banking application designed to incorporate cybersecurity risks and various test cases so that newcomers, developers, and security analysts can learn, hack and improve their vulnerability assessment and penetration testing skills - https://github.com/lucideus-repo/UnSAFE_Bank