Compare commits
10 Commits
1.0.0_6.3.
...
master
Author | SHA1 | Date |
---|---|---|
Achim D. Brucker | 30f76ee118 | |
Achim D. Brucker | 5a7d28491b | |
Achim D. Brucker | 193e952f4e | |
Achim D. Brucker | 0dd088ab86 | |
Achim D. Brucker | cd039fe66e | |
Achim D. Brucker | 47c3e0bd6c | |
Achim D. Brucker | e2099ceac8 | |
Achim D. Brucker | 31975c4ef9 | |
Achim D. Brucker | ccd08fc5c0 | |
Achim D. Brucker | 80455a0c1d |
|
@ -25,3 +25,7 @@ proguard/
|
|||
|
||||
# Log Files
|
||||
*.log
|
||||
|
||||
# Node/NPM
|
||||
DVHMA-Featherweight/node_modules/
|
||||
DVHMA-Featherweight/package-lock.json
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<widget id="de.zertapps.dvhma.featherweight" version="1.0.0-6.3.0" xmlns="http://www.w3.org/ns/widgets" xmlns:cdv="http://cordova.apache.org/ns/1.0">
|
||||
<name>Featherweight DVHMA</name>
|
||||
<author href="https://logicalhacking.com"></author>
|
||||
<author href="https://logicalhacking.com" />
|
||||
<description>
|
||||
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
|
||||
|
||||
|
@ -9,4 +9,7 @@
|
|||
</description>
|
||||
<content src="index.html" />
|
||||
<access origin="*" />
|
||||
<plugin name="de.zertapps.dvhma.plugins.storage" spec="../plugins/DVHMA-Storage" />
|
||||
<plugin name="de.zertapps.dvhma.plugins.webintent" spec="../plugins/DVHMA-WebIntent" />
|
||||
<engine name="android" spec="~7.0.0" />
|
||||
</widget>
|
||||
|
|
42
README.md
42
README.md
|
@ -1,4 +1,5 @@
|
|||
# DVHMA
|
||||
|
||||
Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for
|
||||
Android) that *intentionally* contains vulnerabilities. Its purpose is
|
||||
to enable security professionals to test their tools and techniques
|
||||
|
@ -6,28 +7,37 @@ legally, help developers better understand the common pitfalls in
|
|||
developing hybrid mobile apps securely.
|
||||
|
||||
## Motivation and Scope
|
||||
|
||||
This app is developed to study pitfalls in developing hybrid apps,
|
||||
e.g., using Apache Cordova or SAP Kapsel, securely. Currently, the
|
||||
main focus is to develop a deeper understanding of injection
|
||||
vulnerabilities that exploit the JavaScript to Java bridge.
|
||||
e.g., using [Apache Cordova](https://cordova.apache.org/) or
|
||||
[SAP Kapsel](https://blogs.sap.com/2013/10/21/an-introduction-to-smp-kapsel/),
|
||||
securely. Currently, the main focus is to develop a deeper
|
||||
understanding of injection vulnerabilities that exploit the JavaScript
|
||||
to Java bridge.
|
||||
|
||||
## Installation
|
||||
|
||||
### Prerequisites
|
||||
|
||||
We assume that the
|
||||
|
||||
* Android SDK (https://developer.android.com/sdk/index.html) and
|
||||
* Apache Cordova (https://cordova.apache.org/), version 6.3.0 or later
|
||||
are installed.
|
||||
* Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later
|
||||
versions might work)
|
||||
|
||||
Moreover, we assume a basic familiarity with the build system of
|
||||
Apache Cordova.
|
||||
|
||||
### Building DVHMA
|
||||
|
||||
#### Setting Environment Variables
|
||||
|
||||
export ANDROID_HOME=<Android SDK Installation Directory>
|
||||
export PATH=$ANDROID_HOME/tools:$PATH
|
||||
export PATH=$ANDROID_HOME/platform-tools:$PATH
|
||||
|
||||
#### Compiling DVHMA
|
||||
|
||||
cd DVHMA-Featherweight
|
||||
cordova plugin add ../plugins/DVHMA-Storage
|
||||
cordova plugin add ../plugins/DVHMA-WebIntent
|
||||
|
@ -35,9 +45,11 @@ Apache Cordova.
|
|||
cordova compile android
|
||||
|
||||
#### Running DVHMA in an Emulator
|
||||
|
||||
cordova run android
|
||||
|
||||
## Team Members
|
||||
|
||||
The development of this application started as part of the project
|
||||
[ZertApps](http://www.zertapps.de). ZertApps was a collaborative
|
||||
research project funded by the German Ministry for Research and
|
||||
|
@ -50,4 +62,24 @@ The core developers of DVHMA are:
|
|||
* [Michael Herzberg](http://www.dcs.shef.ac.uk/cgi-bin/makeperson?M.Herzberg)
|
||||
|
||||
## License
|
||||
|
||||
This project is under the Apache 2.0 License.
|
||||
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
## Master Repository
|
||||
|
||||
The master git repository for this project is hosted by the [Software
|
||||
Assurance & Security Research Team](https://logicalhacking.com) at
|
||||
<https://git.logicalhacking.com/DASCA/DVHMA/>.
|
||||
|
||||
## Publications
|
||||
|
||||
* Achim D. Brucker and Michael Herzberg. [On the Static Analysis of
|
||||
Hybrid Mobile Apps: A Report on the State of Apache Cordova
|
||||
Nation.](https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf)
|
||||
In International Symposium on Engineering Secure Software
|
||||
and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages
|
||||
72-88, Springer-Verlag, 2016.
|
||||
https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016
|
||||
doi: [10.1007/978-3-319-30806-7_5](http://dx.doi.org/10.1007/978-3-319-30806-7_5)
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
{
|
||||
"name": "de.zertapps.dvhma.plugins.storage",
|
||||
"version": "1.0.0",
|
||||
"description": "DVHMA Storage Backend",
|
||||
"cordova": {
|
||||
"id": "de.zertapps.dvhma.plugins.storage",
|
||||
"platforms": [
|
||||
"android"
|
||||
]
|
||||
},
|
||||
"keywords": [
|
||||
"ecosystem:cordova",
|
||||
"cordova-android"
|
||||
],
|
||||
"author": "",
|
||||
"license": "Apache 2.0"
|
||||
}
|
|
@ -0,0 +1,19 @@
|
|||
{
|
||||
"name": "de.zertapps.dvhma.plugins.webintent",
|
||||
"version": "1.0.0",
|
||||
"description": "Web intents for Cordova",
|
||||
"cordova": {
|
||||
"id": "de.zertapps.dvhma.plugins.webintent",
|
||||
"platforms": [
|
||||
"android"
|
||||
]
|
||||
},
|
||||
"keywords": [
|
||||
"cordova",
|
||||
"webintent",
|
||||
"ecosystem:cordova",
|
||||
"cordova-android"
|
||||
],
|
||||
"author": "",
|
||||
"license": "MIT"
|
||||
}
|
Loading…
Reference in New Issue