DVAC: An intentionally vulnerable Android Application

The Damn Vulnerable Android Components – DVAC

Damn Vulnerable Android Components (DVAC) is an educational Android application intentionally designed to expose and demonstrate vulnerabilities related to various Android components such as Activities, Intents, Content Providers, and Broadcast Receivers. It is structured as a password manager application to manage and store passwords securely (LOL).

Inspired by the pioneering work of the Sieve application, which focused on similar vulnerabilities but is now outdated and incompatible with newer Android versions, DVAC aims to fill the gap by providing a modern, up-to-date platform for learning about Android security. DVAC provides a hands-on learning experience for beginners in Android pentesting and cybersecurity, and was developed with those beginners in mind who find it difficult to get a proper lab for learning Android pentesting.

Vulnerabilities

There are a total of 14 vulnerabilities in Damn Vulnerable Android Components:

  1. Hardcoded Credentials
  2. Bypass Login via Exported Activity
  3. Insecure Storage
  4. Insecure Exported Activity With Intent - Changing the password
  5. Changing the Password via Broadcast Receiver
  6. SQL Injection Content Provider
  7. Path Traversal Content Provider
  8. Exposed Service Over Ports
  9. Exposed Service Over Messaging
  10. Privilege Escalation - Pending Intent
  11. Denial Of Service via Broadcast Receiver
  12. Broadcast Sniffing
  13. Access Non-Exported Activity
  14. Access Non-Exported Content Provider

Why DVAC?

The development of DVAC was inspired by the Sieve APK, another vulnerable application focusing on Android component vulnerabilities. However, Sieve is outdated and does not function properly on newer versions of Android. DVAC aims to provide similar functionality while working on modern Android versions.

Download & Install

Copyright (C) 2024 zinja-coder