SlideShare a Scribd company logo

Meet the DIVA - by: Sandeep & Ankit

OWASP Delhi
OWASP Delhi

DIVAs is an Android app created by Aseem Jakhar that contains intentional security vulnerabilities for developers to find and address. It has issues like insecure logging, data storage, input validation, and access control. Analyzing the app requires tools like Genymotion, Dex2jar, JD-GUI, APKTOOL and commands like adb, jadx, and sqlite3 to interact with the app and diagnose the vulnerabilities.

Internet
1 of 5
Download to read offline
 DIVA (Damn insecure and vulnerable App) is an Android App intentionally designed to be insecure  The vulnerabilities exist from a developer’s perspective  Source: https://github.com/payat u/diva-android  Created by Aseem Jakhar
Current Challenges include: ◦ Insecure Logging ◦ Hardcoding Issues – Part 1 ◦ Insecure Data Storage – Part 1 ◦ Insecure Data Storage – Part 2 ◦ Insecure Data Storage – Part 3 ◦ Insecure Data Storage – Part 4 ◦ Input Validation Issues – Part 1 ◦ Input Validation Issues – Part 2 ◦ Access Control Issues – Part 1 ◦ Access Control Issues – Part 2 ◦ Access Control Issues – Part 3 ◦ Hardcoding Issues – Part 2 ◦ Input Validation Issues – Part 3
For the purpose of the walkthrough of the challenges we need the following tools: ◦ Genymotion or Android Studio AVD ◦ Dex2jar or jadx ◦ JD-GUI ◦ APKTOOL
jadx –d out_folder diva.apk adb devices adb logcat adb shell cd, ls, ls –a, cat sqlite3 database_name select * from table_name;

Recommended

Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
Telecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from homeTelecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from home
Seth Fendley
 
Matki
MatkiMatki
Matki
fountaindirect
 
Software Testing
Software TestingSoftware Testing
Software TestingAJEET KUMAR YADAV
 
Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...
OWASP Delhi
 
досвід людської особи
досвід людської особидосвід людської особи
досвід людської особи
biblioteka_c
 
HSE-MS Basic
HSE-MS BasicHSE-MS Basic
HSE-MS Basic
Meisam J Moghadam
 

Recommended

Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthinkspa
 
Telecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from homeTelecommuting 101 - Tips and Tricks for working from home
Telecommuting 101 - Tips and Tricks for working from home
Seth Fendley
 
Matki
MatkiMatki
Matki
fountaindirect
 
Software Testing
Software TestingSoftware Testing
Software TestingAJEET KUMAR YADAV
 
Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...Setting up a cost effective Application Security program from scratch by Tusn...
Setting up a cost effective Application Security program from scratch by Tusn...
OWASP Delhi
 
досвід людської особи
досвід людської особидосвід людської особи
досвід людської особи
biblioteka_c
 
HSE-MS Basic
HSE-MS BasicHSE-MS Basic
HSE-MS Basic
Meisam J Moghadam
 
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Izzuddin
IzzuddinIzzuddin
Izzuddin
DinGea
 
Civic sports
Civic sportsCivic sports
Civic sports
Jack740
 
перелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійперелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсій
biblioteka_c
 
سمینار آشنائی Ims
سمینار آشنائی Ims سمینار آشنائی Ims
سمینار آشنائی Ims
Meisam J Moghadam
 
Visualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionVisualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical Reflection
Mhermano
 
謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果Uran Bird
 
Ist110s Library Search Skills
Ist110s Library Search SkillsIst110s Library Search Skills
Ist110s Library Search Skills
ISTOnlineLearning
 
Jeremiah Jones Resume SBA
Jeremiah Jones Resume SBAJeremiah Jones Resume SBA
Jeremiah Jones Resume SBAJeremiah "Jay" Jones
 
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Nitesh Malviya
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the Left
Jamie Coleman
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptx
Jamie Coleman
 
Ii 1300-java essentials for android
Ii 1300-java essentials for androidIi 1300-java essentials for android
Ii 1300-java essentials for android
Adrian Mikeliunas
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
Roshan Kumar Gami
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Android Attacks
Android AttacksAndroid Attacks
Android AttacksMichael Scovetta
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
Sam Bowne
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Rizal Aditya
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
OWASPKerala
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
Develer S.r.l.
 

More Related Content

Viewers also liked

Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
OWASP Delhi
 
Izzuddin
IzzuddinIzzuddin
Izzuddin
DinGea
 
Civic sports
Civic sportsCivic sports
Civic sports
Jack740
 
перелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійперелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсій
biblioteka_c
 
سمینار آشنائی Ims
سمینار آشنائی Ims سمینار آشنائی Ims
سمینار آشنائی Ims
Meisam J Moghadam
 
Visualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionVisualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical Reflection
Mhermano
 
謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果Uran Bird
 
Ist110s Library Search Skills
Ist110s Library Search SkillsIst110s Library Search Skills
Ist110s Library Search Skills
ISTOnlineLearning
 

Viewers also liked (9)

Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
Affordable app sec for startups by - Sandeep Singh, Vaibhav Gupta and Vishal ...
 
Izzuddin
IzzuddinIzzuddin
Izzuddin
 
Civic sports
Civic sportsCivic sports
Civic sports
 
перелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсійперелік комплексних навчально тематичних екскурсій
перелік комплексних навчально тематичних екскурсій
 
سمینار آشنائی Ims
سمینار آشنائی Ims سمینار آشنائی Ims
سمینار آشنائی Ims
 
Visualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical ReflectionVisualizing Critique: Strategies for Critical Reflection
Visualizing Critique: Strategies for Critical Reflection
 
謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果謎コンテンツ制作者向けアンケート第1段:集計結果
謎コンテンツ制作者向けアンケート第1段:集計結果
 
Ist110s Library Search Skills
Ist110s Library Search SkillsIst110s Library Search Skills
Ist110s Library Search Skills
 
Jeremiah Jones Resume SBA
Jeremiah Jones Resume SBAJeremiah Jones Resume SBA
Jeremiah Jones Resume SBA
 

Similar to Meet the DIVA - by: Sandeep & Ankit

Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
Nitesh Malviya
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the Left
Jamie Coleman
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptx
Jamie Coleman
 
Ii 1300-java essentials for android
Ii 1300-java essentials for androidIi 1300-java essentials for android
Ii 1300-java essentials for android
Adrian Mikeliunas
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
Roshan Kumar Gami
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
Yogesh Ojha
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
Abraham Aranguren
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
Sam Bowne
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
Sam Bowne
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Rizal Aditya
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
OWASPKerala
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
Develer S.r.l.
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
Surabaya Blackhat
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
Pragati Rai
 
Code to Cloud Workshop
Code to Cloud WorkshopCode to Cloud Workshop
Code to Cloud Workshop
Jamie Coleman
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
Pietro F. Maggi
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Márcio Rosa
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
viaForensics
 

Similar to Meet the DIVA - by: Sandeep & Ankit (20)

Null mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-ExploitationNull mumbai-Android-Insecure-Data-Storage-Exploitation
Null mumbai-Android-Insecure-Data-Storage-Exploitation
 
Code to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the LeftCode to Cloud Workshop, Shifting Security to the Left
Code to Cloud Workshop, Shifting Security to the Left
 
Code to Cloud Workshop.pptx
Code to Cloud Workshop.pptxCode to Cloud Workshop.pptx
Code to Cloud Workshop.pptx
 
Ii 1300-java essentials for android
Ii 1300-java essentials for androidIi 1300-java essentials for android
Ii 1300-java essentials for android
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Android Attacks
Android AttacksAndroid Attacks
Android Attacks
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)CNIT 128: Android Implementation Issues (Part 2)
CNIT 128: Android Implementation Issues (Part 2)
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
 
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
Simulation and Tutorial M2 Insecure Data Storage by OWASP Mobile 2016
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Workshop su Android Kernel Hacking
Workshop su Android Kernel HackingWorkshop su Android Kernel Hacking
Workshop su Android Kernel Hacking
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Java & The Android Stack: A Security Analysis
Java & The Android Stack: A Security AnalysisJava & The Android Stack: A Security Analysis
Java & The Android Stack: A Security Analysis
 
Code to Cloud Workshop
Code to Cloud WorkshopCode to Cloud Workshop
Code to Cloud Workshop
 
Barcode scanning on Android
Barcode scanning on AndroidBarcode scanning on Android
Barcode scanning on Android
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
Droidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensicsDroidcon it-2014-marco-grassi-viaforensics
Droidcon it-2014-marco-grassi-viaforensics
 

More from OWASP Delhi

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
OWASP Delhi
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
OWASP Delhi
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
OWASP Delhi
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
OWASP Delhi
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
OWASP Delhi
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
OWASP Delhi
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
OWASP Delhi
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
OWASP Delhi
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
OWASP Delhi
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
OWASP Delhi
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
OWASP Delhi
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
OWASP Delhi
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
OWASP Delhi
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
OWASP Delhi
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
OWASP Delhi
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
OWASP Delhi
 

More from OWASP Delhi (20)

Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Securing dns records from subdomain takeover
Securing dns records from subdomain takeoverSecuring dns records from subdomain takeover
Securing dns records from subdomain takeover
 
Effective Cyber Security Report Writing
Effective Cyber Security Report WritingEffective Cyber Security Report Writing
Effective Cyber Security Report Writing
 
Data sniffing over Air Gap
Data sniffing over Air GapData sniffing over Air Gap
Data sniffing over Air Gap
 
UDP Hunter
UDP HunterUDP Hunter
UDP Hunter
 
Demystifying Container Escapes
Demystifying Container EscapesDemystifying Container Escapes
Demystifying Container Escapes
 
Automating WAF using Terraform
Automating WAF using TerraformAutomating WAF using Terraform
Automating WAF using Terraform
 
Actionable Threat Intelligence
Actionable Threat IntelligenceActionable Threat Intelligence
Actionable Threat Intelligence
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
 
Securing AWS environments by Ankit Giri
Securing AWS environments by Ankit GiriSecuring AWS environments by Ankit Giri
Securing AWS environments by Ankit Giri
 
DMARC Overview
DMARC OverviewDMARC Overview
DMARC Overview
 
Cloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash GoelCloud assessments by :- Aakash Goel
Cloud assessments by :- Aakash Goel
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
IETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit BatraIETF's Role and Mandate in Internet Governance by Mohit Batra
IETF's Role and Mandate in Internet Governance by Mohit Batra
 
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraMalicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra
 
ICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep SinghICS Security 101 by Sandeep Singh
ICS Security 101 by Sandeep Singh
 
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj MishraThwarting The Surveillance in Online Communication by Adhokshaj Mishra
Thwarting The Surveillance in Online Communication by Adhokshaj Mishra
 

Recently uploaded

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 

Recently uploaded (20)

Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 

Meet the DIVA - by: Sandeep & Ankit

  • 1.
  • 2.  DIVA (Damn insecure and vulnerable App) is an Android App intentionally designed to be insecure  The vulnerabilities exist from a developer’s perspective  Source: https://github.com/payat u/diva-android  Created by Aseem Jakhar
  • 3. Current Challenges include: ◦ Insecure Logging ◦ Hardcoding Issues – Part 1 ◦ Insecure Data Storage – Part 1 ◦ Insecure Data Storage – Part 2 ◦ Insecure Data Storage – Part 3 ◦ Insecure Data Storage – Part 4 ◦ Input Validation Issues – Part 1 ◦ Input Validation Issues – Part 2 ◦ Access Control Issues – Part 1 ◦ Access Control Issues – Part 2 ◦ Access Control Issues – Part 3 ◦ Hardcoding Issues – Part 2 ◦ Input Validation Issues – Part 3
  • 4. For the purpose of the walkthrough of the challenges we need the following tools: ◦ Genymotion or Android Studio AVD ◦ Dex2jar or jadx ◦ JD-GUI ◦ APKTOOL
  • 5. jadx –d out_folder diva.apk adb devices adb logcat adb shell cd, ls, ls –a, cat sqlite3 database_name select * from table_name;