GithubHelp home page GithubHelp logo

isabella232 / mstg-hacking-playground Goto Github PK

View Code? Open in Web Editor NEW

This project forked from owasp/mastg-hacking-playground

0.0 0.0 0.0 76.14 MB

License: GNU General Public License v3.0

Java 50.74% HTML 1.05% C 0.50% JavaScript 0.11% CMake 0.35% Kotlin 8.47% Dockerfile 0.26% Ruby 25.62% Swift 12.89%

mstg-hacking-playground's Introduction

MSTG Hacking Playground

Project Description

Welcome to the MSTG Playground. This is a collection of iOS and Android mobile apps, that are intentionally build insecure. These apps are used as examples to demonstrate different vulnerabilities explained in the the OWASP Mobile Security Testing Guide. The current release of the OWASP Mobile Security Testing Guide (MSTG) can be found here.

In order to give practical guidance to developers, security researches and penetration testers, a hacking playground was created that consists of different mobile App’s that contain different vulnerabilities that map to the MSTG test cases (there is no full coverage of all test cases, but you are invited to share your apps or extend the existing ones ;-)). This has two advantages:

  • A developer can identify vulnerable code in the provided App’s and can see the implications and risks if such patterns are used and can look for the best practices in the MSTG to mitigate the vulnerabilities.
  • Penetration testers / security researchers can identify bad practices, dangerous methods and classes they should look for when assessing a Mobile App and can gain more knowledge through the information provided in the MSTG.

It is also encouraged to use the App(s) for education purpose during trainings and workshops.

If you want to contribute to the MSTG, please look here or you can talk to us directly in the OWASP Slack Channel.

You are invited to extend the existing apps or even create your own one. Please ping Sven for any questions.

Android

MSTG Android Java App

The sources can be found here: https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App

Installation

This app is compatible with Android 4.4 and up. Once you checkout the repo you can install the debug build:

$ adb install Android/MSTG-Android-Java-App/app/build/outputs/apk/debug/app-debug.apk

The APK is also available in the release page.

Screenshot of app:

Test cases mapped to MSTG

Available Test Cases

Check the Wiki for a description of all available test cases in the MSTG-Android-Java-App.

MSTG Android Kotlin App

The sources can be found here: https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/Android/MSTG-Android-Kotlin-App

Installation

In order to use the Kotlin App you need to deploy the Ruby on Rails backend

This app is compatible with Android 4.4 and up. Once you checkout the repo you can install the debug build:

$ adb install Android/MSTG-Android-Kotlin-App/app/build/outputs/apk/debug/app-debug.apk

The APK is also available in the release page.

Android Studio

Open the project directories Android/MSTG-Android-Kotlin-App/ or Android/MSTG-Android-Java-App/ in Android Studio. The apps can be compiled with Android Studio 3.5 (tested).

In order to get the MSTG-Android-Java-App running, besides the Android SDK, also the Android NDK needs to be available. If the NDK is not available, Android Studio will ask to download or specify a local path for the NDK when the project is opened. If parts of the SDK are missing, a prompt should show up to install the additional requirements. Afterwards the App can be build and can be run in an emulator or mobile device.

iOS

MSTG iOS Swift App

The sources can be found here: https://github.com/OWASP/MSTG-Hacking-Playground/tree/master/iOS/MSTG-JWT

Installation

In order to use the iOS App you need to deploy the Ruby on Rails backend

The IPA is also available in the release page.

There are several ways available on how to install an IPA; have a look at the MSTG to identify which one is the best for you.

Issues with the Hacking Playground

Currently, the code is being maintained by @sushi2k. If the app does not boot, or if there is another bug: file an issue at this repository.

Mobile Security Crackmes

Did you enjoy the Playground? There is more:

Go to the MSTG Crackmes and find out!

There are also various solutions available for the Crackmes, that can guide you through the reverse engineering process.

License

This project is using the GNU General Public License v3.0.

Acknowledgements

Wen Bin Kong (@kongwenbin) Nikhil Soni (@nikhil) Ryan Teoh (@ryantzj)

mstg-hacking-playground's People

Contributors

andycybersec avatar commjoen avatar jason-cooke avatar krsoninikhil avatar r-l-ee avatar rdewolfnviso avatar sushi2k avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.