{"id":37645492,"url":"https://github.com/t0thkr1s/allsafe-android","last_synced_at":"2026-01-16T11:25:48.021Z","repository":{"id":65264278,"uuid":"312809182","full_name":"t0thkr1s/allsafe-android","owner":"t0thkr1s","description":"Intentionally vulnerable Android application.","archived":false,"fork":false,"pushed_at":"2025-09-13T11:57:23.000Z","size":3273,"stargazers_count":287,"open_issues_count":0,"forks_count":89,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-09-13T13:57:41.977Z","etag":null,"topics":["android","bugbounty","bypass","certificate","dynamic-analysis","forthebadge","frida","frida-scripts","hackerone-reports","hardcoded-credentials","mobile-security","reverse","reverse-engineering","vulnerabilities","vulnerable","vulnerable-android-apps"],"latest_commit_sha":null,"homepage":"https://medium.com/infosec-adventures","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t0thkr1s.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-11-14T12:06:54.000Z","updated_at":"2025-09-13T11:57:27.000Z","dependencies_parsed_at":"2025-08-05T22:28:22.563Z","dependency_job_id":"0714815c-bb41-47b9-b3b0-b28edf0ead6b","html_url":"https://github.com/t0thkr1s/allsafe-android","commit_stats":null,"previous_names":["t0thkr1s/allsafe-android"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/t0thkr1s/allsafe-android","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe-android","tags_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe-android/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe-android/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe-android/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t0thkr1s","download_url":"https://codeload.github.com/t0thkr1s/allsafe-android/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t0thkr1s%2Fallsafe-android/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28478247,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T06:30:42.265Z","status":"ssl_error","status_checked_at":"2026-01-16T06:30:16.248Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","bugbounty","bypass","certificate","dynamic-analysis","forthebadge","frida","frida-scripts","hackerone-reports","hardcoded-credentials","mobile-security","reverse","reverse-engineering","vulnerabilities","vulnerable","vulnerable-android-apps"],"created_at":"2026-01-16T11:25:47.937Z","updated_at":"2026-01-16T11:25:48.002Z","avatar_url":"https://github.com/t0thkr1s.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"screenshots/logo.png\" 
alt=\"Allsafe Logo\" width=\"120\"/\u003e\n  \n  # Allsafe - Android\n  \n  **An Intentionally Vulnerable Android Application for Security Education**\n  \n  [![Android CI](https://github.com/t0thkr1s/allsafe/workflows/Android%20CI/badge.svg)](https://github.com/t0thkr1s/allsafe/actions)\n  [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n  [![Platform](https://img.shields.io/badge/Platform-Android-green.svg)](https://www.android.com)\n  [![API](https://img.shields.io/badge/API-23%2B-brightgreen.svg)](https://android-arsenal.com/api?level=23)\n  \n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n    \u003ca href=\"#screenshots\"\u003eScreenshots\u003c/a\u003e •\n    \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e •\n    \u003ca href=\"#challenges\"\u003eChallenges\u003c/a\u003e •\n    \u003ca href=\"#contributing\"\u003eContributing\u003c/a\u003e •\n    \u003ca href=\"#support\"\u003eSupport\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n---\n\n## 📱 About\n\n**Allsafe** is an intentionally vulnerable Android application designed for security enthusiasts, pentesters, and developers to learn about Android application security. 
Unlike typical CTF-style apps, Allsafe simulates a real-world application using modern libraries and technologies, providing a practical learning experience for identifying and exploiting Android vulnerabilities.\n\n### 🎯 Key Features\n\n- **15+ Security Challenges** covering various vulnerability categories\n- **Modern Tech Stack** using current Android development practices\n- **Frida Challenges** for dynamic instrumentation practice\n- **Real-world Scenarios** that mirror actual application vulnerabilities\n- **Progressive Difficulty** from beginner to advanced levels\n- **Clean UI/UX** with a hacker-themed terminal interface\n\n## 📸 Screenshots\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"screenshots/screenshot1.png\" alt=\"Main Screen\" width=\"250\"/\u003e\n  \u003cimg src=\"screenshots/screenshot2.png\" alt=\"Challenge View\" width=\"250\"/\u003e\n  \u003cimg src=\"screenshots/screenshot3.png\" alt=\"Deep Link Challenge\" width=\"250\"/\u003e\n\u003c/div\u003e\n\n## 🚀 Installation\n\n### Prerequisites\n\n- Android device or emulator (API 23+)\n- ADB (Android Debug Bridge) installed\n- (Optional) Frida for dynamic analysis challenges\n\n### Download \u0026 Install\n\n#### Option 1: Direct APK Installation\n```bash\n# Download the latest APK from releases\nwget https://github.com/t0thkr1s/allsafe/releases/latest/download/allsafe.apk\n\n# Install via ADB\nadb install allsafe.apk\n```\n\n#### Option 2: Build from Source\n```bash\n# Clone the repository\ngit clone https://github.com/t0thkr1s/allsafe.git\ncd allsafe\n\n# Build the APK\n./gradlew assembleDebug\n\n# Install the APK\nadb install app/build/outputs/apk/debug/app-debug.apk\n```\n\n## 🎮 Challenges\n\nThe application contains various security challenges organized by difficulty:\n\n### Challenges\n\n### 1. Insecure Logging\n\nSimple information disclosure vulnerability. 
Use the `logcat` command-line tool to discover sensitive information.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Logcat Tool](https://developer.android.com/studio/command-line/logcat)\n- [Coinbase OAuth Response Code Leak](https://hackerone.com/reports/5314)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n\u003ccode\u003eadb shell 'pidof infosecadventures.allsafe'\u003c/code\u003e\n\u003cbr\u003e\u003cbr\u003e\nTake the output and substitute it for [PID]\n\u003cbr\u003e\u003cbr\u003e\n\u003ccode\u003eadb shell 'logcat --pid [PID] | grep secret'\u003c/code\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 2. Hardcoded Credentials\n\nSome credentials are left in the code. Your task is to reverse engineer the app and find sensitive information.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Zomato Hardcoded Credentials](https://hackerone.com/reports/246995)\n- [8x8 Hardcoded Credentials](https://hackerone.com/reports/412772)\n- [Reverb Hardcoded API Secret](https://hackerone.com/reports/351555)\n\n---\n\n### 3. Root Detection\n\nThis is purely for Frida practice. Make the code believe that your device is not rooted!\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\nhttps://youtu.be/Gg-3Sw79gEI\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n---\n\n### 4. Arbitrary Code Execution\n\nLoading modules securely from third-party apps is not easy. Write a PoC application and exploit the vulnerability!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Arbitrary Code Execution via Third-Party Package Contexts](https://blog.oversecured.com/Android-arbitrary-code-execution-via-third-party-package-contexts/)\n\n---\n\n### 5. Secure Flag Bypass\n\nAnother Frida-based task. 
No real vulnerability here, just have fun bypassing the secure flag!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Android FLAG_SECURE Reference](https://developer.android.com/reference/android/view/WindowManager.LayoutParams#FLAG_SECURE)\n\n---\n\n### 6. Certificate Pinning Bypass\n\nCertificate pinning is implemented using the OkHttp library. You have to bypass it in order to view the traffic with Burp Suite.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Certificate and Public Key Pinning](https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning)\n- [Coinbase Vulnerabilities](https://hackerone.com/reports/5786)\n\n---\n\n### 7. Insecure Broadcast Receiver\n\nThere's a vulnerable broadcast receiver in the application. Trigger it with the correct data and you're done!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Android Broadcasts Overview](https://developer.android.com/guide/components/broadcasts)\n- [ok.ru Broadcast Receiver Exploitation](https://hackerone.com/reports/97295)\n- [Bitwarden Vulnerable Broadcast Receiver](https://hackerone.com/reports/289000)\n\n---\n\n### 8. Deep Link Exploitation\n\nSimilar to the insecure broadcast receiver, you need to provide the right query parameter to complete this task!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Android Deep Linking](https://developer.android.com/training/app-links/deep-linking)\n- [Grab Insecure Deep Link](https://hackerone.com/reports/401793)\n- [Periscope Deep Link CSRF](https://hackerone.com/reports/583987)\n\n---\n\n### 9. SQL Injection\n\nJust a regular SQL injection that you'd find in web applications. No need to reverse the code to bypass the login mechanism.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [SQL Injection in Content Provider](https://hackerone.com/reports/291764)\n\n---\n\n### 10. Vulnerable WebView\n\nYou can also complete this task without decompiling the application. 
Pop an alert dialog and read files!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [ownCloud WebView XSS](https://hackerone.com/reports/87835)\n\n---\n\n### 11. Smali Patching\n\nIn this task, you have to modify the execution flow of the application by editing the Smali code. Finally, rebuild and sign the APK!\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Uber APK Signer](https://github.com/patrickfav/uber-apk-signer)\n\n---\n\n### 12. Native Library\n\nThe application uses a native library that validates the entered password. Reverse engineer the library to find the password then use Frida to hook the native method.\n\n###### Resources \u0026 HackerOne Reports:\n\n- [Ghidra](https://github.com/NationalSecurityAgency/ghidra)\n- [Cutter](https://github.com/rizinorg/cutter)\n\n\u003cdetails\u003e\n\u003csummary\u003eShow me how it's done!\u003c/summary\u003e\n\u003cbr\u003e\n# TODO\n\u003cbr\u003e\u003cbr\u003e\n\u003c/details\u003e\n\n## 🔧 Useful Tools \u0026 Resources\n\n### Frida Scripts\nCheck out my collection of Frida scripts for Android pentesting:\n[https://github.com/t0thkr1s/frida](https://github.com/t0thkr1s/frida)\n\n### Recommended Tools\n- **Static Analysis:** [JADX](https://github.com/skylot/jadx), [Apktool](https://ibotpeaches.github.io/Apktool/)\n- **Dynamic Analysis:** [Frida](https://frida.re/), [Objection](https://github.com/sensepost/objection)\n- **Network Analysis:** [Burp Suite](https://portswigger.net/burp), [OWASP ZAP](https://www.zaproxy.org/)\n- **Reverse Engineering:** [Ghidra](https://ghidra-sre.org/), [IDA Pro](https://hex-rays.com/ida-pro/)\n\n## 🤝 Contributing\n\nContributions are welcome! Whether you've found a bug, have a suggestion, or want to add a new challenge:\n\n1. Fork the repository\n2. Create your feature branch (`git checkout -b feature/AmazingFeature`)\n3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)\n4. Push to the branch (`git push origin feature/AmazingFeature`)\n5. 
Open a Pull Request\n\n## 💖 Support\n\nIf you found this project helpful or valuable, please consider:\n\n- ⭐ Giving it a star on GitHub\n- 🐛 Reporting bugs or suggesting improvements\n- 💰 Supporting through cryptocurrency donations:\n\n**Bitcoin (BTC)**  \n`bc1qd44kvj6zatjgn27n45uxd3nprzt6rm9x9g2yc8`\n\n**Ethereum (ETH)**  \n`0x1835a58E866a668C48Ee63d32432C7Fe28aF54b4`\n\n## 📚 Learning Resources\n\n- [OWASP Mobile Security Testing Guide](https://owasp.org/www-project-mobile-security-testing-guide/)\n- [Android Security Documentation](https://source.android.com/security)\n- [Frida Documentation](https://frida.re/docs/home/)\n- [HackerOne Android Reports](https://hackerone.com/hacktivity?querystring=android)\n\n## 📝 Writeups\n\n- [Aybora Ünveren](https://ayboraa.github.io/Mobile%20Security/writeups/allsafe/)\n- [Soliman Almansor](https://medium.com/@soliman_almansor/all-safe-challenges-599a09cce447)\n- [Thirukrishnan](https://infosecwriteups.com/allsafe-intentionally-vulnerable-android-application-part-1-5603d75b78c9)\n- [Recep Emir Yardım](https://sahipkirann.github.io/Mobile%20Security/Allsafe%20Android%20App%20Writeup/)\n\n## ⚠️ Disclaimer\n\nThis application is designed for **educational purposes only**. It should only be used in controlled environments where you have explicit permission. The developers assume no liability and are not responsible for any misuse or damage caused by this application.\n\n**Do not use this application:**\n- On devices you don't own\n- In production environments\n- For illegal purposes\n- Without proper authorization\n\n## 📄 License\n\nThis project is licensed under the GNU General Public License v3.0 - see the [LICENSE](LICENSE) file for details.\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003csub\u003eBuilt with ❤️ for the security community\u003c/sub\u003e\n  \u003cbr\u003e\n  \u003csub\u003eHappy Hacking! 
🚀\u003c/sub\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0thkr1s%2Fallsafe-android","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft0thkr1s%2Fallsafe-android","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft0thkr1s%2Fallsafe-android/lists"}