Presenting a modern cloud-based vulnerable Android app - VyAPI

Riddhi Shree
Appsecco
Sep 12, 2019

The Modern Cloud-Based Vulnerable Hybrid Android App

Introduction

Recently, I completed the development of a vulnerable hybrid Android application called VyAPI, which contains the first set of (vulnerable) features that I feel would cover the basics (and a little more) for anyone interested in practising Android pen-testing.

Let me tell you that this is my first ever experience of writing code for an Android application, and from scratch at that. When I started writing the code in the month of July, earlier this year, my only intention was to identify the Android components and to understand the Android internals.

I wasn’t thinking much about where I had to reach, because my only goal was to learn as much as I could and to explore the possibilities. I was focused just on seeing how far I could go without giving up.

I guess this is what passion feels like!

The Story

Security Vulnerabilities

The first version of VyAPI has been released, and it includes the following deliberate security vulnerabilities for the purpose of security training of Android security professionals:

  1. Broken Authorization due to security misconfigurations in Amazon Cognito
  2. Vulnerable Activity
  3. Vulnerable Broadcast Receiver
  4. Vulnerable Service
  5. SQL Injection through Content Provider
  6. Hard Coded Secret
  7. Business Logic Flaw
  8. Insecure Coding Practices

Technology Stack

I wanted to use, and I have used, the latest cloud and related technologies to build VyAPI 1.0:

  1. AWS Amplify CLI
  2. AWS SDK for Android 10
  3. Amazon Cognito
  4. OpenJDK 1.8.0_152-release
  5. Glide v4
  6. Room Persistence Library
  7. Gradle 5.1.1

I believe that what makes VyAPI different from other available vulnerable Android apps is its technology stack, and its look and feel. I find most of the existing vulnerable apps very simple and not so exciting. I have tried to build VyAPI in the way real-world apps are built. I had a great time developing VyAPI and I wish to share my learnings with you through VyAPI. I hope you will find it interesting and fun to learn and use.

GitHub Repository

Why call it VyAPI?

“Vyapi” means all-pervasive in Sanskrit, i.e., it refers to what’s spread throughout and it affects all parts of something, just like Android devices are all-pervasive and so are the Android app vulnerabilities. The letters “API” in the term “Vyapi” deserve special attention because I have developed a hybrid Android app that involves making API calls, unlike the native apps. Also, the letter “A” could be easily used to symbolize us, the team at Appsecco. Thus, my Android app finally got its name as VyAPI.

At Appsecco we provide advice, testing, training and insight around software and website security, especially anything that’s online, and its associated hosting infrastructure — Websites, e-commerce sites, online platforms, mobile technology, web-based services etc.
