{"id":13649726,"url":"https://github.com/t0thkr1s/allsafe","last_synced_at":"2025-04-22T15:30:30.259Z","repository":{"id":65264278,"uuid":"312809182","full_name":"t0thkr1s/allsafe","owner":"t0thkr1s","description":"Intentionally vulnerable Android application.","archived":false,"fork":false,"pushed_at":"2024-04-03T04:46:02.000Z","size":510,"stargazers_count":189,"open_issues_count":2,"forks_count":64,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-05-01T17:54:35.481Z","etag":null,"topics":["android","bugbounty","bypass","certificate","dynamic-analysis","forthebadge","frida","frida-scripts","hackerone-reports","hardcoded-credentials","mobile-security","reverse","reverse-engineering","vulnerabilities","vulnerable","vulnerable-android-apps"],"latest_commit_sha":null,"homepage":"https://medium.com/infosec-adventures","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t0thkr1s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-11-14T12:06:54.000Z","updated_at":"2024-08-02T02:07:24.052Z","dependencies_parsed_at":"2024-08-02T02:17:26.686Z","dependency_job_id":null,"html_url":"https://github.com/t0thkr1s/allsafe","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe/re
leases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t0thkr1s","download_url":"https://codeload.github.com/t0thkr1s/allsafe/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223900372,"owners_count":17222028,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","bugbounty","bypass","certificate","dynamic-analysis","forthebadge","frida","frida-scripts","hackerone-reports","hardcoded-credentials","mobile-security","reverse","reverse-engineering","vulnerabilities","vulnerable","vulnerable-android-apps"],"created_at":"2024-08-02T02:00:23.593Z","updated_at":"2024-11-10T00:31:35.834Z","avatar_url":"https://github.com/t0thkr1s.png","language":"Java","funding_links":[],"categories":["Mobile Security","Kotlin (19)","Vulnerable Mobile apps:","Java","Mobile Apps"],"sub_categories":["Android"],"readme":"\n \u003cimg align=\"left\" width=\"132\" height=\"132\" src=\"app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.png\"\u003e\n\n# Allsafe\n\n[![forthebadge](https://forthebadge.com/images/badges/built-for-android.svg)](https://github.com/t0thkr1s/)\n\nAllsafe is an intentionally vulnerable application that contains various vulnerabilities. Unlike other vulnerable Android apps, this one is less like a CTF and more like a real-life application that uses modern libraries and technologies. Additionally, I have included some Frida based challenges for you to explore. 
Have fun and happy hacking!\n\n#### Useful Frida Scripts\n \nI have my Frida scripts (more like templates) in another repository. I'm sure they might be quite handy for the Frida-related tasks. Check it out: https://github.com/t0thkr1s/frida\n\n## Tasks / Vulnerabilities\n\n### 1. Insecure Logging\n\nSimple information disclosure vulnerability. Use the `logcat` command-line tool to discover sensitive information.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Logcat Tool](https://developer.android.com/studio/command-line/logcat)\n- [Coinbase OAuth Response Code Leak](https://hackerone.com/reports/5314)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\nadb shell 'pidof infosecadventures.allsafe'\n\u003cbr\u003e\u003cbr\u003e\nTake the output and substitute it for \u003cpid\u003e\n\u003cbr\u003e\u003cbr\u003e\nadb shell 'logcat --pid \u003cpid\u003e | grep secret'\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 2. Hardcoded Credentials\n\nSome credentials are left in the code. Your task is to reverse engineer the app and find sensitive information.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Zomato Hardcoded Credentials](https://hackerone.com/reports/246995)\n- [8x8 Hardcoded Credentials](https://hackerone.com/reports/412772)\n- [Reverb Hardcoded API Secret](https://hackerone.com/reports/351555)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 3. Root Detection\n\nThis is purely for Frida practice. Make the code believe that your device is not rooted!\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\nhttps://youtu.be/Gg-3Sw79gEI\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 4. Arbitrary Code Execution\n\nLoading modules securely with third-party apps is not easy. 
Write a PoC application and exploit the vulnerability!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Arbitrary Code Execution via Third-Party Package Contexts](https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 5. Secure Flag Bypass\n\nAnother Frida-based task. No real vulnerability here, just have fun bypassing the secure flag!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Android FLAG_SECURE Reference](https://developer.android.com/reference/android/view/WindowManager.LayoutParams#FLAG_SECURE)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 6. Certificate Pinning Bypass\n\nCertificate pinning is implemented using the OkHttp library. You have to bypass it in order to view the traffic with Burp Suite.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Certificate and Public Key Pinning](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning)\n- [Coinbase Vulnerabilities](https://hackerone.com/reports/5786)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 7. Insecure Broadcast Receiver\n\nThere's a vulnerable broadcast receiver in the application. 
Trigger it with the correct data and you're done!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Android Broadcasts Overview](https://developer.android.com/guide/components/broadcasts)\n- [ok.ru Broadcast Receiver Exploitation](https://hackerone.com/reports/97295)\n- [Bitwarden Vulnerable Broadcast Receiver](https://hackerone.com/reports/289000)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 8. Deep Link Exploitation\n\nSimilar to the insecure broadcast receiver, you need to provide the right query parameter to complete this task!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Android Deep Linking](https://developer.android.com/training/app-links/deep-linking)\n- [Grab Insecure Deep Link](https://hackerone.com/reports/401793)\n- [Periscope Deep Link CSRF](https://hackerone.com/reports/583987)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 9. SQL Injection\n\nJust a regular SQL injection that you'd find in web applications. No need to reverse the code to bypass the login mechanism.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [SQL Injection in Content Provider](https://hackerone.com/reports/291764)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 10. Vulnerable WebView\n\nYou can also complete this task without decompiling the application. Pop an alert dialog and read files!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [ownCloud WebView XSS](https://hackerone.com/reports/87835)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 11. 
Smali Patching\n\nIn this task, you have to modify the execution flow of the application by editing the Smali code. Finally, rebuild and sign the APK!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 12. Native Library\n\nThe application uses a native library that validates the entered password. Reverse engineer the library to find the password, then use Frida to hook the native method.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Ghidra](https://github.com/NationalSecurityAgency/ghidra)\n- [Cutter](https://github.com/rizinorg/cutter)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### Contribute\n\nNoticed a bug? Have a suggestion? Feel free to open an issue or create a pull request!\n\n### Support\n\nIf this project was valuable to you or helped you in any way, please consider making a small donation via the following cryptocurrencies. Giving a star on the project also helps a lot. Thanks!\n\n**Bitcoin Address**\n⟹ *bc1qd44kvj6zatjgn27n45uxd3nprzt6rm9x9g2yc8*\n\n**Ethereum Address**\n⟹ *0x1835a58E866a668C48Ee63d32432C7Fe28aF54b4*\n\n### Disclaimer\n\n\u003e This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. 
Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software.\n\n## License\n\nThis project is licensed under the GPLv3 License - see the [LICENSE](LICENSE) file for details\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0thkr1s%2Fallsafe","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft0thkr1s%2Fallsafe","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0thkr1s%2Fallsafe/lists"}