Vulnerable Mobile Apps
📱 Best Vulnerable Mobile Apps for Learning Mobile App Pentesting
1. DVIA (Damn Vulnerable iOS App)
Platform: iOS
Covers: OWASP Mobile Top 10 — insecure storage, broken crypto, jailbreak detection, insecure logging, etc.
Run on: Jailbroken device or iOS simulator
2. DVIA-v2 (Damn Vulnerable iOS App v2)
Updated version of DVIA for modern iOS testing.
Newer examples: Secure Enclave, Face ID/Touch ID bypass, iOS 13+ support.
More realistic: Mimics real-world apps better.
3. Damn Vulnerable Android App (DVAA) / InsecureBank
Platform: Android
Focus: Client-side issues (hardcoded creds, insecure storage) & API vulnerabilities.
Great for: Burp Suite + Frida + reverse engineering practice.
4. MOBSF + Custom APKs
Tool: Mobile Security Framework (MobSF)
Use case: Scan real APKs or vulnerable ones like InsecureBank, DroidGoat.
Features: Static + dynamic + API testing (via emulator)
5. DroidGoat
Platform: Android
Focus: Full coverage of OWASP Mobile Top 10 for Android.
Includes: Insecure logging, WebView abuse, SSL pinning, insecure data storage, etc.
6. OWASP GoatDroid
Platform: Android
Architecture: Includes both app and vulnerable backend.
Covers: Authentication bypass, hardcoded credentials, insecure web services, etc.
Download: https://owasp.org/www-project-goatdroid/
7. Android-InsecureBank
Platform: Android
Includes: Backend + Android client with real-time insecure practices.
Great for API testing + MITM via Burp Suite.
🛠️ Tools You’ll Want for Mobile Pentesting
Burp Suite: Intercept mobile traffic, test insecure APIs
MobSF: Static + dynamic analysis of APKs & iOS apps
Frida: Instrument and hook mobile apps at runtime
Jadx / Apktool: Reverse engineer APKs
Objection: Mobile exploitation framework for Android/iOS
Genymotion or Android Emulator: Run test environments
Charles Proxy / mitmproxy: Alternative intercept proxies
Frida CodeShare: Reuse community Frida scripts
🔍 Online Platforms and Training for Mobile App Security
🔹 Mobile Security Testing Guide (MSTG by OWASP)
Comprehensive guide for Android/iOS security testing.
Includes test cases, tools, and how-to guides.
🔹 PentesterLab – Mobile Challenges
Real-world APK reverse engineering and insecure storage exercises.
Paid, but offers some free mobile challenges.
🔹 TryHackMe — Mobile Hacking Room
Offers a guided environment to test Android apps.
Topics: APK reverse engineering, insecure storage, Burp proxying.
🔹 HackTheBox — Mobile Challenges
CTF-style APKs and iOS apps to reverse or exploit.
Deeper cuts into vulnerable mobile apps, realistic mobile CTFs, and specialized tools you can use to sharpen your Android/iOS pentesting skills even further.
🔥 More Vulnerable Mobile Apps & CTFs (Android & iOS)
8. InsecureShop
Platform: Android
Focus: Multiple vulnerabilities — insecure storage, hardcoded secrets, root detection bypass, etc.
Challenges: Comes with in-app hints and challenge-based learning.
9. BodgeIt Store (Mobile API Backend)
What it is: Not a mobile app itself, but a vulnerable web service for which you can build a simple mobile client to test mobile API attacks.
Use case: Learn how broken APIs can be exploited from mobile apps.
10. Vulnerable Mobile Apps Collection (Awesome List)
A curated GitHub list of vulnerable Android and iOS apps from multiple projects.
Includes: DVIA, InsecureShop, GoatDroid, DroidGoat, OWASP projects, etc.
11. OWASP MSTG Test App (iOS & Android)
Companion app for the OWASP Mobile Security Testing Guide.
Includes real vulnerable code examples mapped to MSTG test cases.
12. AndroidCrackMe & iOSCrackMe Collections
Small apps designed to practice reverse engineering and logic bypasses.
Focus on: Authentication bypass, string decryption, Frida hooks.
Hosted under OWASP MSTG or CodeShare.
13. Reverse Engineering Challenges on CTF Platforms
These often include mobile apps (.apk or .ipa files):
🧪 Advanced Tools for Mobile Pentesting (Beyond the Basics)
Frida + Objection: Runtime instrumentation, bypassing root detection, SSL pinning
MobSF Dynamic Analysis + API Proxy: Hook into emulator or physical device
Needle (by MWR Labs): Full iOS pentesting framework (needs jailbroken device)
Apktool + JADX + Bytecode Viewer: Full APK decompilation & code inspection
QARK (Quick Android Review Kit): Static analysis for APKs
drozer (now archived): Android attack framework (good for exploiting IPC, content providers)
🧱 Setting Up Your Lab (If You Haven’t Already)
🖥️ For Android
Android Studio AVD (emulator)
Genymotion (GUI-friendly emulator)
MobSF (dynamic mode with emulator or Genymotion)
Burp Suite (with certificate installed on emulator/device)
Frida + Objection
🍏 For iOS (more complex)
Jailbroken device OR checkra1n-compatible test device
macOS + Xcode + iOS Simulator
Frida + Objection or Needle
Burp with proxy configuration