Compare commits
10 Commits
1.0.0_6.3. ... master
Author | SHA1
---|---
Achim D. Brucker | 30f76ee118
Achim D. Brucker | 5a7d28491b
Achim D. Brucker | 193e952f4e
Achim D. Brucker | 0dd088ab86
Achim D. Brucker | cd039fe66e
Achim D. Brucker | 47c3e0bd6c
Achim D. Brucker | e2099ceac8
Achim D. Brucker | 31975c4ef9
Achim D. Brucker | ccd08fc5c0
Achim D. Brucker | 80455a0c1d
@ -25,3 +25,7 @@ proguard/
|
||||||
|
|
||||||
# Log Files
|
# Log Files
|
||||||
*.log
|
*.log
|
||||||
|
|
||||||
|
# Node/NPM
|
||||||
|
DVHMA-Featherweight/node_modules/
|
||||||
|
DVHMA-Featherweight/package-lock.json
|
||||||
|
|
|
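Review bot: ignoring `DVHMA-Featherweight/package-lock.json` in the `# Node/NPM` block drops the only file that pins the exact npm dependency versions the app is built against; for a deliberately vulnerable app, where a silent dependency upgrade can remove the very behaviour being studied, the lockfile is what keeps builds reproducible. Keep `DVHMA-Featherweight/node_modules/` in .gitignore, but commit the lockfile instead of ignoring it.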
@ -1,7 +1,7 @@
|
||||||
<?xml version='1.0' encoding='utf-8'?>
|
<?xml version='1.0' encoding='utf-8'?>
|
||||||
<widget id="de.zertapps.dvhma.featherweight" version="1.0.0-6.3.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
<widget id="de.zertapps.dvhma.featherweight" version="1.0.0-6.3.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
||||||
<name>Featherweight DVHMA</name>
|
<name>Featherweight DVHMA</name>
|
||||||
<author href="https://logicalhacking.com"></author>
|
<author href="https://logicalhacking.com" />
|
||||||
<description>
|
<description>
|
||||||
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
|
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
|
||||||
|
|
||||||
|
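Review bot: the `version="1.0.0-6.3.0"` attribute on `<widget>` is left untouched although the rest of this compare moves the toolchain to Cordova 8.0.0 and `cordova-android ~7.0.0` (see the README prerequisites and the new `<engine>` element below); if the suffix is meant to track the Cordova release the app was built with, it should be bumped here too, otherwise it would be clearer to drop the suffix. The `<author>` change from `<author href="https://logicalhacking.com"></author>` to a self-closing element is fine.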
@ -9,4 +9,7 @@
|
||||||
</description>
|
</description>
|
||||||
<content src="index.html" />
|
<content src="index.html" />
|
||||||
<access origin="*" />
|
<access origin="*" />
|
||||||
|
<plugin name="de.zertapps.dvhma.plugins.storage" spec="../plugins/DVHMA-Storage" />
|
||||||
|
<plugin name="de.zertapps.dvhma.plugins.webintent" spec="../plugins/DVHMA-WebIntent" />
|
||||||
|
<engine name="android" spec="~7.0.0" />
|
||||||
</widget>
|
</widget>
|
||||||
|
|
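Review bot: with `<plugin name="de.zertapps.dvhma.plugins.storage" spec="../plugins/DVHMA-Storage" />` and the webintent plugin now declared in config.xml, the manual `cordova plugin add ../plugins/DVHMA-Storage` / `cordova plugin add ../plugins/DVHMA-WebIntent` steps that remain in the README's "Compiling DVHMA" section are redundant, since `cordova platform add` / `cordova prepare` restore plugins from config.xml; the README should either drop those lines or say they are only needed when re-adding a modified plugin. Unrelated to this change but visible as context, `<access origin="*" />` stays fully open; for a deliberately vulnerable app that is presumably intended, so an XML comment saying so would stop someone "fixing" it by accident.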
42
README.md
42
README.md
|
@ -1,4 +1,5 @@
|
||||||
# DVHMA
|
# DVHMA
|
||||||
|
|
||||||
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for
|
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for
|
||||||
Android) that *intentionally* contains vulnerabilities. Its purpose is
|
Android) that *intentionally* contains vulnerabilities. Its purpose is
|
||||||
to enable security professionals to test their tools and techniques
|
to enable security professionals to test their tools and techniques
|
||||||
|
@ -6,28 +7,37 @@ legally, help developers better understand the common pitfalls in
|
||||||
developing hybrid mobile apps securely.
|
developing hybrid mobile apps securely.
|
||||||
|
|
||||||
## Motivation and Scope
|
## Motivation and Scope
|
||||||
|
|
||||||
This app is developed to study pitfalls in developing hybrid apps,
|
This app is developed to study pitfalls in developing hybrid apps,
|
||||||
e.g., using Apache Cordova or SAP Kapsel, securely. Currently, the
|
e.g., using [Apache Cordova](https://cordova.apache.org/) or
|
||||||
main focus is to develop a deeper understanding of injection
|
[SAP Kapsel](https://blogs.sap.com/2013/10/21/an-introduction-to-smp-kapsel/),
|
||||||
vulnerabilities that exploit the JavaScript to Java bridge.
|
securely. Currently, the main focus is to develop a deeper
|
||||||
|
understanding of injection vulnerabilities that exploit the JavaScript
|
||||||
|
to Java bridge.
|
||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
### Prerequisites
|
### Prerequisites
|
||||||
|
|
||||||
We assume that the
|
We assume that the
|
||||||
|
|
||||||
* Android SDK (https://developer.android.com/sdk/index.html) and
|
* Android SDK (https://developer.android.com/sdk/index.html) and
|
||||||
* Apache Cordova (https://cordova.apache.org/), version 6.3.0 or later
|
* Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later
|
||||||
are installed.
|
versions might work)
|
||||||
|
|
||||||
Moreover, we assume a basic familiarity with the build system of
|
Moreover, we assume a basic familiarity with the build system of
|
||||||
Apache Cordova.
|
Apache Cordova.
|
||||||
|
|
||||||
### Building DVHMA
|
### Building DVHMA
|
||||||
|
|
||||||
#### Setting Environment Variables
|
#### Setting Environment Variables
|
||||||
|
|
||||||
export ANDROID_HOME=<Android SDK Installation Directory>
|
export ANDROID_HOME=<Android SDK Installation Directory>
|
||||||
export PATH=$ANDROID_HOME/tools:$PATH
|
export PATH=$ANDROID_HOME/tools:$PATH
|
||||||
export PATH=$ANDROID_HOME/platform-tools:$PATH
|
export PATH=$ANDROID_HOME/platform-tools:$PATH
|
||||||
|
|
||||||
#### Compiling DVHMA
|
#### Compiling DVHMA
|
||||||
|
|
||||||
cd DVHMA-Featherweight
|
cd DVHMA-Featherweight
|
||||||
cordova plugin add ../plugins/DVHMA-Storage
|
cordova plugin add ../plugins/DVHMA-Storage
|
||||||
cordova plugin add ../plugins/DVHMA-WebIntent
|
cordova plugin add ../plugins/DVHMA-WebIntent
|
||||||
|
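Review bot: the prerequisite changes from "version 6.3.0 or later" to "version 8.0.0 (later versions might work)", which replaces a minimum with a single tested version without saying what breaks on anything else; state whether 8.0.0 is a hard requirement (and why, e.g. which plugin or `cordova-android` feature needs it) and which later versions were actually tried, or phrase it as "8.0.0 or later". The unchanged `cordova plugin add ../plugins/...` lines in "Compiling DVHMA" also duplicate the `<plugin>` entries added to config.xml in this same compare and could be removed here.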
@ -35,9 +45,11 @@ Apache Cordova.
|
||||||
cordova compile android
|
cordova compile android
|
||||||
|
|
||||||
#### Running DVHMA in an Emulator
|
#### Running DVHMA in an Emulator
|
||||||
|
|
||||||
cordova run android
|
cordova run android
|
||||||
|
|
||||||
## Team Members
|
## Team Members
|
||||||
|
|
||||||
The development of this application started as part of the project
|
The development of this application started as part of the project
|
||||||
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative
|
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative
|
||||||
research project funded by the German Ministry for Research and
|
research project funded by the German Ministry for Research and
|
||||||
|
@ -50,4 +62,24 @@ The core developers of DVHMA are:
|
||||||
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)
|
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
This project is under the Apache 2.0 License.
|
This project is under the Apache 2.0 License.
|
||||||
|
|
||||||
|
SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
|
## Master Repository
|
||||||
|
|
||||||
|
The master git repository for this project is hosted by the [Software
|
||||||
|
Assurance & Security Research Team](https://logicalhacking.com) at
|
||||||
|
<https://git.logicalhacking.com/DASCA/DVHMA/>.
|
||||||
|
|
||||||
|
## Publications
|
||||||
|
|
||||||
|
* Achim D. Brucker and Michael Herzberg. [On the Static Analysis of
|
||||||
|
Hybrid Mobile Apps: A Report on the State of Apache Cordova
|
||||||
|
Nation.](https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf)
|
||||||
|
In International Symposium on Engineering Secure Software
|
||||||
|
and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages
|
||||||
|
72-88, Springer-Verlag, 2016.
|
||||||
|
https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016
|
||||||
|
doi: [10.1007/978-3-319-30806-7_5](http://dx.doi.org/10.1007/978-3-319-30806-7_5)
|
||||||
|
|
|
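Review bot: the new DOI link in the "Publications" section points at `http://dx.doi.org/10.1007/978-3-319-30806-7_5`; the canonical resolver is `https://doi.org/10.1007/978-3-319-30806-7_5`, which also avoids an unencrypted redirect. The bare abstract URL on the line above it could be turned into a markdown link in the same style as the PDF link so the list renders consistently.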
@ -0,0 +1,17 @@
|
||||||
|
{
|
||||||
|
"name": "de.zertapps.dvhma.plugins.storage",
|
||||||
|
"version": "1.0.0",
|
||||||
|
"description": "DVHMA Storage Backend",
|
||||||
|
"cordova": {
|
||||||
|
"id": "de.zertapps.dvhma.plugins.storage",
|
||||||
|
"platforms": [
|
||||||
|
"android"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"keywords": [
|
||||||
|
"ecosystem:cordova",
|
||||||
|
"cordova-android"
|
||||||
|
],
|
||||||
|
"author": "",
|
||||||
|
"license": "Apache 2.0"
|
||||||
|
}
|
|
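Review bot: `"license": "Apache 2.0"` is not a valid SPDX expression and npm will warn about it on install; use `"license": "Apache-2.0"`, which also matches the `SPDX-License-Identifier: Apache-2.0` line this compare adds to the README. `"author": ""` should name the project or the maintainers rather than be left empty, since the README already lists them.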
@ -0,0 +1,19 @@
|
||||||
|
{
|
||||||
|
"name": "de.zertapps.dvhma.plugins.webintent",
|
||||||
|
"version": "1.0.0",
|
||||||
|
"description": "Web intents for Cordova",
|
||||||
|
"cordova": {
|
||||||
|
"id": "de.zertapps.dvhma.plugins.webintent",
|
||||||
|
"platforms": [
|
||||||
|
"android"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"keywords": [
|
||||||
|
"cordova",
|
||||||
|
"webintent",
|
||||||
|
"ecosystem:cordova",
|
||||||
|
"cordova-android"
|
||||||
|
],
|
||||||
|
"author": "",
|
||||||
|
"license": "MIT"
|
||||||
|
}
|
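Review bot: `"license": "MIT"` for `de.zertapps.dvhma.plugins.webintent` contradicts the README's "This project is under the Apache 2.0 License" (and its `SPDX-License-Identifier: Apache-2.0`). If the plugin is derived from a third-party MIT-licensed Cordova webintent plugin, keep MIT here but say so in the README's License section and carry the upstream copyright notice in the plugin sources; otherwise change it to `"Apache-2.0"` so both plugins and the app agree. As with the storage plugin, `"author": ""` should be filled in.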