VyAPI: A cloud based vulnerable hybrid Android App
VyAPI – The Modern Cloud-Based Vulnerable Hybrid Android App
VyAPI is a vulnerable hybrid Android app that’s vulnerable by design. We call it VyAPI because it’s flaws are pervasive and it communicates not just via IPC calls but API calls, too.
Amazon Cognito has been used to handle authentication, authorization and user management. AWS Amplify Console has been used to consume the Authentication APIs provided by AWS Amplify Authentication module. Room persistence library has been used to handle data in the local SQLite database. Glide API has been used to load images. AndroidX libraries and JAVA programming language have been used to develop the business logic of VyAPI Android app.
We know how to attack activities, but, what could change with fragments coming into the picture? There might be a case where we just have one activity, but multiple fragments (each rendering a different functionality) in our Android app. VyAPI will allow you to experience this behavior of our modern-day Android apps.
VyAPI is different not only in terms of its look and feel but also in terms of the latest technologies being used to build it. Following primary tools and technologies have been used to develop VyAPI
- AWS Amplify CLI
- AWS Mobile SDK for Android 10
- Amazon Cognito
- OpenJDK 1.8.0_152-release
- Glide v4
- Room Persistence Library
- Gradle 5.1.1
Modern technologies are eliminating security risks by blocking vulnerable features by default. However, not all vulnerabilities could go away that easily. Also, with new technologies come new security vulnerabilities. Security misconfigurations, business logic flaws, and poor coding practices are evergreen vulnerabilities. VyAPI is the vulnerable hybrid Android app which can be used by our security enthusiasts to get a hands-on experience of a variety of modern and legacy Android app vulnerabilities.
The first version of VyAPI has been released and it includes following deliberate security vulnerabilities for the purpose of security training of Android security professionals
- Broken Authorization due to security misconfigurations in Amazon Cognito
- Vulnerable Activity
- Vulnerable Broadcast Receiver
- Vulnerable Service
- SQL Injection through Content Provider
- Hard-Coded Secret
- Business Logic Flaw
- Insecure Coding Practices
Copyright (c) 2019 Appsecco Ltd.