InjuredAndroid - A vulnerable Android application with CTF examples based on bug bounty findings, exploitation concepts, and pure creativity.
Setup for a physical device
- Download the latest debug or release injuredandroid.apk from the releases.
- Enable USB debugging on your Android test phone.
- Connect your phone and your pc with a usb cable.
- Install via adb.
adb install InjuredAndroid.apk. Note: You need to use the absolute path to the .apk file or be in the same directory.
Setup for an Android Emulator using Android Studio
- Download the apk file.
- Start the emulator from Android Studio (I recommend downloading an emulator with Google APIs so root adb can be enabled).
- Drag and drop the .apk file on the emulator and InjuredAndroid.apk will install.
Build from source
Build steps in progress. The flutter module makes this slightly more complicated.
Tips and CTF Overview
Decompiling the Android app is highly recommended.
- XSSTEST is just for fun and to raise awareness on how WebViews can be made vulnerable to XSS.
- The login flags just need the flag submitted.
- The flags without a submit that demonstrate concepts will automatically register in the "Flags Overview" Activity.
- The exclamatory buttons on the bottom right will give users up to three tips for each flag.
Good luck and have fun! :D
Looking at the source code of the applications in the InjuredAndroid directory, InjuredAndroid-FlagWalkthroughs.md file, or binary source code in the Binaries directory will spoil some if not all of the ctf challenges.
Full guide: https://github.com/B3nac/InjuredAndroid
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
- Blog2022.12.13What are the Common Security Weaknesses of Cloud Based Networks?
- Blog2022.10.12Vulnerability management with Wazuh open source XDR
- Blog2022.08.29Deception Technologies: Improving Incident Detection and Response by Alex Vakulov
- Blog2022.08.25Exploring the Heightened Importance of Cybersecurity in Mobile App Development by Jeff Kalwerisky
View all comments