Vulnerable Banking Application for Android

Vulnerable Banking Application

Damn Vulnerable Bank

The Damn Vulnerable Bank Android application aims to provide an interface for everyone to get a detailed understanding of the internals and security aspects of Android applications.

Features

  •  Sign up
  •  Login
  •  My profile interface
  •  Change password
  •  Settings interface to update backend URL
  •  Add fingerprint check before transferring/viewing funds
  •  Add pin check before transferring/viewing funds
  •  View balance
  •  Transfer money
    •  Via manual entry
    •  Via QR scan
  •  Add beneficiary
  •  Delete beneficiary
  •  View beneficiary
  •  View transactions history
  •  Download transactions history

List of vulnerabilities in the application

To keep things crisp and interesting, this section is hidden. Do not expand it if you want a fun and challenging experience: explore the application, find all the vulnerabilities you can, and then cross-check your findings against this list.

Spoiler Alert

The first five entries are client-side protections that have to be bypassed; the rest are weaknesses to find and exploit.

  •  Root and emulator detection
  •  Anti-debugging checks that block hooking with Frida, jdb, etc.
  •  SSL pinning of the certificate/public key
  •  Obfuscation of the entire code base
  •  Encryption of all requests and responses
  •  Hardcoded sensitive information
  •  Sensitive data leaked to logcat
  •  Insecure storage (e.g. saved credit card numbers)
  •  Exported activities
  •  JWT handling
  •  WebView integration
  •  Deep links
  •  IDOR (insecure direct object reference)

Backend to-do

  •  Add profile and change-password routes
  •  Create different secrets for admin and other users
  •  Add dynamic generation of the secrets used to verify JWTs
  •  Introduce a bug in JWT verification
  •  Find a way to persist the database and mount it into the Docker container
  •  Dockerize the environment
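The backend to-do items above (per-role secrets, a deliberately buggy JWT verifier) describe a class of bug without naming it. The following is an added example, not code from the Damn Vulnerable Bank project, showing one bug that fits the description: a verifier that trusts the `alg` field of the token header, so a token with `alg: none` and no signature is accepted and the `role` claim can be rewritten to `admin`. The hardened verifier next to it pins the algorithm, compares the MAC in constant time and enforces `exp`. The secrets, the claim names (`sub`, `role`, `exp`) and the function names are all assumptions for this example; the real backend's token format is not documented on this page. Only the standard library is used, so no JWT dependency is needed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder secrets, one per role, mirroring the to-do item
# "different secrets for admin and other users". A real deployment would
# generate these dynamically and never hardcode them.
SECRETS = {
    "user": b"user-secret-placeholder",
    "admin": b"admin-secret-placeholder",
}


def _b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(username: str, role: str, ttl_seconds: int = 900) -> str:
    """Issue an HS256 JWT signed with the secret that belongs to the role."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "role": role, "exp": int(time.time()) + ttl_seconds}
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    mac = hmac.new(SECRETS[role], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


def verify_token_vulnerable(token: str) -> Optional[dict]:
    """Buggy verifier: honours whatever 'alg' the client put in the header.

    'none' short-circuits the signature check, and the plain '==' comparison
    of the MAC is not constant time. Expiry is never checked either.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") == "none":          # the bug: unsigned tokens accepted
        return payload
    secret = SECRETS[payload["role"]]
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return payload if _b64url_decode(sig_b64) == expected else None


def forge_admin_token(legit_token: str) -> str:
    """What an attacker does with the bug: rewrite 'role', set alg=none, drop the MAC."""
    _, payload_b64, _ = legit_token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["role"] = "admin"
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def verify_token_hardened(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Fixed verifier: algorithm pinned server-side, constant-time MAC check, exp enforced."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        provided_mac = _b64url_decode(sig_b64)
    except ValueError:                        # malformed base64/JSON or wrong part count
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        return None
    secret = SECRETS.get(payload.get("role"))
    if secret is None:
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(provided_mac, expected):
        return None
    current = int(time.time()) if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= current:
        return None
    return payload


if __name__ == "__main__":
    legit = issue_token("alice", "user")
    forged = forge_admin_token(legit)
    print("vulnerable verifier on forged token:", verify_token_vulnerable(forged))
    print("hardened verifier on forged token:  ", verify_token_hardened(forged))
```

Selecting the secret from the `role` claim is safe only because the signature is then checked under that secret: a user who does not know the admin secret cannot produce a token that verifies as admin. The weak points are everything the buggy verifier accepts before that check happens.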

Download & Use

Copyright (c) 2020 Rewanth Cool