Wednesday, August 28, 2013

Want to break some Android apps?


1st off, Hi. I'm @jhaddix the newest guy on this blog...

Android app testing requires some diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server-side stuff with web services, and there are also times when you need to show failings in programmatic protections or features, which requires reversing, debugging, or patching skills.

To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):

In some cases the write-up and challenge starter info is included; in other cases you might have to Google around, as some of these CTFs are old.

** Should you need some help with configuring an Android pentest / Crackme environment, cktricky and CG have already written some pieces on that: http://carnal0wnage.attackresearch.com/search?q=android **

Hacme Bank Android - Foundstone 
http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx 

ExploitMe Android - Security Compass 
http://securitycompass.github.io/AndroidLabs/ 

InSecure Bank - Paladion 
http://www.paladion.net/downloadapp.html 

GoatDroid - OWASP and Nvisium Security
https://github.com/jackMannino/OWASP-GoatDroid-Project

IG Learner - Intrepidus Group 
https://play.google.com/store/apps/details?id=com.intrepidusgroup.learner 

Evil Planner Bsides Challenge and Mercury vulnerable test app - MWR Labs
https://labs.mwrinfosecurity.com/blog/2013/03/11/bsides-challenge/
https://labs.mwrinfosecurity.com/blog/2013/03/28/announcing-mercury-v2-2/

MoshZuk.apk 
Description - http://imthezuk.blogspot.com/2011/07/creating-vulnerable-android-application.html 
File - https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apk

Crackmes.de's and deurus's Android Crackmes 1-4 ++
http://crackmes.de/users/deurus/android_crackme01/ 
http://crackmes.de/users/deurus/android_crackme02/ 
http://crackmes.de/users/deurus/android_crackme03/ 
http://crackmes.de/users/deurus/android_crackme04/ 
http://crackmes.de/users/pnluck/android_signme/ 

Hackplayers.com Crackmes (in Spanish so an extra challenge) 
http://www.hackplayers.com/2010/12/reto-android-crackme1.html 
http://www.hackplayers.com/2011/12/reto-14-android-crackme2.html 

Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackmes
http://blog.w3challs.com/index.php?post/2012/07/02/NDH2k12-wargame-CrackMe-Android
http://blog.spiderboy.fr/tag/crackme/ 

Hack.Lu's CTF 2011 Reverse Engineering 300
http://shell-storm.org/repo/CTF/Hacklu-2011/Reversing/Space%20Station%200xB321054A%20(300)/

Androidcracking.blogspot.com's Crackmes
http://androidcracking.blogspot.com/2012/01/way-of-android-cracker-0-rewrite.html
http://androidcracking.blogspot.com/2010/10/way-of-android-cracker-1.html 

BlueBox Android Challenge 
http://bluebox.com/labs/android-security-challenge/

InsomniDroid 
Description - http://www.strazzere.com/blog/2012/03/488/ 
Partial Walkthrough - http://www.fortiguard.com/files/insomnichallenge.pdf 
(File) http://www.strazzere.com/crackmes/insomnidroid.apk

CSAW2011 CTF Android Challenges
Android 1 file - http://shell-storm.org/repo/CTF/CSAW-2011/Forensics/Android1%20-%20200%20Points/CSAW2011CTF.apk
Android 2 file - http://shell-storm.org/repo/CTF/CSAW-2011/Forensics/Android2%20-%20400%20Points/CSAW2011CTF.apk

Defcon 19 Quals b300 dex challenge
http://shell-storm.org/repo/CTF/Defcon-19-quals/Binary_L33tness/b300/b300_b258110ad2d6100c4b8

GreHack 2012 CTF Reverse Engineering 100
http://repo.shell-storm.org/CTF/GreHack-2012/reverse_engineering/100-GrehAndroidMe.apk/

Nullcon HackIM CTF 2012 RE 300
http://www.nullcon.net/challenge/data/Null%20Mobile.apk

C0C0N CTF 2011 RE level 100
http://www.nullcon.net/challenge/c0c0n/data/cocon_apk.zip

Atast CTF 2012 Bin 300
http://andromedactf.wordpress.com/2013/01/02/atast-ctf-2012-bin300chall5/

SecuInside 2011 CTF Level 7 (level 3 is also Android but I am unable to find the bin)
Write-up - http://codeengn.com/archive/Reverse%20Engineering/Solution%20-%20CTF/2011%20SECUINSIDE%20CTF%20Write-up%20%5BCMU%5D.pdf
File - http://big-daddy.fr/repository/CTF2011/SecuInside-CTF/Q7/WonderfulWidget.apk

Happy hacking! Don't hesitate to leave a comment on any other Android challenges you find =)
Jhaddix

4 comments:

trotmaster said...

There's also a good demo application called Sieve by MWR. Good for demonstrating vulnerable IPC end points.
https://labs.mwrinfosecurity.com/system/assets/380/original/sieve.apk
Details here:
https://labs.mwrinfosecurity.com/blog/2013/03/28/announcing-mercury-v2-2/

Anonymous said...

One for your list, contains full walkthrough - https://labs.mwrinfosecurity.com/blog/2013/07/04/bsides-challenge-walkthrough/

Jhaddix said...

Thanks! Updated the post.

Anonymous said...

You missed this:
zCrackMe2 - ARM Crackme by the Zimperium guys http://blog.zimperium.com/arm-crackme-competition/

Very good one