Compare commits
11 Commits
1.0.0_3.5.
...
master
Author | SHA1 | Date |
---|---|---|
Achim D. Brucker | 30f76ee118 | |
Achim D. Brucker | 5a7d28491b | |
Achim D. Brucker | 193e952f4e | |
Achim D. Brucker | 0dd088ab86 | |
Achim D. Brucker | cd039fe66e | |
Achim D. Brucker | 47c3e0bd6c | |
Achim D. Brucker | e2099ceac8 | |
Achim D. Brucker | 31975c4ef9 | |
Achim D. Brucker | ccd08fc5c0 | |
Achim D. Brucker | 80455a0c1d | |
Achim D. Brucker | 4d3f6c6ee6 |
|
@ -25,3 +25,7 @@ proguard/
|
||||||
|
|
||||||
# Log Files
|
# Log Files
|
||||||
*.log
|
*.log
|
||||||
|
|
||||||
|
# Node/NPM
|
||||||
|
DVHMA-Featherweight/node_modules/
|
||||||
|
DVHMA-Featherweight/package-lock.json
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
<?xml version='1.0' encoding='utf-8'?>
|
<?xml version='1.0' encoding='utf-8'?>
|
||||||
<widget id="de.zertapps.dvhma.featherweight" version="1.0.0-3.5.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
<widget id="de.zertapps.dvhma.featherweight" version="1.0.0-6.3.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
||||||
<name>Featherweight DVHMA</name>
|
<name>Featherweight DVHMA</name>
|
||||||
<author href="https://logicalhacking.com"></author>
|
<author href="https://logicalhacking.com" />
|
||||||
<description>
|
<description>
|
||||||
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
|
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
|
||||||
|
|
||||||
|
@ -9,4 +9,7 @@
|
||||||
</description>
|
</description>
|
||||||
<content src="index.html" />
|
<content src="index.html" />
|
||||||
<access origin="*" />
|
<access origin="*" />
|
||||||
|
<plugin name="de.zertapps.dvhma.plugins.storage" spec="../plugins/DVHMA-Storage" />
|
||||||
|
<plugin name="de.zertapps.dvhma.plugins.webintent" spec="../plugins/DVHMA-WebIntent" />
|
||||||
|
<engine name="android" spec="~7.0.0" />
|
||||||
</widget>
|
</widget>
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
<?xml version='1.0' encoding='utf-8'?>
|
<?xml version='1.0' encoding='utf-8'?>
|
||||||
<widget id="de.zertapps.dvhma.openui5" version="1.0.0-3.5.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
<widget id="de.zertapps.dvhma.openui5" version="1.0.0-6.3.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
||||||
<name>OpenUI5 DVHMA</name>
|
<name>OpenUI5 DVHMA</name>
|
||||||
<author href="https://logicalhacking.com"></author>
|
<author href="https://logicalhacking.com"></author>
|
||||||
<description>
|
<description>
|
||||||
|
|
42
README.md
42
README.md
|
@ -1,4 +1,5 @@
|
||||||
# DVHMA
|
# DVHMA
|
||||||
|
|
||||||
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for
|
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for
|
||||||
Android) that *intentionally* contains vulnerabilities. Its purpose is
|
Android) that *intentionally* contains vulnerabilities. Its purpose is
|
||||||
to enable security professionals to test their tools and techniques
|
to enable security professionals to test their tools and techniques
|
||||||
|
@ -6,28 +7,37 @@ legally, help developers better understand the common pitfalls in
|
||||||
developing hybrid mobile apps securely.
|
developing hybrid mobile apps securely.
|
||||||
|
|
||||||
## Motivation and Scope
|
## Motivation and Scope
|
||||||
|
|
||||||
This app is developed to study pitfalls in developing hybrid apps,
|
This app is developed to study pitfalls in developing hybrid apps,
|
||||||
e.g., using Apache Cordova or SAP Kapsel, securely. Currently, the
|
e.g., using [Apache Cordova](https://cordova.apache.org/) or
|
||||||
main focus is to develop a deeper understanding of injection
|
[SAP Kapsel](https://blogs.sap.com/2013/10/21/an-introduction-to-smp-kapsel/),
|
||||||
vulnerabilities that exploit the JavaScript to Java bridge.
|
securely. Currently, the main focus is to develop a deeper
|
||||||
|
understanding of injection vulnerabilities that exploit the JavaScript
|
||||||
|
to Java bridge.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
### Prerequisites
|
### Prerequisites
|
||||||
|
|
||||||
We assume that the
|
We assume that the
|
||||||
|
|
||||||
* Android SDK (https://developer.android.com/sdk/index.html) and
|
* Android SDK (https://developer.android.com/sdk/index.html) and
|
||||||
* Apache Cordova (https://cordova.apache.org/), version 3.5 or later
|
* Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later
|
||||||
are installed.
|
versions might work)
|
||||||
|
|
||||||
Moreover, we assume a basic familiarity with the build system of
|
Moreover, we assume a basic familiarity with the build system of
|
||||||
Apache Cordova.
|
Apache Cordova.
|
||||||
|
|
||||||
### Building DVHMA
|
### Building DVHMA
|
||||||
|
|
||||||
#### Setting Environment Variables
|
#### Setting Environment Variables
|
||||||
|
|
||||||
export ANDROID_HOME=<Android SDK Installation Directory>
|
export ANDROID_HOME=<Android SDK Installation Directory>
|
||||||
export PATH=$ANDROID_HOME/tools:$PATH
|
export PATH=$ANDROID_HOME/tools:$PATH
|
||||||
export PATH=$ANDROID_HOME/platform-tools:$PATH
|
export PATH=$ANDROID_HOME/platform-tools:$PATH
|
||||||
|
|
||||||
#### Compiling DVHMA
|
#### Compiling DVHMA
|
||||||
|
|
||||||
cd DVHMA-Featherweight
|
cd DVHMA-Featherweight
|
||||||
cordova plugin add ../plugins/DVHMA-Storage
|
cordova plugin add ../plugins/DVHMA-Storage
|
||||||
cordova plugin add ../plugins/DVHMA-WebIntent
|
cordova plugin add ../plugins/DVHMA-WebIntent
|
||||||
|
@ -35,9 +45,11 @@ Apache Cordova.
|
||||||
cordova compile android
|
cordova compile android
|
||||||
|
|
||||||
#### Running DVHMA in an Emulator
|
#### Running DVHMA in an Emulator
|
||||||
|
|
||||||
cordova run android
|
cordova run android
|
||||||
|
|
||||||
## Team Members
|
## Team Members
|
||||||
|
|
||||||
The development of this application started as part of the project
|
The development of this application started as part of the project
|
||||||
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative
|
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative
|
||||||
research project funded by the German Ministry for Research and
|
research project funded by the German Ministry for Research and
|
||||||
|
@ -50,4 +62,24 @@ The core developers of DVHMA are:
|
||||||
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)
|
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
This project is under the Apache 2.0 License.
|
This project is under the Apache 2.0 License.
|
||||||
|
|
||||||
|
SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
## Master Repository
|
||||||
|
|
||||||
|
The master git repository for this project is hosted by the [Software
|
||||||
|
Assurance & Security Research Team](https://logicalhacking.com) at
|
||||||
|
<https://git.logicalhacking.com/DASCA/DVHMA/>.
|
||||||
|
|
||||||
|
## Publications
|
||||||
|
|
||||||
|
* Achim D. Brucker and Michael Herzberg. [On the Static Analysis of
|
||||||
|
Hybrid Mobile Apps: A Report on the State of Apache Cordova
|
||||||
|
Nation.](https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf)
|
||||||
|
In International Symposium on Engineering Secure Software
|
||||||
|
and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages
|
||||||
|
72-88, Springer-Verlag, 2016.
|
||||||
|
https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016
|
||||||
|
doi: [10.1007/978-3-319-30806-7_5](http://dx.doi.org/10.1007/978-3-319-30806-7_5)
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
{
|
||||||
|
"name": "de.zertapps.dvhma.plugins.storage",
|
||||||
|
"version": "1.0.0",
|
||||||
|
"description": "DVHMA Storage Backend",
|
||||||
|
"cordova": {
|
||||||
|
"id": "de.zertapps.dvhma.plugins.storage",
|
||||||
|
"platforms": [
|
||||||
|
"android"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"keywords": [
|
||||||
|
"ecosystem:cordova",
|
||||||
|
"cordova-android"
|
||||||
|
],
|
||||||
|
"author": "",
|
||||||
|
"license": "Apache 2.0"
|
||||||
|
}
|
|
@ -0,0 +1,19 @@
|
||||||
|
{
|
||||||
|
"name": "de.zertapps.dvhma.plugins.webintent",
|
||||||
|
"version": "1.0.0",
|
||||||
|
"description": "Web intents for Cordova",
|
||||||
|
"cordova": {
|
||||||
|
"id": "de.zertapps.dvhma.plugins.webintent",
|
||||||
|
"platforms": [
|
||||||
|
"android"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"keywords": [
|
||||||
|
"cordova",
|
||||||
|
"webintent",
|
||||||
|
"ecosystem:cordova",
|
||||||
|
"cordova-android"
|
||||||
|
],
|
||||||
|
"author": "",
|
||||||
|
"license": "MIT"
|
||||||
|
}
|
Binary file not shown.
|
@ -0,0 +1,16 @@
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIcBAABCgAGBQJXrC6NAAoJEFk91tz4x3BGchsQAKEJ1lNe6D9a1OX6lsV7CiNP
|
||||||
|
gC0z2zdnlBTrcJVqcvD9NE+pCMmhQYPAxenvCRMPVKxS/IotRddAgY9RnRU5AF1Q
|
||||||
|
DjVoiq6q/zEfPB4vtTFxyczG6KwngWFa1wzLr1NJ6ksJQmn89v7ocwjBwVLb0F+S
|
||||||
|
I47s0XH9ivhfzFwQOGUlDjJBUX58IaFUR4/shv7YdkBAnIWVk07cXP7aUbhS0XXF
|
||||||
|
iVnA5GtRrNSyQqZxrYRU4oXYL/5p0/9DJFdWzXmPyj6KljwQiIqxTMZ+B0TlpEA1
|
||||||
|
omkCDnKSaRSK9/+SnJtnhb07uw6Avc4O9QboqXW3Ckw4ZyRvpwzfm0YYhwJoQ6Hd
|
||||||
|
jDXyQ99zBjPecuxvEDyhbvrq4dc8oUf5xFO8YvjtexvbTtNoZradx5DJHvQK09KR
|
||||||
|
k6Q4v2jKh7ut01niGpVfbKbNAjjA8RsVSRCOOQstS80OSUq6KNSQOhX49QvJkjEn
|
||||||
|
+0SUoJZ4ey9RotpO11cY+pIvyPzeCqPcFBP3ZW/UqQXE1O5LPYDjmWQz9D4/NzQN
|
||||||
|
7j+CJilbKRgH/2wdER77Id2QzISAqcruoW+wJ2IGsfG33fwp/+Tljm4ZJzXK2ujh
|
||||||
|
oGFps5DtdW6iiUUAdNl8x9NrWqGpgzIfqHbOwRPNwKoanmroUyrD8oNWbKpmLusU
|
||||||
|
SRHaAfwv9HQTUnZ1dEKG
|
||||||
|
=F5nf
|
||||||
|
-----END PGP SIGNATURE-----
|
Binary file not shown.
|
@ -0,0 +1,16 @@
|
||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIcBAABCgAGBQJXrC6qAAoJEFk91tz4x3BGahYQAJ28bK7SdDEw7h9gQr2VUMx6
|
||||||
|
rRbr2rGxrv/8k2mxhPKpinnG7gvsOnfKF2gPvT7Hqi/nmUAKw9niXnREFyKjDDxo
|
||||||
|
Q4q0Bjix/+tO2V6hi5X0A1G5LIKHJbQ4pstCdRpwF/GKlU5DL5+VEJDouEM5DesQ
|
||||||
|
Y0EnnH7SQPo5RnKALSnXOUvjjK2EuKQOiBwqf7p8slQo00G9DfMePDBeFL7tmJsv
|
||||||
|
xgy8IO5kn1gSjsCL9xDbXpTxVWbskrvyYZT93kVnYagrCjyii/9nukPm1Jy9TNh8
|
||||||
|
aRT/lvNH4JoZqzXoMmM0/PlM6R/OxWJwTEbS+L3fwoKj/Ojj5Gsoi6EjcgG6Pxug
|
||||||
|
GLtEUs0DKv7Oub1BcVMqGI6F1Dbk1ZEd8K99LPg6fIHKNJwU0NzppRxmT6QYqm9m
|
||||||
|
jBj6tGwflF7yH1Tz5WSf7Q9UAfoUFbYAx8NkKa6sfbenkt78QBnjIzB2B0Gn68H4
|
||||||
|
fa6Z+0LYLS5qbvlmZqWZrRYJ1+FUvQDeM7lJLNAYe7jUs49/kkzgQizV+46/wUXx
|
||||||
|
qK4W4mhCqGffP2sKqXnDzUGV6vp7I/KER9ryKcfIECxB+S5ac8RLaju/OWTVq2XH
|
||||||
|
3eawhJFRp78R6Td7pv/h2/LezSEeglytGg9l5aQRNr1rNMlBRsQ5HxfxKcFytWqI
|
||||||
|
LrNZ7ASFiPA0A/JeAi4S
|
||||||
|
=2uOo
|
||||||
|
-----END PGP SIGNATURE-----
|
Loading…
Reference in New Issue