INTRODUCTION
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD0ib94ORihyN2-3MNW3vXkiVRFeXLnatB8elvo0oRs7qBBr6OjBML9oN-Omc5sh5XWEp3bhUjCsTl0Z-rhAzfNlev5vxkRsvWgQ39f2hpoIZaSSewg8dX8oAEB0M3JITR-juRJywNWELa/s1600/screenshot.18.jpg)
1 - What is DIVA?
- According to its developer, Aseem Jakhar, DIVA (Damn Insecure and Vulnerable App) is an Android application intentionally designed to be insecure.
https://github.com/payatu/diva-android
- The goal of DIVA is to teach developers and security professionals the flaws that commonly appear in apps because of poor or insecure coding practices.
- DIVA covers common vulnerability classes in Android apps: insecure logging, insecure storage, input validation, access control issues, and a few bugs in native code, so it exercises both Java and C vulnerabilities.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1mqazSH5kIct747oA3DP02CJvSgZD36L8dy10DdxeigwQfVjStCX5iSfsPA3BWgm0OJx4NWYT0YaVnsWX8xC15ztmvtqkXlPOrLHxHuogfnbShdkLoE-PjZTCBaM8byjvTarGiNBVMyoM/s1600/screenshot.1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvP0MGEigWoJGshJeAfTuAyfo9OPEo_4EPyIHsKm34Er_U9X4hwVeWXPU9VxoxIunVGzHfCF7uPDCfg_jmWRd5cEj7RhcmDB5KZWy0LptvyaQW-m2dtETmts6dCkJMJB37OktDg3agBfEg/s640/screenshot.2.jpg)
2 - Installing DIVA on the Android device from Santoku Linux
- Once the release archive has been downloaded and extracted on Santoku Linux, the file diva-beta.apk is available to install and analyze:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB__7ZqhIKv5ZTSThZfZE_OZZ9RXTPgqnEviDxrQ_TuzSN1psd0Lm2TO6c2b42o7oJEP9nvV8iFVBFffxHpuDqxZDdr-cRbmdmUet2YVmRsj5kCtQ0YJMR9XdugaJzG7YFQeuubLYd3sPN/s1600/screenshot.3.jpg)
- Santoku connects to the mobile device over USB with ADB (USB debugging must be enabled on the device and the RSA key prompt accepted, otherwise adb lists the device as unauthorized):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtwuB1kkT40iMr1R_oenN_wCzcVTFBpSxApmRUKPYZ8HqS81KKt58wYNUT6TcT6b5P3pbBSNZhhQrFYEn3I0HG2MdS2ILAzyEsCpEmdf-9e3Wm2jH1uui_toXMf3lwEDVBPji2JXWkoyTw/s1600/screenshot.4.jpg)
- Installing DIVA on the Nexus with ADB (Android Debug Bridge):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7PG9gHUvLoUkbVgOv4cnxdGUOXjQvVayVjnQlvENLs2-KNlS_UHrwI3_q6M_W9oz1ByqxskiLCR6qLN5a0oObVcDlwS_EZKpPVmeSPhltQiO7grBw0Q0g8H_RndfmJ8NsZFGUgoiwEyVd/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMuvnqW6M5_8Pu8Hm2WM9q9nn_zgMLiOgEp1UKwWzZJh99zmhq91PrJQK314bb0jEoMG6mFJe9aeLb2kmDJs_Lj9n6uMBHSokN0ffM_i5oYW7xpsa6Q53A1lClmjpKRfC9M34JGe559bQI/s640/screenshot.6.jpg)
- Launching the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0t8jxMo2OuodKQBogSEJ1YcJZT812u0jQ79uqKTagEP1Hza_AI9AyLTgEy2W_2aECn1b-7kbUAY4gVuHTSBuB7Sq6fUsPWX_qECLfAi6C4uth22EBvVHwac92L4QO6KhQmAJCthojWQn7/s400/screenshot.9.jpg)
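The install-and-launch sequence above, written as an added example script (not code from the original post or from the DIVA project) with the checks a tester wants before touching a device: the APK on disk matches the digest you recorded when you downloaded it (EXPECTED_SHA256 is a placeholder you fill in yourself), exactly one authorised device is attached, and the package really landed before it is launched. It assumes adb is on PATH and that the launcher activity is jakhar.aseem.diva.MainActivity, which is an assumption to confirm in the manifest once the APK is decompiled. The `adb devices` output embedded in it is constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the original post or from DIVA.
# Installs diva-beta.apk over ADB after checking the file, the device and the
# result. Assumptions: adb on PATH; launcher activity jakhar.aseem.diva.MainActivity.
set -eu

APK="${APK:-diva-beta.apk}"
PKG="${PKG:-jakhar.aseem.diva}"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"   # placeholder: digest of your own download

# SHA-256 of a file; GNU coreutils and BSD/macOS spell the tool differently.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit status 0 when the file digest equals the expected one, 1 otherwise.
verify_apk() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Reads `adb devices` output on stdin and prints how many entries are in the
# "device" state. "unauthorized" means the RSA prompt on the phone was not
# accepted; "offline" means the transport is broken. Neither can be installed to.
count_ready_in() {
    awk 'NR > 1 && $2 == "device" { n++ } END { print n + 0 }'
}

# Constructed sample of `adb devices` output (one ready device, one unauthorized).
ADB_DEVICES_SAMPLE="$(printf 'List of devices attached\n0123456789ABCDEF\tdevice\nZX1G22KHQK\tunauthorized\n')"

main() {
    [ -f "$APK" ] || { echo "missing $APK" >&2; return 1; }
    if [ -n "$EXPECTED_SHA256" ]; then
        verify_apk "$APK" "$EXPECTED_SHA256" || { echo "digest mismatch for $APK" >&2; return 1; }
    fi
    n="$(adb devices | count_ready_in)"
    [ "$n" = "1" ] || { echo "expected exactly one authorised device, found $n" >&2; return 1; }
    adb install -r "$APK"                                   # -r: replace an earlier install
    # pm prints "package:<name>"; strip CRs that older adb builds add to shell output
    adb shell pm list packages | tr -d '\r' | grep -qxF "package:$PKG" \
        || { echo "$PKG is not installed" >&2; return 1; }
    adb shell am start -n "$PKG/.MainActivity"
}

# Only touch a device when invoked as `sh install_diva.sh run`; running the
# file with no argument (or sourcing it) just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from the folder that holds diva-beta.apk with `sh install_diva.sh run`. Requiring exactly one ready device avoids installing onto whichever emulator or phone adb happens to pick when several are connected; if the Nexus shows as unauthorized, accept the debugging prompt on the screen and run again.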
- DIVA includes 13 challenges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixePV_HPdSpKerVXVDsiGIiF_3uXqc9MDd-5t6EQIimPThOmNe5RqJtgK6axZISJ6M80w1rQ_Jjczjt1XQaVv5Q0i1pLNNzffZjIP5Q5xuOH9NqfO3Aj6ikN69NrG-949O1gVodlKNBs_d/s1600/screenshot.10.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuzWKpvJMFhxwFhh2DBM6O1C0OErRzAtHyD1Ox2ymBqVVBaQzg9Ro6-aqbqKwaJj0euSJtBAci2sIibk01tNtlJ-3QSMphb2JFiyj0gWT8bcjI7TazKGQRbJXBy64NuvHeGFamf-RBH7B2/s400/screenshot.11.jpg)
3 - Decompiling, reversing and analyzing the application
- To study DIVA's source code the APK has to be decompiled, for instance with jadx, which turns the Dalvik bytecode back into readable Java:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4U-rVyFk6GSD-UZjygtQWQZokyGxmLmeg-a0bBB3Gp4joC19UKlNG-Rbq2ox5BNJDxH9XgOWYBXjbkRUludWsHp4zzW_wNZ7y2HUFbdouQfpxQ4laweKWdAtnwyLMZAuI90Nx7O-pRdV_/s1600/screenshot.10.jpg)
- Running jadx on diva-beta.apk. It reports some errors for methods it cannot fully decompile, but the run completes and the output is usable:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx_Pts5U_g8ceMsOTNXlSL03_SXoxDCXD6WNZWfqYF26g4TJTMXvtzvEgdlSWi9ydEDBavc89GZsvgGyasesmoo1CnICIJnjvdj1j1UDc_KE04RnaK9DtrfdW9DhUq6FNUaXGnnXWDR2Yi/s1600/screenshot.11.jpg)
- jadx writes its output to a new diva-beta folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyKBCIHsF3VCVx7ZnjKRneud-RVMldTesRu9w8q12D1_TsKAZRveJt_PEy5T4KDOHmxhMNdMmPoQkb8qchIH3NWV_ov4DSD4BykknRd2QMhZ41C8QnRhJOLt_O2FA_LS9uX9NEulR1aohg/s1600/screenshot.12.jpg)
- The diva-beta folder contains all the components of the application (decoded resources, including AndroidManifest.xml, and the decompiled Java sources):
- The manifest file shows that the application's package is jakhar.aseem.diva:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrxgG4_e9azWqFIOe4Bs3OY8dzfeotHL-tFICcx6EjkmBqbhU5OpFqsHeVRARoCpPlrN-WpumbbuZqGe7ELfvzW1OC3aNOGoHXHtos1-NYbhW5jaud8znmIMaRPx3nPg66bSlYWYciXB6/s1600/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitRREVYcaOwH3iors_-7qkSWIeAxjT3JZRkdG5IVcp6wfs96DlJAadgrSGuM1aEn8bkdi9ikQpXL-tqfYShWewfm8ogMc_0IpMjgYaLTVwheTlzs8w8B3EJ2s9SyGXVkwT7rOFNxewyrvX/s1600/screenshot.14.jpg)
- Following the folder path that mirrors the package name (jakhar/aseem/diva):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR4o-iFqEpTpiarRtH7Bjo6JY4_hH1zykPGV3vbciGW9CFkUnf-Zq_L8AJtdLejcarLUeZA5Il43kNsbDjECNwixfljX37NEK-nvILVkPujdiW7FtxLkFTdMHn__c1D0rDmwoXC6bJQYkA/s1600/screenshot.16.jpg)
- The innermost folder, diva, holds the Java source of every activity in the application, which will be very useful for solving each of DIVA's challenges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg07G2fSfzthzVN0H1dNlCscIFD0r5dbswA7gbatfuDwDCQEl7fCY7kCBeDVmm89hgKelxHIHwHjJq_j1V_paijpE0VkBSb7DqdjJ6PKhOwxlMPln_HE2Ki44UcVC9DHTDOk4DSoj05e5FR/s1600/screenshot.17.jpg)
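The whole of this section (run jadx, find the package in the manifest, follow it to the sources) as one added example script; it is not code from the original post, from jadx or from DIVA. Beyond what the screenshots show, it pulls out of the decoded manifest the list of components another app can reach, either because they carry android:exported="true" or because they declare an intent-filter, which makes them exported by default on the API levels of that era; that list is what later challenges on access control are aimed at. It assumes jadx is on PATH and keeps its default layout (`<out>/resources/AndroidManifest.xml`, `<out>/sources/...`). The manifest embedded in it is constructed for offline use and its component names are illustrative, not DIVA's real ones.

```shell
#!/bin/sh
# Added example, not code from the original post, jadx or DIVA.
# Decompiles the APK and triages the decoded manifest: package name, source
# folder, count of decompile warnings, and components reachable from other apps.
# Assumption: jadx on PATH with its default output layout.
set -eu

APK="${APK:-diva-beta.apk}"
OUT="${OUT:-diva-beta}"

# Print the package attribute of the <manifest> element read from stdin.
manifest_package() {
    tr '\n' ' ' | sed -n 's/.*<manifest[^>]*package="\([^"]*\)".*/\1/p'
}

# List components reachable from other apps. Reads a manifest on stdin; $1 is
# the package name, used to expand relative names such as ".MainActivity".
# Output lines: "<kind> <fully.qualified.Name> - <why it is reachable>"
list_components() {
    tr '\n' ' ' | awk -v pkg="$1" '
        function fq(n) { return (substr(n, 1, 1) == ".") ? (pkg n) : n }
        function flush(    why) {
            if (cur == "") return
            if (exported == "true")
                why = "android:exported=true"
            else if (exported == "" && filt)
                why = "implicit (has intent-filter)"
            else if (exported == "" && kind == "provider")
                why = "no exported attr: exported by default when targetSdkVersion < 17"
            else
                why = ""
            if (why != "") print kind, fq(cur), "-", why
            cur = ""
        }
        BEGIN { RS = "<" }                       # one XML tag per record
        $0 ~ "^(activity|activity-alias|service|receiver|provider)[ />]" {
            flush()                              # emit the previous component, if any
            split($0, t, "[ />]"); kind = t[1]; cur = ""; exported = ""; filt = 0
            if (match($0, /android:name="[^"]*"/))
                cur = substr($0, RSTART + 14, RLENGTH - 15)
            if (match($0, /android:exported="[^"]*"/))
                exported = substr($0, RSTART + 18, RLENGTH - 19)
            if ($0 ~ "/> *$") flush()            # self-closing tag: nothing nested
            next
        }
        /^intent-filter[ >]/ { filt = 1 }
        $0 ~ "^/(activity|activity-alias|service|receiver|provider)>" { flush() }
        END { flush() }
    '
}

# Constructed sample manifest in the shape jadx decodes; names are illustrative.
SAMPLE_MANIFEST='<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="jakhar.aseem.diva">
    <application android:label="Diva">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".InternalOnlyActivity" android:exported="false"/>
        <activity android:name=".ReachableActivity" android:exported="true"/>
        <provider android:name=".NotesProvider" android:authorities="jakhar.aseem.diva.notes"/>
    </application>
</manifest>'

main() {
    [ -d "$OUT" ] || jadx -d "$OUT" "$APK"      # -d: output directory; reuse an earlier run
    manifest="$OUT/resources/AndroidManifest.xml"
    pkg="$(manifest_package < "$manifest")"
    echo "package: $pkg"
    echo "sources: $OUT/sources/$(echo "$pkg" | tr . /)"
    # jadx marks methods it could not fully decompile with a "JADX WARN" comment;
    # counting the affected files shows what the console errors actually cost.
    echo "files with jadx warnings: $(grep -rl 'JADX WARN' "$OUT/sources" | wc -l | tr -d ' ')"
    echo "components reachable from other apps:"
    list_components "$pkg" < "$manifest"
}

# Only run jadx when invoked as `sh triage_diva.sh run`; with no argument the
# file just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run `sh triage_diva.sh run` next to diva-beta.apk. The "implicit" rule reflects the platform behaviour for apps of DIVA's vintage; since Android 12 (API 31) a component with an intent-filter must declare android:exported explicitly, so on a modern target the attribute, not the filter, is the thing to read.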