- Layout for this exercise:
1 - What is DIVA?
- According with the developer Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an application intentionally designed to be insecure.
- The goal of DIVA is to teach developers and security professionals flaws that are generally present in the Apps, due to poor or insecure coding practices.
- DIVA covers common vulnerabilities in Android apps, ranging from insecure logging , insecure storage, input validation, access control issues, and also a few vulnerabilities in native code, which makes it more interesting from the perspective of covering both Java and C vulnerabilities.
2 - Installing DIVA from Santoku Linux to Android device
- Once downloaded and extracted the application to Santoku Linux, the file diva-beta.apk is available to be used and analyzed:
- Santoku connects to the mobile device:
- Installing DIVA on Nexus, using ADB (Android Debug Bridge):
- Launching the application:
- DIVA includes 13 challenges:
3 - Decompiling, reversing and analyzing the application
- To analyze and operate with DIVA's source code it is essential to decompile the application, for instance with jadx:
- Executing jadx over diva-beta.apk. Although displaying some errors, the final result is successful:
- As a result of executing jadx a diva-beta folder is created:
- The folder diva-beta contains all the components of the application:
- The manifest file tells that the package of the application is jakhar.assem.diva:
- Going down the path of the folders indicated by the package:
- Once reached to the inner folder diva, there is the Java source code of all the activities used by the application, which will be very useful to find a solution to each of the DIVA's challenges: