Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities
Java Python
Latest commit 998a0e1 Jul 30, 2016 dns Updated apk file


InsecureBankv2 Readme

Black Hat Arsenal

Black Hat Arsenal

This is a major update to one of my previous projects - "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source. The list of vulnerabilities that are currently included in this release are:

  • Flawed Broadcast Receivers
  • Intent Sniffing and Injection
  • Weak Authorization mechanism
  • Local Encryption issues
  • Vulnerable Activity Components
  • Root Detection and Bypass
  • Insecure Content Provider access
  • Insecure Webview implementation
  • Weak Cryptography implementation
  • Application Patching
  • Sensitive Information in Memory
  • Insecure Logging mechanism
  • Android Pasteboard vulnerability
  • Application Debuggable
  • Android keyboard cache issues
  • Android Backup vulnerability
  • Runtime Manipulation
  • Insecure SDCard storage
  • Insecure HTTP connections
  • Parameter Manipulation
  • Hardcoded secrets
  • Username Enumeration issue
  • Developer Backdoors
  • Weak change password implementation

Below are some of the other vulnerabilities that I am working on currently - and will be added as soon as I make sure that it does not break any of the other existing features:

  • Weak Pseudo Random Implementation
  • Path Traversal
  • Local SQL Injection
  • Intent based Denial-Of-Service - SMS
  • LockScreen Bypass
  • Location Spoofing
  • Dead Code