Skip to content
Branch: master
Clone or download
Latest commit c98e6a0 Sep 4, 2019


AndroGoat is purposely developed open source vulnerable/insecure app using Kotlin. Security Testers/Professionals/Enthusiasts, Developers...etc. can use this application to understand and defend the vulnerabilities in Android platform. This is the first vulnerable app developed using Kotlin.If you are looking to learn Android Application Security Testing then AndroGoat is a perfect solution.

I strongly believe this AndroGoat will help many people to learn Android Application Security Testing.

Happy learning

Vulnerabilities covered in this app:

  1. Root Detection
  2. Emulator Detection
  3. Insecure Data Storage – Shared Prefs - 1
  4. Insecure Data Storage - Shared Prefs - 2
  5. Insecure Data Storage - SQLite
  6. Insecure Data Storage – Temp Files
  7. Insecure Data Storage – SD Card
  8. Keyboard Cache
  9. Insecure Logging
  10. Input Validations – XSS
  11. Input Validations – SQLi
  12. Input Validations – WebView
  13. Unprotected Android Components – Activity
  14. Unprotected Android Components –Service
  15. Unprotected Android Components – Broadcast Receivers
  16. Unprotected Android Components – Content Providers (Coming Soon)
  17. Hard coding issues
  18. Network intercepting – HTTP
  19. Network intercepting – HTTPS
  20. Network intercepting – Certificate Pinning
  21. Misconfigured Network_Security_Config.xml
  22. Android Debuggable
  23. Android allowBackup
  24. Custom URL Scheme
  25. Broken Cryptography
  26. QR Code Scanning (Coming Soon)
  27. Fingerprint Authentication (Coming Soon)

Download apk file from , install and ride AndroGoat..

Feedbank and Ideas are welcome. Please reach me
Follow me on Twiiter for update on blogs, changes...etc

You can’t perform that action at this time.