Posted August 29, 201311 yr The Carnal0wnage blog has put up a nice summary of Android hackme/crackme challenges for those interested.http://carnal0wnage.attackresearch.com/2013/08/want-to-break-some-android-apps.html Have fun! -------------------------------------------- Android App testing requires some diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server side stuff with web services, and there's also times when you need to show failings in programmatic protections or features which requires reversing, debugging, or patching skills.To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):In some cases the write-up and challenge starter info is included, in other cases you might have to Google around as some of these CTF's are old.** Should you need some help with configuring an Android pentest / Crackme environment, cktricky and CG have already written some pieces on that: http://carnal0wnage.attackresearch.com/search?q=android **Android App testing requires some diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server side stuff with web services, and there's also times when you need to show failings in programmatic protections or features which requires reversing, debugging, or patching skills.To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):In some cases the write-up and challenge starter info is included, in other cases you might have to Google around as some of these CTF's are old.** Should you need some help with configuring an Android pentest / Crackme environment, cktricky and CG have already written some pieces on that: http://carnal0wnage.attackresearch.com/search?q=android **Hacme Bank Android - Foundstonehttp://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspxExploitMe Android - Security Compasshttp://securitycompass.github.io/AndroidLabs/InSecure Bank - Paladionhttp://www.paladion.net/downloadapp.htmlGoatDroid - OWASP and Nvisium Securityhttps://github.com/jackMannino/OWASP-GoatDroid-ProjectIG Learner - Intrepidus Grouphttps://play.google.com/store/apps/details?id=com.intrepidusgroup.learnerMoshZuk.apkDescription - http://imthezuk.blogspot.com/2011/07/creating-vulnerable-android-application.htmlFile - https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apkCrackme.de’s and deurus's Android Crackmes 1-4 ++http://crackmes.de/users/deurus/android_crackme01/http://crackmes.de/users/deurus/android_crackme02/http://crackmes.de/users/deurus/android_crackme03/http://crackmes.de/users/deurus/android_crackme04/http://crackmes.de/users/pnluck/android_signme/Hackplayers.com Crackmes (in Spanish so an extra challenge)http://www.hackplayers.com/2010/12/reto-android-crackme1.htmlhttp://www.hackplayers.com/2011/12/reto-14-android-crackme2.htmlNuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’shttp://blog.w3challs.com/index.php?post/2012/07/02/NDH2k12-wargame-CrackMe-Androidhttp://blog.spiderboy.fr/tag/crackme/Hack.Lu's CTF 2011 Reverse Engineering 300http://shell-storm.org/repo/CTF/Hacklu-2011/Reversing/Space%20Station%200xB321054A%20(300)/Androidcracking.blogspot.com's Crackme’shttp://androidcracking.blogspot.com/2012/01/way-of-android-cracker-0-rewrite.htmlhttp://androidcracking.blogspot.com/2010/10/way-of-android-cracker-1.htmlBlueBox Android Challengehttp://bluebox.com/labs/android-security-challenge/InsomniDroidDescription - http://www.strazzere.com/blog/2012/03/488/Partial Walkthrough - http://www.fortiguard.com/files/insomnichallenge.pdf(File) http://www.strazzere.com/crackmes/insomnidroid.apkCSAW2011 CTF Android ChallengesAndroid 1 file - http://shell-storm.org/repo/CTF/CSAW-2011/Forensics/Android1%20-%20200%20Points/CSAW2011CTF.apkAndroid 2 file - http://shell-storm.org/repo/CTF/CSAW-2011/Forensics/Android2%20-%20400%20Points/CSAW2011CTF.apkDefcon 19 Quals b300 dex challengehttp://shell-storm.org/repo/CTF/Defcon-19-quals/Binary_L33tness/b300/b300_b258110ad2d6100c4b8GreHack 2012 Reverse Engineering 100http://repo.shell-storm.org/CTF/GreHack-2012/reverse_engineering/100-GrehAndroidMe.apk/Nullcon HackIM 2012 RE 300http://www.nullcon.net/challenge/data/Null%20Mobile.apkC0C0N 2011 RE level 100http://www.nullcon.net/challenge/c0c0n/data/cocon_apk.zipAtast CTF 2012 Bin 300http://andromedactf.wordpress.com/2013/01/02/atast-ctf-2012-bin300chall5/SecuInside 2011 CTF Level 7 (level 3 is also android but i am unable to find the bin)Witeup - http://codeengn.com/archive/Reverse%20Engineering/Solution%20-%20CTF/2011%20SECUINSIDE%20CTF%20Write-up%20%5BCMU%5D.pdfFile - http://big-daddy.fr/repository/CTF2011/SecuInside-CTF/Q7/WonderfulWidget.apk Edited August 29, 201311 yr by Loki
November 11, 201410 yr latest on the list is dexgaurd any one who can defeat it and can make tutorial ? it encode everthing like class,assets,resouce in arrays and decode it at runtime so reallt need tutorials from pro crakcer ? even decompiling from apktool wont work
June 16Jun 16 Android Hackmes are intentionally vulnerable Android applications designed for security training and penetration testing. They help developers and ethical hackers practice identifying and exploiting security flaws in mobile apps, such as insecure storage, weak encryption, or improper authentication. They're often used in CTFs (Capture The Flag) and learning platforms like Hack The Box or OverTheWire.
Create an account or sign in to comment