Skip to content

defdeveu/code.android.Vulnabank

Repository files navigation

VulnaBank

defdev's Android development security exam app

This deliberately vulnerable application (DVA) is exam material used in the ‘Development security in Android' blue level course by Zsombor Kovács (huobb0). The application has some serious security issues while providing ‘life like’ functionality (of a conceptual banking app).

Build/Run

Note, that the main purpose with this app is code review, so building and installation is possibly not the major concern in using it as a learning and practicing material.

  • git clone (the 'main' branch is sufficient for the purpose)
  • build and run

WARNING: This app yet uses discontinued Kotlin synthetics and Dagger for views and Kotlin 1.7 which means that:

  • Currently this lab is not compatible with JDK 21 and so the defaults of AS Ladybug+.
  • Above Koala set/download JDK/JBR 17 in AS Setting > Build... > Build tools > Gradle / Gradle project!
  • Note, that for successful builds the current project structure is target API 30, Java 17, Kotlin 1.7.21, kapt, appcompat max 1.3.1, core-ktx max 1.6.0, material 1.4.0.
  • Tested with Pixel 6 Pro API 31 emulator

Technology stack

  • Kotlin
  • MVVM app architecture
  • Room database implementation room
  • encryption library for room, if it is needed in the future safeRoom
  • Dagger 2 dependency injection
  • retrofit for server communication
  • Lifecycle extensions
  • Kotlin coroutines for background works

Application overview

Application overview

Structure

UI Structure
  • TransactionApplication: init the dependency injection and send LocalBroadcast when application comes foreground
  • LoginActivity: control the registration and login flow depends on AuthRepository state (user already registered)
    • RegisterFragment: show the registration view content
    • LoginFragment: show the login view content
  • MainAcivity: control the transaction list, settings and case when application comes foreground (catch the LocalBroadcast from Application)
    • TransactionListFragment: Main screen of the application. This UI shows the transaction list (query from local database and data published via viewModel). Pull to refresh implemented on this screen, but the list respond every transaction database changes.
    • TransactionInitFragment: Transaction init dialog which access-able with + button from transaction list. Local data validation implemented on this screen. When user press the OK button, the typed values passed to transactionListFragment and main screen handles the transaction sending to back-end
    • SettingsFragment: PIN management and SSL settings change (change between http and https servers)
Singleton dependencies - injected by DAGGER
  • TransactionRepository: SQLite database access interface
  • TransactionViewModelFactory: Transaction UI controller module
  • AuthRepository with SharedPreferences: Auth repository handles the registration, login, pin check and change via application shared preferences
  • CryptoUtil: Crypto util provides the AES, RSA and pin MD5 hash encrypt and decrypt
  • TransactionService: Retrofit communication module for transaction upload (contains OKHttp logging interceptor for logging post messages)

Use cases for testing

  • Registration and first run
    • Install and run VulnaBank application
    • Type correct pins (only 4 characters accepted in password and re-password field -> Register button goes enabled)
    • When two pin is not equals, local validation shows error message in re-password field
  • Login
    • Start the application
    • Type incorrect pin, press Login button, local validation error message shows
    • Type correct pin, press Login button, application enters the transaction screen
    • Send app to background with HOME button, select application from running apps, application shows the Login screen
  • Send transaction
    • Start and log into the application
    • Press + button at the bottom of the page
    • Press cancel in the dialog -> nothing happens
    • Fill the form with correct data (name field is mandatory, amount should be > 0, account number must be > than 8 numbers, comment is optional)
    • Press OK -> application navigates back to transactions screen, progress dialog appears and transaction list refreshes with successful or unsuccessful transaction
  • Settings
    • Start and log into the application
    • Press the menu button on the top right corner
    • Try to change password -> local validation displays if the new pins is not equals
    • Click to TLS verification enabled checkbox -> if it is selected, the application communicates via https (application restart needed)

social image

Credits

  • Implemented by Ferenc Sági (sagifer)
  • Idea and specification by Zsombor Kovács (huobb0)
  • Photo by 'Science in HD' used under the Unsplash License; derived work by Ksenia Kotelnikova; original: Seamans Guard, Stagg Field, University of Chicago...Credit: U.S. Department of Energy, Historian's Office