DIVA (Damn Insecure and Vulnerable App) is an Android application intentionally designed with critical security flaws. This practical audit covers static (SAST) and dynamic (DAST) analysis, demonstrating how development errors compromise user data and how to mitigate them.
In Android, each app runs in its own "Sandbox" with a unique User ID (UID). By default, an app cannot read another app's files. However, on a rooted device, an attacker can bypass the Sandbox and access the /data/data/ directory where apps store private information.
Developers use the Log class for debugging. If these log calls are left in the production build, any app holding the READ_LOGS permission can read the sensitive information they print.
adb shell
# DIVA processes credit cards and prints them in logcat:
logcat | grep "diva-log"
Mitigation: Use tools like ProGuard or R8 to strip Log.d() calls during the Release build.
An APK can be easily decompiled. DIVA hides a "Vendor Key" directly in the Java code.
# 1. Open the APK with JADX (Dalvik to Java Decompiler):
jadx-gui diva.apk
# 2. Navigate to HardcodeActivity to see the plaintext string.
As a mobile auditor, you need to access the guts of the Android filesystem and use the correct tools to extract information. Answer the analysis questions to complete the DIVA application audit.
adb shell
su
cd /data/data/jakhar.aseem.diva/shared_prefs/
cat jakhar.aseem.diva_preferences.xml
Mitigation: Use EncryptedSharedPreferences which automatically encrypts keys and values using the Android Keystore.
adb shell
su
cd /data/data/jakhar.aseem.diva/databases/
sqlite3 ids2
sqlite> SELECT * FROM myuser;
Mitigation: Use SQLCipher, an open-source SQLite extension that provides transparent 256-bit AES encryption.
Storing files in /sdcard/ means ANY app with the READ_EXTERNAL_STORAGE permission can read them.
Local SQLite queries are vulnerable to SQL injection when user input is concatenated directly into the SQL string. Injecting ' OR '1'='1 as the username makes the WHERE clause always true, so the query returns all users.
Mitigation: Always use prepared statements (parameterized queries), so that user input is bound as a value and never parsed as part of the SQL.
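The following added example (not DIVA's own code) reproduces the myuser table in an in-memory SQLite database with constructed rows (column names are assumed) and runs the same payload through a concatenated query and a parameterized one; on Android the parameterized form corresponds to passing selectionArgs to SQLiteDatabase.rawQuery() instead of building the string yourself.

```python
import sqlite3

# Constructed sample rows standing in for DIVA's myuser table (column names assumed).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "letmein")]

# The payload quoted on the page.
PAYLOAD = "' OR '1'='1"


def open_sample_db():
    """In-memory stand-in for /data/data/jakhar.aseem.diva/databases/ids2."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE myuser (user TEXT, password TEXT)")
    db.executemany("INSERT INTO myuser VALUES (?, ?)", SAMPLE_USERS)
    return db


def lookup_vulnerable(db, name):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT user, password FROM myuser WHERE user = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    """Parameter binding: the input is only ever a string value."""
    sql = "SELECT user, password FROM myuser WHERE user = ?"
    return db.execute(sql, (name,)).fetchall()


def demo():
    """Run the page's payload through both query styles."""
    db = open_sample_db()
    return {
        "vulnerable": lookup_vulnerable(db, PAYLOAD),  # every row leaks
        "safe": lookup_safe(db, PAYLOAD),              # no user named "' OR '1'='1"
    }


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(f"{mode}: {len(rows)} row(s) -> {rows}")
```

A normal username such as "bob" returns the same single row from both functions; only the injected input behaves differently.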