# DVHMA

Damn Vulnerable Hybrid Mobile App (DVHMA) is a hybrid mobile app (for
Android) that *intentionally* contains vulnerabilities. Its purpose is
to enable security professionals to test their tools and techniques
legally, and to help developers better understand the common pitfalls
in developing hybrid mobile apps securely.

## Motivation and Scope

This app was developed to study the pitfalls of developing hybrid
apps securely, e.g., apps built with [Apache Cordova](https://cordova.apache.org/)
or [SAP Kapsel](https://blogs.sap.com/2013/10/21/an-introduction-to-smp-kapsel/).
Currently, the main focus is to develop a deeper understanding of
injection vulnerabilities that exploit the JavaScript-to-Java bridge,
i.e., the channel through which JavaScript running in the app's WebView
invokes native Java code (such as Cordova plugins).

## Installation

### Prerequisites

We assume that the following are installed:

* Android SDK (https://developer.android.com/sdk/index.html) and
* Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later
  versions might work)

Moreover, we assume a basic familiarity with the build system of
Apache Cordova.

### Building DVHMA

#### Setting Environment Variables

```sh
export ANDROID_HOME=<Android SDK Installation Directory>
export PATH=$ANDROID_HOME/tools:$PATH
export PATH=$ANDROID_HOME/platform-tools:$PATH
```

#### Compiling DVHMA

```sh
cd DVHMA-Featherweight
cordova plugin add ../plugins/DVHMA-Storage
cordova plugin add ../plugins/DVHMA-WebIntent
cordova platform add android
cordova compile android
```

#### Running DVHMA in an Emulator

```sh
cordova run android
```

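The three steps above, collected into one script together with the prerequisite checks a practitioner would want before running them. This is an added example, not a script shipped with DVHMA. It assumes it is run from the repository root (the directory containing `DVHMA-Featherweight` and `plugins`, which the relative plugin paths above require), that the first line printed by `cordova --version` is a bare version string, and the file name `build-dvhma.sh` used in the final guard is likewise an assumption.

```sh
#!/bin/sh
# build-dvhma.sh: reproducible DVHMA-Featherweight build with prerequisite
# checks. Added example, not part of the DVHMA repository. Assumes it is run
# from the repository root (the directory containing DVHMA-Featherweight and
# plugins), as the README's relative plugin paths require.
set -eu

# version_ge A B: succeed if version A (e.g. "8.1.2") is >= version B (e.g.
# "8.0.0"). Major, minor and patch are compared numerically, so "10.0.0" is
# newer than "8.0.0" (a string comparison would say the opposite). A missing
# component counts as 0 (".0.0" is appended before splitting) and non-digits
# in a component (e.g. "0-nightly") are ignored.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        b=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        a=${a:-0}
        b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Check what the Prerequisites section assumes: an Android SDK reachable
# through ANDROID_HOME and a cordova CLI of at least 8.0.0. Every missing
# item is reported before failing, so a single run shows all problems.
check_prereqs() {
    missing=0
    if [ -z "${ANDROID_HOME:-}" ] || [ ! -d "$ANDROID_HOME/platform-tools" ]; then
        echo "ANDROID_HOME is unset or does not contain platform-tools" >&2
        missing=1
    fi
    if ! command -v cordova >/dev/null 2>&1; then
        echo "cordova is not in PATH" >&2
        missing=1
    else
        # Assumption: the first line of 'cordova --version' is the bare version.
        v=$(cordova --version 2>/dev/null | head -n 1)
        if ! version_ge "$v" 8.0.0; then
            echo "cordova $v is older than the 8.0.0 this build was written for" >&2
            missing=1
        fi
    fi
    return "$missing"
}

# The README's build steps, unchanged, after putting the SDK tools on PATH.
build_dvhma() {
    export PATH="$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools:$PATH"
    cd DVHMA-Featherweight
    cordova plugin add ../plugins/DVHMA-Storage
    cordova plugin add ../plugins/DVHMA-WebIntent
    cordova platform add android
    cordova compile android
}

main() {
    check_prereqs || exit 1
    build_dvhma
    # Installs and starts the app on the running emulator or attached device.
    cordova run android
}

# Build only when executed as build-dvhma.sh (assumed file name), so the
# functions above can also be sourced and used one at a time.
case "${0##*/}" in
    build-dvhma.sh) main ;;
esac
```

Save it as `build-dvhma.sh` in the repository root and run `sh build-dvhma.sh`; sourcing it instead (`. ./build-dvhma.sh`) only defines the functions, so `check_prereqs` can be run on its own before the project is touched. `version_ge` compares version components as numbers rather than as strings, which matters once Cordova passes 9.x: lexically, `10.0.0` sorts before `8.0.0`.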
## Team Members

The development of this application started as part of the project
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative
research project funded by the German Ministry for Research and
Education. It is now developed and maintained by the [Software
Assurance & Security Research Team](https://logicalhacking.com)
at The University of Sheffield, UK.

The core developers of DVHMA are:

* [Achim D. Brucker](http://www.brucker.ch/)
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)

## License

This project is under the Apache 2.0 License.

SPDX-License-Identifier: Apache-2.0

## Master Repository

The master git repository for this project is hosted by the [Software
Assurance & Security Research Team](https://logicalhacking.com) at
<https://git.logicalhacking.com/DASCA/DVHMA/>.

## Publications

* Achim D. Brucker and Michael Herzberg. [On the Static Analysis of
  Hybrid Mobile Apps: A Report on the State of Apache Cordova
  Nation.](https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf)
  In International Symposium on Engineering Secure Software
  and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages
  72-88, Springer-Verlag, 2016.
  https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016
  doi: [10.1007/978-3-319-30806-7_5](http://dx.doi.org/10.1007/978-3-319-30806-7_5)