⚠️ WARNING: This application is intentionally vulnerable. It is designed exclusively for security research, education, and testing purposes. Do NOT use in production environments.
NutBank is part of nutcracker.sh, an Android security analysis platform. It is a deliberately insecure Android application that simulates a banking app with multiple intentional vulnerabilities and real-world RASP protections.
This app allows security researchers, pentesters, and students to practice identifying and exploiting real-world mobile vulnerabilities in a safe, controlled environment.
🔗 nutcracker.sh: Android mobile security testing platform
- API keys, database credentials, Stripe keys, Firebase config, AWS credentials, and more, all hardcoded in plaintext inside `Secrets.kt`.
- Session tokens stored in SharedPreferences in plaintext.
- Sensitive data written to external storage, cache, and an insecure SQLite database.
- ECB mode encryption.
- MD5 and SHA-1 hashing for passwords and integrity checks.
- No certificate pinning.
- No hostname verification.
- HTTP endpoints used alongside HTTPS.
- ContentProvider exported with sensitive data accessible to any app.
- BroadcastReceiver accepting implicit intents from any application.
- Activities exported without proper permission checks.
- Credentials, session tokens, API keys, and database connection strings logged to Logcat.
- JavaScript enabled with no restrictions.
- Mixed content allowed.
- Biometric check that can be bypassed.
- Implicit intents with sensitive data (credentials, API keys) sent through insecure deep links.
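As an added illustration (not code from the NutBank project), the ECB and unsalted-MD5 pattern described in the list above is shown beside a hardened form using AES-GCM with a per-message nonce and PBKDF2 for passwords. The sample key and the iteration count are constructed assumptions; a real app would keep the key in the Android Keystore.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Weak pattern in the style of a CryptoHelper, shown for contrast only:
// ECB leaks plaintext structure (equal blocks give equal ciphertext) and a
// hardcoded key can be recovered from the APK, defeating the cipher entirely.
object WeakCrypto {
    private val KEY = "0123456789abcdef".toByteArray()   // constructed sample key
    fun encrypt(plain: ByteArray): ByteArray =
        Cipher.getInstance("AES/ECB/PKCS5Padding").run {
            init(Cipher.ENCRYPT_MODE, SecretKeySpec(KEY, "AES"))
            doFinal(plain)
        }
    // Unsalted MD5 is reversed by precomputed tables for any common password.
    fun hashPassword(pw: String): ByteArray =
        MessageDigest.getInstance("MD5").digest(pw.toByteArray())
}

// Hardened form: AES-GCM (confidentiality + integrity) with a fresh random
// 96-bit nonce per message, and a salted, iterated password hash.
object HardenedCrypto {
    private const val GCM_TAG_BITS = 128
    private const val NONCE_LEN = 12
    private val rng = SecureRandom()

    // Output layout: nonce || ciphertext || GCM tag.
    fun encrypt(key: ByteArray, plain: ByteArray): ByteArray {
        val nonce = ByteArray(NONCE_LEN).also { rng.nextBytes(it) }
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, SecretKeySpec(key, "AES"), GCMParameterSpec(GCM_TAG_BITS, nonce))
        return nonce + cipher.doFinal(plain)
    }

    // Throws AEADBadTagException if the blob was modified in storage or transit.
    fun decrypt(key: ByteArray, blob: ByteArray): ByteArray {
        val nonce = blob.copyOfRange(0, NONCE_LEN)
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.DECRYPT_MODE, SecretKeySpec(key, "AES"), GCMParameterSpec(GCM_TAG_BITS, nonce))
        return cipher.doFinal(blob, NONCE_LEN, blob.size - NONCE_LEN)
    }

    // PBKDF2-HMAC-SHA256; store the random salt next to the hash, never a fixed one.
    fun hashPassword(pw: CharArray, salt: ByteArray, iterations: Int = 100_000): ByteArray =
        SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(PBEKeySpec(pw, salt, iterations, 256)).encoded
}
```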
NutBank implements Runtime Application Self-Protection (RASP) with multiple layers of defense that aim to resist bypass attempts. These protections serve as a real-world challenge for security researchers and mobile app pentesters.
- 📱 Root Detection (via RootBeer library): `su` binary, root management apps (Magisk, SuperSU), test-keys build, writable system partitions
- 🔍 Frida Detection: port scanning (27042), `/proc/*/cmdline` process inspection, `/proc/self/maps` memory analysis for Frida artifacts (frida-server, frida-agent, frida-gadget, etc.)
- 🖥️ Emulator Detection: Build fingerprint analysis, QEMU pipe/socket detection, hardware property checks
- 🐛 Debugger Detection: `android.os.Debug.isDebuggerConnected()`, ptrace status via `/proc/self/status`
- 🔧 Hooking Framework Detection: Xposed, Substrate, and LSPosed module scanning
- 🔒 Repackaging / Tamper Detection: APK signature verification, package certificate hash comparison
- 📱 Screen Capture Prevention: `FLAG_SECURE` on all activities to prevent screenshots and screen recording
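As an added illustration of the Frida and debugger checks listed above (not NutBank's own RASP code), the following Kotlin reads the `/proc` sources the list names. The marker strings, the local-connect timeout and the combination logic are assumptions.

```kotlin
import java.io.File
import java.net.InetSocketAddress
import java.net.Socket

object RaspChecks {
    // File names a Frida agent maps into the target process (assumed marker list).
    private val FRIDA_MARKERS = listOf("frida-agent", "frida-gadget", "frida-server", "libfrida")

    // /proc/self/maps lists every file mapped into this process; an injected
    // Frida agent appears here even when it was loaded without a server port.
    fun fridaInMaps(maps: String = File("/proc/self/maps").readText()): Boolean =
        maps.lineSequence().any { line -> FRIDA_MARKERS.any { it in line } }

    // frida-server listens on TCP 27042 by default; a successful local connect is a signal.
    fun fridaPortOpen(port: Int = 27042, timeoutMs: Int = 200): Boolean =
        runCatching {
            Socket().use { it.connect(InetSocketAddress("127.0.0.1", port), timeoutMs) }
        }.isSuccess

    // TracerPid in /proc/self/status is non-zero while a ptrace-based debugger is attached.
    fun tracerAttached(status: String = File("/proc/self/status").readText()): Boolean =
        status.lineSequence()
            .firstOrNull { it.startsWith("TracerPid:") }
            ?.substringAfter(':')?.trim()?.toIntOrNull()
            ?.let { it != 0 } ?: false

    // Scan /proc/<pid>/cmdline of other processes for a running frida-server.
    // On recent Android releases /proc is mounted with hidepid, so this only
    // sees processes of the same UID; unreadable entries are treated as clean.
    fun fridaProcessRunning(): Boolean =
        File("/proc").listFiles { f -> f.name.all(Char::isDigit) }
            ?.any { dir ->
                runCatching { File(dir, "cmdline").readText() }.getOrDefault("").contains("frida")
            } ?: false

    // The Android API check the page names, combined with the ptrace status check.
    fun debuggerConnected(): Boolean =
        android.os.Debug.isDebuggerConnected() || tracerAttached()

    // Any single positive is enough to trigger the blocking dialog.
    fun threatDetected(): Boolean =
        fridaInMaps() || fridaPortOpen() || debuggerConnected() || fridaProcessRunning()
}
```

Each check is cheap enough to repeat from a background coroutine, which is what makes one-time patching of a single call insufficient against this kind of layered RASP.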
When a threat is detected, NutBank can:
- Display a blocking dialog that forces app closure
- Run checks continuously in the background via coroutines, not just at startup
- Use obfuscated check logic to hinder static analysis
- Employ timing-based anomalies to detect hooking interference
💡 These RASP controls are designed to be robust but bypassable: the goal is to provide a realistic training target. Advanced attackers using nutcracker.sh can practice bypassing each protection type.

```text
app/src/main/java/sh/nutcracker/nutbank/
├── MainActivity.kt             # Login screen + RASP checks
├── DashboardActivity.kt        # Displays all "leaked" secrets
├── AdminActivity.kt            # Exported admin panel (no auth)
├── Secrets.kt                  # Hardcoded credentials & API keys
├── CryptoHelper.kt             # Weak crypto (ECB, MD5, SHA-1)
├── DataStoreManager.kt         # Insecure storage patterns
├── NetworkClient.kt            # No SSL pinning / hostname verification
├── ContentProviderHandler.kt   # Exported content provider
├── BroadcastReceiverHandler.kt # Exported broadcast receiver
├── DeepLinkActivity.kt         # Insecure deep link handling
├── WebActivity.kt              # Insecure WebView
├── BiometricAuthActivity.kt    # Weak biometric implementation
└── DataStoreManager.kt         # File/database preference storage
```
- Android Studio (latest stable)
- Android Emulator or physical device (API 28+)
- RootBeer library (included via Gradle)
```bash
# Clone the repository
git clone https://github.com/nutcracker-sh/nutbank.git
cd nutbank

# Build and install
./gradlew installDebug

# Launch on connected device/emulator
adb shell am start -n sh.nutcracker.nutbank/.MainActivity
```

Default login credentials:
- Username: `admin`
- Password: `P@ssw0rd123!`
This app is designed as a companion target for nutcracker.sh:
- Install NutBank on your test device/emulator
- Run nutcracker security analysis against the app
- Identify all intentional vulnerabilities
- Practice writing remediation reports
| MASVS Category | Vulnerability | Status |
|---|---|---|
| MASVS-CRYPTO-1 | Weak crypto algorithms | ✅ |
| MASVS-PLATFORM-1 | Exported components | ✅ |
| MASVS-PLATFORM-2 | Insecure data storage | ✅ |
| MASVS-PLATFORM-5 | Insecure WebView | ✅ |
| MASVS-PLATFORM-6 | Insecure deep links | ✅ |
| MASVS-NETWORK-1 | No certificate pinning | ✅ |
| MASVS-NETWORK-2 | Weak TLS configuration | ✅ |
| MASVS-CODE-4 | Insecure logging | ✅ |
| MASVS-CODE-9 | Hardcoded secrets | ✅ |
| MASVS-AUTH-8 | Weak biometric auth | ✅ |
This application is provided for educational and authorized security testing purposes only. The authors assume no liability and are not responsible for any misuse or damage caused by this project.
Carlos Ganoza (@drneox), carlos.ganoza@owasp.org
This project is licensed for educational and security research purposes.