Saturday, December 31, 2016

ANDROID PT - DIVA / 0 - Introduction


- Layout for this exercise:

1 - What is DIVA? 

- According with the developer Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an application intentionally designed to be insecure.

- The goal of DIVA is to teach developers and security professionals flaws that are generally present in the Apps, due to poor or insecure coding practices.

- DIVA covers common vulnerabilities in Android apps, ranging from insecure logging , insecure storage, input validation, access control issues, and also a few vulnerabilities in native code, which makes it more interesting from the perspective of covering both Java and C vulnerabilities.

2 - Installing DIVA from Santoku Linux to Android device

- Once downloaded and extracted the application to Santoku Linux, the file diva-beta.apk is available to be used and analyzed:

- Santoku connects to the mobile device:

- Installing DIVA on Nexus, using ADB (Android Debug Bridge):

- Launching the application:

- DIVA includes 13 challenges:

3 - Decompiling, reversing and analyzing the application

- To analyze and operate with DIVA's source code it is essential to decompile the application, for instance with jadx:

- Executing jadx over diva-beta.apk. Although displaying some errors, the final result is successful:

- As a result of executing jadx a diva-beta folder is created:

- The folder diva-beta contains all the components of the application:

- The manifest file tells that the package of the application is jakhar.assem.diva:

- Going down the path of the folders indicated by the package:

- Once reached to the inner folder diva, there is the Java source code of all the activities used by the application, which will be very useful to find a solution to each of the DIVA's challenges: