DVHMA/README.md

# DVHMA

Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for
Android) that *intentionally* contains vulnerabilities. Its purpose is
to enable security professionals to test their tools and techniques
legally, help developers better understand the common pitfalls in
developing hybrid mobile apps securely.

## Motivation and Scope

This app is developed to study pitfalls in developing hybrid apps,
e.g., using [Apache Cordova](https://cordova.apache.org/) or
[SAP Kapsel](https://blogs.sap.com/2013/10/21/an-introduction-to-smp-kapsel/),
securely. Currently, the main focus is to develop a deeper
understanding of injection vulnerabilities that exploit the JavaScript
to Java bridge.

## Installation

### Prerequisites

We assume that the

* Android SDK (https://developer.android.com/sdk/index.html) and 
* Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later
  versions might work) 

Moreover, we assume a basic familiarity with the build system of 
Apache Cordova.

### Building DVHMA

#### Setting Environment Variables

    export ANDROID_HOME=<Android SDK Installation Directory>
    export PATH=$ANDROID_HOME/tools:$PATH
    export PATH=$ANDROID_HOME/platform-tools:$PATH

#### Compiling DVHMA

    cd DVHMA-Featherweight
    cordova plugin add ../plugins/DVHMA-Storage
    cordova plugin add ../plugins/DVHMA-WebIntent 
    cordova platform add android
    cordova compile android

#### Running DVHMA in an Emulator

    cordova run android 

## Team Members

The development of this application started as part of the project 
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative 
research project funded by the German Ministry for Research and 
Education. It is now developed and maintained by the [Software 
Assurance & Security Research Team](https://logicalhacking.com) 
at The University of Sheffield, UK. 

The core developers of DVHMA are:
* [Achim D. Brucker](http://www.brucker.ch/)
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)

## License

This project is under the Apache 2.0 License. 

SPDX-License-Identifier: Apache-2.0

## Master Repository

The master git repository for this project is hosted by the [Software
Assurance & Security Research Team](https://logicalhacking.com) at
<https://git.logicalhacking.com/DASCA/DVHMA/>.

## Publications

* Achim D. Brucker and Michael Herzberg. [On the Static Analysis of
  Hybrid Mobile Apps: A Report on the State of Apache Cordova
  Nation.](https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf)
  In International Symposium on Engineering Secure Software
  and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages
  72-88, Springer-Verlag, 2016.
  https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016
  doi: [10.1007/978-3-319-30806-7_5](http://dx.doi.org/10.1007/978-3-319-30806-7_5)
Initial commit 2015-05-13 09:43:05 +00:00			`# DVHMA`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added motivation, team members, and license information. 2015-05-13 10:36:07 +00:00			`Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for`
			`Android) that intentionally contains vulnerabilities. Its purpose is`
			`to enable security professionals to test their tools and techniques`
			`legally, help developers better understand the common pitfalls in`
			`developing hybrid mobile apps securely.`

			`## Motivation and Scope`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added motivation, team members, and license information. 2015-05-13 10:36:07 +00:00			`This app is developed to study pitfalls in developing hybrid apps,`
Added links to Apache Cordova and SAP Kapsel. 2016-10-26 22:22:51 +00:00			`e.g., using [Apache Cordova](https://cordova.apache.org/) or`
			`[SAP Kapsel](https://blogs.sap.com/2013/10/21/an-introduction-to-smp-kapsel/),`
			`securely. Currently, the main focus is to develop a deeper`
			`understanding of injection vulnerabilities that exploit the JavaScript`
			`to Java bridge.`
Added motivation, team members, and license information. 2015-05-13 10:36:07 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`## Installation`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`### Prerequisites`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`We assume that the`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`* Android SDK (https://developer.android.com/sdk/index.html) and`
Updated recommended Cordova version. 2018-04-21 19:13:28 +00:00			`* Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later`
			`versions might work)`
Improved layout. 2015-06-28 18:34:17 +00:00
			`Moreover, we assume a basic familiarity with the build system of`
			`Apache Cordova.`
Added installation instructions. 2015-05-13 20:08:46 +00:00
			`### Building DVHMA`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`#### Setting Environment Variables`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`export ANDROID_HOME=<Android SDK Installation Directory>`
			`export PATH=$ANDROID_HOME/tools:$PATH`
			`export PATH=$ANDROID_HOME/platform-tools:$PATH`

			`#### Compiling DVHMA`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`cd DVHMA-Featherweight`
			`cordova plugin add ../plugins/DVHMA-Storage`
			`cordova plugin add ../plugins/DVHMA-WebIntent`
Fixed build instructions. 2016-08-09 10:34:21 +00:00			`cordova platform add android`
Added installation instructions. 2015-05-13 20:08:46 +00:00			`cordova compile android`

			`#### Running DVHMA in an Emulator`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added installation instructions. 2015-05-13 20:08:46 +00:00			`cordova run android`

Added motivation, team members, and license information. 2015-05-13 10:36:07 +00:00			`## Team Members`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Updated developers/maintainers. 2016-07-27 05:17:34 +00:00			`The development of this application started as part of the project`
			`[ZertApps](http://www.zertapps.de). ZertApps was a collaborative`
			`research project funded by the German Ministry for Research and`
			`Education. It is now developed and maintained by the [Software`
			`Assurance & Security Research Team](https://logicalhacking.com)`
			`at The University of Sheffield, UK.`

			`The core developers of DVHMA are:`
Updated contact information. 2016-07-24 20:01:17 +00:00			`* [Achim D. Brucker](http://www.brucker.ch/)`
			`* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)`
Added motivation, team members, and license information. 2015-05-13 10:36:07 +00:00
			`## License`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Improved layout. 2015-06-28 18:34:17 +00:00			`This project is under the Apache 2.0 License.`
Added publication reference. 2016-11-26 15:25:04 +00:00
Added SPDX License Identifier. 2018-08-04 13:47:05 +00:00			`SPDX-License-Identifier: Apache-2.0`

Added master repository URL. 2018-08-04 13:49:34 +00:00			`## Master Repository`

			`The master git repository for this project is hosted by the [Software`
			`Assurance & Security Research Team](https://logicalhacking.com) at`
			`<https://git.logicalhacking.com/DASCA/DVHMA/>.`

Added publication reference. 2016-11-26 15:25:04 +00:00			`## Publications`
Improved Markdown. 2018-08-04 13:44:25 +00:00
Added publication reference. 2016-11-26 15:25:04 +00:00			`* Achim D. Brucker and Michael Herzberg. [On the Static Analysis of`
			`Hybrid Mobile Apps: A Report on the State of Apache Cordova`
			`Nation.](https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf)`
			`In International Symposium on Engineering Secure Software`
			`and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages`
			`72-88, Springer-Verlag, 2016.`
			`https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016`
			`doi: [10.1007/978-3-319-30806-7_5](http://dx.doi.org/10.1007/978-3-319-30806-7_5)`