Vulnerable Mobile Apps

📱 Best Vulnerable Mobile Apps for Learning Mobile App Pentesting

1. DVIA (Damn Vulnerable iOS App)

• Platform: iOS

• Covers: OWASP Mobile Top 10 — insecure storage, broken crypto, jailbreak detection, insecure logging, etc.

• Run on: Jailbroken device or iOS simulator

• GitHub: https://github.com/prateek147/DVIA-v2

---

2. DVIA-v2 (Damn Vulnerable iOS App v2)

• Updated version of DVIA for modern iOS testing.

• Newer examples: Secure enclave, FaceID/TouchID bypass, iOS 13+ support.

• More realistic: Mimics real-world apps better.

• GitHub: https://github.com/appsecco/dvios

---

3. Damn Vulnerable Android App (DVAA) / InsecureBank

• Platform: Android

• Focus: Client-side issues (hardcoded creds, insecure storage) & API vulnerabilities.

• Great for: Burp Suite + Frida + reverse engineering practice.

• GitHub: https://github.com/PolarisLab/InsecureBankv2

---

4. MOBSF + Custom APKs

• Tool: Mobile Security Framework (MobSF)

• Use case: Scan real APKs or vulnerable ones like InsecureBank, DroidGoat.

• Features: Static + dynamic + API testing (via emulator)

• GitHub: https://github.com/MobSF/Mobile-Security-Framework-MobSF

---

5. DroidGoat

• Platform: Android

• Focus: Full coverage of OWASP Mobile Top 10 for Android.

• Includes: Insecure logging, WebView abuse, SSL pinning, insecure data storage, etc.

• GitHub: https://github.com/droidgoat/DroidGoat

---

6. OWASP GoatDroid

• Platform: Android

• Architecture: Includes both app and vulnerable backend.

• Covers: Authentication bypass, hardcoded credentials, insecure web services, etc.

• Download: https://owasp.org/www-project-goatdroid/

---

7. Android-InsecureBank

• Platform: Android

• Includes: Backend + Android client with real-time insecure practices.

• Great for API testing + MITM via Burp Suite.

• GitHub: https://github.com/dineshshetty/Android-InsecureBankv2

---

🛠️ Tools You’ll Want for Mobile Pentesting

Tool	Purpose
Burp Suite	Intercept mobile traffic, test insecure APIs
MobSF	Static + dynamic analysis of APKs & iOS apps
Frida	Instrument and hook mobile apps at runtime
Jadx / Apktool	Reverse engineer APKs
Objection	Mobile exploitation framework for Android/iOS
Genymotion or Android Emulator	Run test environments
Charles Proxy / MITMProxy	Alternative intercept proxies
Frida CodeShare	Reuse community Frida scripts

---

🔍 Online Platforms and Training for Mobile App Security

🔹 Mobile Security Testing Guide (MSTG by OWASP)

• Comprehensive guide for Android/iOS security testing.

• Includes test cases, tools, and how-to guides.

• https://owasp.org/www-project-mobile-security-testing-guide/

---

🔹 PentesterLab – Mobile Challenges

• Real-world APK reverse engineering and insecure storage exercises.

• Paid, but offers some free mobile challenges.

• https://pentesterlab.com

---

🔹 TryHackMe — Mobile Hacking Room

• Offers a guided environment to test Android apps.

• Topics: APK reverse engineering, insecure storage, Burp proxying.

• https://tryhackme.com

---

🔹 HackTheBox — Mobile Challenges

• CTF-style APKs and iOS apps to reverse or exploit.

• https://hackthebox.com

---

Absolutely — here’s more for you: deeper cuts into vulnerable mobile apps, realistic mobile CTFs, and specialized tools you can use to sharpen your Android/iOS pentesting skills even further.

---

🔥 More Vulnerable Mobile Apps & CTFs (Android & iOS)

8. InsecureShop

• Platform: Android

• Focus: Multiple vulnerabilities — insecure storage, hardcoded secrets, root detection bypass, etc.

• Challenges: Comes with in-app hints and challenge-based learning.

• GitHub: https://github.com/ajinabraham/InsecureShop

---

9. BodgeIt Store (Mobile API Backend)

• What it is: While not a mobile app itself, you can build a simple mobile client for this vulnerable web service to test mobile API attacks.

• Use case: Learn how broken APIs can be exploited from mobile apps.

• GitHub: https://github.com/psiinon/bodgeit

---

10. Vulnerable Mobile Apps Collection (Awesome List)

• A curated GitHub list of vulnerable Android and iOS apps from multiple projects.

• Includes: DVIA, InsecureShop, GoatDroid, DroidGoat, OWASP projects, etc.

• GitHub: https://github.com/josephd10/awesome-vulnerable-apps#mobile-apps

---

11. OWASP MSTG Test App (iOS & Android)

• Companion app for the OWASP Mobile Security Testing Guide.

• Includes real vulnerable code examples mapped to MSTG test cases.

• GitHub:

  • Android: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/Android

  • iOS: https://github.com/OWASP/owasp-mstg/tree/master/Crackmes/iOS

---

12. AndroidCrackMe & iOSCrackMe Collections

• Small apps designed to practice reverse engineering and logic bypasses.

• Focus on: Authentication bypass, string decryption, Frida hooks.

• Hosted under OWASP MSTG or CodeShare.

---

13. Reverse Engineering Challenges on CTF Platforms

These often include mobile apps (.apk or .ipa files):

---

🧪 Advanced Tools for Mobile Pentesting (Beyond the Basics)

Tool	Use Case
Frida + Objection	Runtime instrumentation, bypassing root detection, SSL pinning
MobSF Dynamic Analysis + API Proxy	Hook into emulator or physical device
Needle (by MWR Labs)	Full iOS pen testing framework (needs jailbroken device)
Apktool + JADX + Bytecode Viewer	Full APK decompilation & code inspection
QARK (Quick Android Review Kit)	Static analysis for APKs
drozer (now archived)	Android attack framework (good for exploiting IPC, content providers)

---

🧱 Setting Up Your Lab (If You Haven’t Already)

🖥️ For Android

• Android Studio AVD (emulator)

• Genymotion (GUI-friendly emulator)

• MobSF (dynamic mode with emulator or Genymotion)

• Burp Suite (with certificate installed on emulator/device)

• Frida + Objection

🍏 For iOS (more complex)

• Jailbroken device OR checkra1n-compatible test device

• macOS + Xcode + iOS Simulator

• Frida + Objection or Needle

• Burp with proxy configuration

---