Guide: https://rewanthtammana.com/damn-vulnerable-bank/
Damn Vulnerable Bank is designed to be an intentionally vulnerable android application. Numerous resources are available on the internet to get started with android application security. This application provides an interface to assess the security knowledge you gained over time. There are multiple vulnerabilities in the application and we documented all of them in this guide. Take your own sweet time to explore the application and detect all the vulnerabilities.
- Sign up
- Login
- My profile interface
- Change password
- Settings interface to update backend URL
- Add fingerprint check before transferring/viewing funds
- Add pin check before transferring/viewing funds
- View balance
- Transfer money
- Via manual entry
- Via QR scan
- Add beneficiary
- Delete beneficiary
- View beneficiary
- View transactions history
- Download transactions history
To keep things crisp and interesting, we hidden this section. Do not toggle this button if you want a fun and challenging experience. Try to explore the application, find all the possible vulnerabilities and then cross check your findings with this list.
Spoiler Alert
- Root and emulator detection
- Anti-debugging checks (prevents hooking with frida, jdb, etc)
- SSL pinning - pin the certificate/public key
- Obfuscate the entire code
- Encrypt all requests and responses
- Hardcoded sensitive information
- Logcat leakage
- Insecure storage (saved credit card numbers maybe)
- Exported activities
- JWT token
- Webview integration
- Deep links
- IDOR
- Add profile and change-password routes
- Create different secrets for admin and other users
- Add dynamic generation of secrets to verify JWT tokens
- Introduce bug in jwt verification
- Find a way to store database and mount it while using docker
- Dockerize environment
Thanks to these amazing people
| Rewanth Tammana (Rest API) | Github | |
| Akshansh Jaiswal (Android App) | Github | |
| Hrushikesh Kakade (Android App & Containerization) | Github |