VulnerAppDLH is a deliberately insecure Android application designed as a training ground and testbed for the Droid-LLM-Hunter security analysis tool. It implements a wide range of common Android vulnerabilities based on the OWASP Mobile Top 10 and MASVS standards, serving as a perfect target to demonstrate DLH's detection capabilities.
This repository includes detailed verification reports generated by Droid-LLM-Hunter:
- GENERATE_EXPLOIT.md: Contains the full list of verified vulnerabilities, mapping to report folders, and executed exploit scripts (Python/Shell/HTML/JS).
- VULNER_DLH.md: A technical encyclopedia of all vulnerability rules supported by DLH, including technical impact and detection logic.
VulnerApp contains the following intentional security flaws, each isolated in its own Activity for clear demonstration:
- Component: `SecretsActivity`
- Vulnerability:
  - Hardcoded AWS Access Keys and API Tokens in source code.
  - Storing sensitive user credentials (plaintext) in `SharedPreferences`.
  - Logging sensitive tokens to `Logcat`.
- MASVS: MASVS-STORAGE-1, MASVS-CODE-2

- Component: `SQLInjectionActivity`
- Vulnerability:
  - Constructs SQL queries using raw string concatenation with user input.
  - Allows attackers to manipulate database queries (e.g., `' OR '1'='1`).
- MASVS: MASVS-CODE-4

- Component: `WebViewActivity`
- Vulnerability:
  - Cross-Site Scripting (XSS): JavaScript enabled (`setJavaScriptEnabled(true)`).
  - Local File Access: Access to file system allowed (`setAllowUniversalAccessFromFileURLs(true)`).
  - JavascriptInterface: Exposes sensitive native methods (`getSecrets`) to web content.
  - Deep Link: Vulnerable to loading malicious URLs via `dlh://webview`.
- MASVS: MASVS-PLATFORM-2, MASVS-CODE-4

- Component: `GraphQLInjectionActivity`
- Vulnerability:
  - Constructs GraphQL queries by concatenating user strings directly into the query body.
  - Susceptible to query injection/mutation attacks.
- MASVS: MASVS-CODE-4

- Component: `InsecureFileActivity`
- Vulnerability:
  - World-Readable Files: Creates files with `MODE_WORLD_READABLE` (deprecated but dangerous).
  - Path Traversal: Allows reading arbitrary files via unchecked user input filenames.
- MASVS: MASVS-STORAGE-2

- Component: `CryptoActivity`
- Vulnerability:
  - Weak Randomness: Uses `java.util.Random` for Session Tokens (predictable).
  - Auth Bypass: Simulates biometric authentication that sets a simple boolean flag in memory.
- MASVS: MASVS-CRYPTO-1, MASVS-AUTH-1

- Component: `UnprotectedExportedActivity`, `SpoofableReceiver`
- Vulnerability:
  - Deep Link Hijacking: `vulnerapp://*` accepts any host, prone to intent interception.
  - Intent Spoofing: Exported Broadcast Receiver accepts actions from any app without permission checks.
- MASVS: MASVS-PLATFORM-1
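
The Path Traversal item under `InsecureFileActivity` comes down to joining an unchecked file name onto a base directory. As an added example (not code from VulnerAppDLH or Droid-LLM-Hunter), this Kotlin program puts that pattern beside a confined version; the function names `openUnchecked` and `openConfined` and the temporary-directory sandbox are assumptions made for illustration.

```kotlin
import java.io.File
import java.nio.file.Files

// Vulnerable pattern (constructed): the user-supplied name is joined to the
// base directory unchecked, so "../" segments can leave it.
fun openUnchecked(baseDir: File, name: String): File = File(baseDir, name)

// Hardened form: canonicalize both paths (resolves ".." and symlinks), then
// require the target to sit strictly below the base directory.
fun openConfined(baseDir: File, name: String): File {
    val base = baseDir.canonicalFile
    val target = File(base, name).canonicalFile
    // Path.startsWith compares whole path components, so a sibling such as
    // "files_backup" is not mistaken for something inside "files".
    require(target != base && target.toPath().startsWith(base.toPath())) {
        "file name escapes ${base.name}"
    }
    return target
}

fun main() {
    // Constructed sandbox standing in for the app's private files directory.
    val root = Files.createTempDirectory("dlh-demo").toFile()
    val base = File(root, "files").apply { mkdirs() }
    File(root, "files_backup").mkdirs()
    File(base, "notes.txt").writeText("ok")

    // Constructed inputs: one legitimate name and two traversal attempts.
    val inputs = listOf("notes.txt", "../files_backup/x", "../../etc/hosts")
    for (name in inputs) {
        val unchecked = openUnchecked(base, name).canonicalPath
        val verdict = try {
            "allowed: " + openConfined(base, name).name
        } catch (e: IllegalArgumentException) {
            "rejected (${e.message})"
        }
        println("$name\n  unchecked resolves to $unchecked\n  confined: $verdict")
    }
    root.deleteRecursively()
}
```

The `../files_backup/x` input is the case a plain string-prefix comparison on the path would let through, which is why the check is done on path components.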
You need Android Studio or Gradle installed.

Use the wrapper script or local gradle to build the debug APK:

```bash
git clone https://github.com/roomkangali/VulnerAppDLH.git
cd VulnerAppDLH
./gradlew assembleDebug
```

The output APK will be located at:

```
app/build/outputs/apk/debug/app-debug.apk
```

```bash
adb install app/build/outputs/apk/debug/app-debug.apk
```

To analyze this app using Droid-LLM-Hunter (DLH) and verify the vulnerabilities:

Ensure you are in the root directory of droid-llm-hunter.

Execute the scanner against the built APK:

```bash
python3 dlh.py scan VulnerAppDLH.apk
```

DLH will generate a report in the `output/` directory (e.g., `VulnerAppDLH.apk_results.json`).

- Hardcoded Secrets
- SQL Injection
- GraphQL Injection
- WebView XSS
- Insecure Storage
- etc.
- Dynamic Rule Updates: This application will be updated with new vulnerability scenarios as new detection rules are added to Droid-LLM-Hunter (DLH).
- Jetpack Compose Security (`jetpack_compose_security`)
  - Status: High Effort / High Risk (Deferred)
  - Reasoning: The current project relies on the standard XML ("Legacy View") system. Migrating or adding Jetpack Compose support requires:
    - Significant changes to `build.gradle` (enabling `compose true`).
    - Adding heavy dependencies (Compose UI, Material3, Compiler Extensions).
- Package Name: `com.dlh.vulnerapp`
- Min SDK: 24
- Target SDK: 34
- Language: Kotlin
- Architecture: MVVM (Simplified for demonstration)
Disclaimer: This application is INTENTIONALLY VULNERABLE. Do not install it on a production device containing sensitive data. Do not use portions of this code in real applications.
