Saturday, December 31, 2016

ANDROID PT - DIVA / 0 - Introduction

INTRODUCTION

- Layout for this exercise:

1 - What is DIVA? 

- According to its developer, Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an application intentionally designed to be insecure.

https://github.com/payatu/diva-android

- The goal of DIVA is to teach developers and security professionals the flaws that are commonly present in apps as a result of poor or insecure coding practices.

- DIVA covers common vulnerabilities in Android apps, including insecure logging, insecure storage, input validation and access control issues, as well as a few vulnerabilities in native code, which makes it more interesting because it covers both Java and C vulnerabilities.

2 - Installing DIVA from Santoku Linux to Android device

- Once the application has been downloaded and extracted on Santoku Linux, the file diva-beta.apk is available to be installed and analyzed:

- Santoku connects to the mobile device:

- Installing DIVA on the Nexus using ADB (Android Debug Bridge):

- Launching the application:

- DIVA includes 13 challenges:

3 - Decompiling, reversing and analyzing the application

- To analyze and work with DIVA's source code it is essential to decompile the application, for instance with jadx:

- Executing jadx on diva-beta.apk: although some errors are displayed, the final result is successful:

- As a result of executing jadx, a diva-beta folder is created:

- The folder diva-beta contains all the components of the application:

- The manifest file shows that the package name of the application is jakhar.aseem.diva:

- Following the folder path indicated by the package name:

- Once the innermost folder, diva, is reached, it contains the Java source code of all the activities used by the application, which will be very useful for finding a solution to each of DIVA's challenges:
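- The whole procedure from sections 2 and 3 (decompile with jadx, read the package name from the decompiled manifest, locate the activity sources, then install and launch on the device with ADB) as a POSIX shell script. This is an added example, not code from the original post or the DIVA project; it assumes jadx and adb are on PATH and that the APK is passed as the first argument. Run with no arguments, it only exercises the manifest parsing on a small constructed manifest that reuses the package name jakhar.aseem.diva:

```shell
#!/bin/sh
# Assumptions: jadx and adb on PATH; "$1" is the APK (e.g. diva-beta.apk).
set -eu

# Step 3: decompile the APK; jadx names the output folder after the APK.
decompile() {            # $1 = apk, $2 = output directory
    jadx -d "$2" "$1"
}

# Extract the package attribute of <manifest>. The file is collapsed to one
# line first so the attribute is found even if jadx splits it across lines.
package_from_manifest() {  # reads AndroidManifest.xml on stdin
    tr '\n' ' ' | sed -n 's/.*<manifest[^>]*package="\([^"]*\)".*/\1/p'
}

# Turn a dotted package name into the folder path that holds its sources.
source_dir_for_package() {  # $1 = package name
    printf '%s\n' "$1" | tr '.' '/'
}

# Step 2: install the APK and launch it by package name (one LAUNCHER event).
install_and_launch() {   # $1 = apk, $2 = package name
    adb install -r "$1"
    adb shell monkey -p "$2" -c android.intent.category.LAUNCHER 1
}

# Constructed sample manifest (not the real DIVA manifest) for offline use.
SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="jakhar.aseem.diva">
    <application android:label="Diva" />
</manifest>'

demo_package() {
    printf '%s\n' "$SAMPLE_MANIFEST" | package_from_manifest
}

if [ "$#" -ge 1 ]; then
    apk=$1
    out=${apk%.apk}                      # diva-beta for diva-beta.apk
    decompile "$apk" "$out"
    manifest=$(find "$out" -name AndroidManifest.xml | head -n 1)
    pkg=$(package_from_manifest < "$manifest")
    echo "package: $pkg"
    # Print the folder that holds the decompiled activities, wherever jadx put it.
    find "$out" -type d -path "*/$(source_dir_for_package "$pkg")"
    install_and_launch "$apk" "$pkg"
else
    echo "package from sample manifest: $(demo_package)"
fi
```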