android app vulnerability learning (1)

Posted by tetley at 2020-04-17

Diva (damn secure and vulnerable APP) is a purposely designed android app with many vulnerabilities. Its purpose is to let developers, security engineers, QA, etc. understand some common security problems of android app. Similar to DVWA, it can also be regarded as a vulnerability drilling system. Download address:


testing environment

1. Install JDK, many tools need to use Java environment;

2. Install Android development tool (ADT, Android studio), download address:

Drozer download address:

Dex2jar download address:

Jd-gui download address:


Or use androl4b virtual machine, download address:


Part 1 unsafe log output

This problem is mainly because sensitive information is output to the logcat of the app in the app code. To view the logcat of the app record, you can use the following command:

1.adb logcat

2. Input user credentials and observe log output.

3. Source code: log. E ()

It can be seen that the user's input is output to the log. Look at the specific vulnerability code. Open the logactivity.class file with the jd-gui. The relevant code is shown in the figure:

Part 2 hardcoded 1 (class source file)

Many development partners can use variable variables when developing apps. However, due to the lack of relevant security development awareness and the use of hard coding, there are certain security risks. The specific definition of hard coding can refer to Baidu. Developers should try to avoid hard coding in the development process. First look at the code hardcodeactivity.class involved in question 2. The JD GUI is opened. The relevant codes are as follows:

View hardcodeactivity.class:

The attacker only needs to enter the secret key vendorsecretkey in the app to access successfully, as shown in the figure:

Part 3 insecure storage 1 (shared_prefs / xxx. XML)

Insecure data storage is also one of the common security problems of app, mainly in three ways:

1. Save sensitive data to configuration file;

2. Store sensitive data in the local SQLite3 database;

3. Save sensitive data in temporary file or SD card.

The data stored by the SharedPreferences class will be stored in. XML


Under the directory. As shown in the picture:

cd /data/data/jakhar.aseen.diva/shared_prefs

Part 4 insecure storage 2 (databases / xxx. DB)

Sensitive information of the user is stored in the local database. Generally, the database directory corresponding to the app:

/data/data/apppackagename/databases /data/data/jakhar.aseem.diva/databases

As shown in the picture:

cd /data/data/jakhar.aseen.diva/databases cd /data/data/jakhar.aseen.diva/

Part 6 insecure storage 4 (SD card)

Stored in SD card, vulnerability code fragment:


Welcome to leave a message and communicate with me.