Vulnerable Banking Application for Android
Damn Vulnerable Bank
Damn Vulnerable Bank is an intentionally vulnerable Android banking application. It aims to give everyone an interface for building a detailed understanding of the internals and security aspects of Android applications.
Features
- Sign up
- Login
- My profile interface
- Change password
- Settings interface to update backend URL
- Add fingerprint check before transferring/viewing funds
- Add pin check before transferring/viewing funds
- View balance
- Transfer money
  - Via manual entry
  - Via QR scan
- Add beneficiary
- Delete beneficiary
- View beneficiary
- View transactions history
- Download transactions history
List of vulnerabilities in the application
To keep things crisp and interesting, this section is hidden. Do not expand it if you want a fun and challenging experience. Try to explore the application, find all the possible vulnerabilities, and then cross-check your findings against this list.
Spoiler Alert
- Root and emulator detection
- Anti-debugging checks (prevents hooking with Frida, jdb, etc.)
- SSL pinning – pin the certificate/public key
- Obfuscate the entire code
- Encrypt all requests and responses
- Hardcoded sensitive information
- Logcat leakage
- Insecure storage (e.g. saved credit card numbers)
- Exported activities
- JWT token
- Webview integration
- Deep links
- IDOR
Backend to-do
- Add profile and change-password routes
- Create different secrets for admin and other users
- Add dynamic generation of secrets to verify JWT tokens
- Introduce a bug in JWT verification
- Find a way to store the database and mount it when running under Docker
- Dockerize environment
Download & Use
Copyright (c) 2020 Rewanth Cool