Damn Vulnerable Bank Android Application aims to provide an interface for everyone to get a detailed understanding of the internals and security aspects of Android applications.
Installation
- Clone the repository and run the backend server as per the instructions in the link.
- We have released the APK; after downloading it, install it via adb or manually.
- After installation, open the app and add the backend IP on the home screen.
- Test the running status by pressing Health check.
- Now create an account via the Sign up option and then log in with your credentials.
- Now you can see the dashboard and perform banking operations.
- The admin credentials are `admin:admin`; they are used to approve beneficiaries.
Features
- Sign up
- Login
- My profile interface
- Change password
- Settings interface to update backend URL
- Add fingerprint check before transferring/viewing funds
- Add pin check before transferring/viewing funds
- View balance
- Transfer money
  - Via manual entry
  - Via QR scan
- Add beneficiary
- Delete beneficiary
- View beneficiary
- View transactions history
- Download transactions history
- Root and emulator detection
- Anti-debugging checks (prevents hooking with frida, jdb, etc.)
- SSL pinning - pin the certificate/public key
- Obfuscate the entire code
Vulnerabilities
- Hardcoded sensitive information
- Logcat leakage
- Insecure storage (saved credit card numbers, maybe)
- Exported activities
- JWT token
- WebView integration
- Deep links
- IDOR
Backend TODO
- Add profile and change-password routes
- Create different secrets for admin and other users
- Add dynamic generation of secrets to verify JWT tokens
- Introduce a bug in JWT verification
- Find a way to store the database and mount it while using Docker
- Dockerize the environment
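The JWT items above (separate secrets per role and a deliberately buggy verification) can be illustrated side by side. This is an added example, not the project's backend code: the secrets, claim names and helper names are assumptions, and the vulnerable path shows the kind of bug the TODO describes, next to a verifier that checks the HMAC before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed per-role secrets for this example; the project's real secrets are not on this page.
SECRETS = {"user": b"example-user-secret", "admin": b"example-admin-secret"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj).encode())

def issue_token(username: str, role: str) -> str:
    """Sign an HS256 token with the secret assigned to the caller's role."""
    header = encode_segment({"alg": "HS256", "typ": "JWT"})
    payload = encode_segment({"sub": username, "role": role})
    sig = hmac.new(SECRETS[role], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def claims_without_verification(token: str) -> dict:
    """The deliberate bug: the payload is trusted without checking the signature,
    so any edited claim (for example the role) is accepted as-is."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token(token: str) -> Optional[dict]:
    """Hardened path: reject unexpected algorithms, select the secret for the
    claimed role, and only trust the claims once the HMAC matches. A token whose
    role was rewritten fails because it was not signed with that role's secret."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64url_decode(payload))
        secret = SECRETS.get(claims.get("role")) if isinstance(claims, dict) else None
        if secret is None:
            return None
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Constant-time comparison avoids leaking signature bytes via timing.
        return claims if hmac.compare_digest(expected, b64url_decode(sig)) else None
    except (ValueError, AttributeError):
        return None
```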
Build the APK
- Go to the Build menu and select Generate Signed Bundle / APK
- Then select APK as the option and click Next
- Now we need a keystore to sign the APK
- Create a new keystore and remember its password
- After creating it, select that keystore and enter the password
- Now select the build variant as Release and the signature version as V2
- Now we can build the APK successfully
Thanks to these amazing people
- Rewanth Cool (REST API) | GitHub
- Hrushikesh Kakade (Android App) | GitHub
- Akshansh Jaiswal (Android App) | GitHub