The Carnal0wnage blog has put up a nice summary of Android hackme/crackme challenges for those interested.

http://carnal0wnage.attackresearch.com/2013/08/want-to-break-some-android-apps.html

 

Have fun!

 

--------------------------------------------

 

Android App testing requires some diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server side stuff with web services, and there's also times when you need to show failings in programmatic protections or features which requires reversing, debugging, or patching skills.To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):In some cases the write-up and challenge starter info is included, in other cases you might have to Google around as some of these CTF's are old.** Should you need some help with configuring an Android pentest / Crackme environment, cktricky  and CG have already written some pieces on that: http://carnal0wnage.attackresearch.com/search?q=android **Android App testing requires some diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server side stuff with web services, and there's also times when you need to show failings in programmatic protections or features which requires reversing, debugging, or patching skills.To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):In some cases the write-up and challenge starter info is included, in other cases you might have to Google around as some of these CTF's are old.** Should you need some help with configuring an Android pentest / Crackme environment, cktricky  and CG have already written some pieces on that: http://carnal0wnage.attackresearch.com/search?q=android **Hacme Bank Android - Foundstone
http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspxExploitMe Android - Security Compass
http://securitycompass.github.io/AndroidLabs/InSecure Bank - Paladion
http://www.paladion.net/downloadapp.htmlGoatDroid - OWASP and Nvisium Security
https://github.com/jackMannino/OWASP-GoatDroid-ProjectIG Learner - Intrepidus Group
https://play.google.com/store/apps/details?id=com.intrepidusgroup.learnerMoshZuk.apk
Description - http://imthezuk.blogspot.com/2011/07/creating-vulnerable-android-application.html
File - https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apkCrackme.de’s and deurus's Android Crackmes 1-4 ++
http://crackmes.de/users/deurus/android_crackme01/
http://crackmes.de/users/deurus/android_crackme02/
http://crackmes.de/users/deurus/android_crackme03/
http://crackmes.de/users/deurus/android_crackme04/
http://crackmes.de/users/pnluck/android_signme/Hackplayers.com Crackmes (in Spanish so an extra challenge)
http://www.hackplayers.com/2010/12/reto-android-crackme1.html
http://www.hackplayers.com/2011/12/reto-14-android-crackme2.htmlNuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’s
http://blog.w3challs.com/index.php?post/2012/07/02/NDH2k12-wargame-CrackMe-Android
http://blog.spiderboy.fr/tag/crackme/Hack.Lu's CTF 2011 Reverse Engineering 300
http://shell-storm.org/repo/CTF/Hacklu-2011/Reversing/Space%20Station%200xB321054A%20(300)/Androidcracking.blogspot.com's Crackme’s
http://androidcracking.blogspot.com/2012/01/way-of-android-cracker-0-rewrite.html
http://androidcracking.blogspot.com/2010/10/way-of-android-cracker-1.htmlBlueBox Android Challenge
http://bluebox.com/labs/android-security-challenge/InsomniDroid
Description - http://www.strazzere.com/blog/2012/03/488/
Partial Walkthrough - http://www.fortiguard.com/files/insomnichallenge.pdf
(File) http://www.strazzere.com/crackmes/insomnidroid.apkCSAW2011 CTF Android Challenges
Android 1 file - http://shell-storm.org/repo/CTF/CSAW-2011/Forensics/Android1%20-%20200%20Points/CSAW2011CTF.apk
Android 2 file - http://shell-storm.org/repo/CTF/CSAW-2011/Forensics/Android2%20-%20400%20Points/CSAW2011CTF.apkDefcon 19 Quals b300 dex challenge
http://shell-storm.org/repo/CTF/Defcon-19-quals/Binary_L33tness/b300/b300_b258110ad2d6100c4b8GreHack 2012 Reverse Engineering 100
http://repo.shell-storm.org/CTF/GreHack-2012/reverse_engineering/100-GrehAndroidMe.apk/Nullcon HackIM 2012 RE 300
http://www.nullcon.net/challenge/data/Null%20Mobile.apkC0C0N 2011 RE level 100
http://www.nullcon.net/challenge/c0c0n/data/cocon_apk.zipAtast CTF 2012 Bin 300
http://andromedactf.wordpress.com/2013/01/02/atast-ctf-2012-bin300chall5/SecuInside 2011 CTF Level 7 (level 3 is also android but i am unable to find the bin)
Witeup - http://codeengn.com/archive/Reverse%20Engineering/Solution%20-%20CTF/2011%20SECUINSIDE%20CTF%20Write-up%20%5BCMU%5D.pdf
File - http://big-daddy.fr/repository/CTF2011/SecuInside-CTF/Q7/WonderfulWidget.apk

Edited August 29, 201311 yr by Loki

latest on the list is dexgaurd any one who can defeat it and can make tutorial ?

 

it encode everthing like class,assets,resouce in arrays and decode it at runtime so reallt need tutorials from pro crakcer ?

 

even decompiling from apktool wont work

Android Hackmes are intentionally vulnerable Android applications designed for security training and penetration testing. They help developers and ethical hackers practice identifying and exploiting security flaws in mobile apps, such as insecure storage, weak encryption, or improper authentication. They're often used in CTFs (Capture The Flag) and learning platforms like Hack The Box or OverTheWire.