MASTG-APP-0014: InsecureShop
Deprecated App
This app is deprecated and should not be used anymore. Reason: The app is no longer relevant or was replaced by other apps.
Please check the following apps that cover this app:
No apps are covering this app.
InsecureShop is an intentionally vulnerable Android application built to teach developers and security professionals about common pitfalls in modern Android apps. It also serves as a practice target for Android pentesting skills.
Most of its vulnerabilities can be exploited on non-rooted devices, and they can be triggered both by remote users and by malicious third-party applications. Notably, the app doesn't use any APIs. InsecureShop covers a range of vulnerabilities, including:
- Hardcoded Credentials: Embedded login credentials within the code.
- Insufficient URL Validation: Allows loading of arbitrary URLs via deep links.
- Arbitrary Code Execution: Enables the execution of code from third-party packages.
- Access to Protected Components: Permits third-party apps to launch secure components.
- Insecure Broadcast Receiver: Registers a broadcast receiver that enables URL injection.
- Insecure Content Provider: Accessible content provider putting user data at risk.
To complement these exercises, InsecureShop provided documentation about the implemented vulnerabilities and their associated code. That documentation did not, however, offer complete solutions for each vulnerability showcased in the app. The documentation website is no longer accessible.