Wednesday, August 28, 2013

Want to break some Android apps?

1st off, Hi. I'm @jhaddix the newest guy on this blog...

Android app testing requires diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server-side stuff with web services, and there are also times when you need to show failings in programmatic protections or features, which requires reversing, debugging, or patching skills.

To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):

In some cases the write-up and challenge starter info is included; in other cases you might have to Google around, as some of these CTFs are old.

** Should you need some help with configuring an Android pentest / Crackme environment, cktricky and CG have already written some pieces on that: **

Hacme Bank Android - Foundstone 

ExploitMe Android - Security Compass 

InSecure Bank - Paladion 

GoatDroid - OWASP and Nvisium Security

IG Learner - Intrepidus Group 

Evil Planner Bsides Challenge and Mercury vulnerable test app - MWR Labs

Description - 
File -

’s and deurus's Android Crackmes 1-4 ++ Crackmes (in Spanish so an extra challenge)

Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackmes

Hack.Lu's CTF 2011 Reverse Engineering 300's Crackmes

BlueBox Android Challenge

Description - 
Partial Walkthrough - 

CSAW2011 CTF Android Challenges
Android 1 file -
Android 2 file -

Defcon 19 Quals b300 dex challenge

GreHack 2012 CTF Reverse Engineering 100

Nullcon HackIM CTF 2012 RE 300

C0C0N CTF 2011 RE level 100

Atast CTF 2012 Bin 300

SecuInside 2011 CTF Level 7 (level 3 is also Android but I am unable to find the bin)
Writeup -
File -

Happy hacking! Don't hesitate to leave a comment on any other Android challenges you find =)