├── .nojekyll
├── app
├── .gitignore
├── dynamic.jar
├── out
│ └── classes.dex
├── src
│ ├── main
│ │ ├── res
│ │ │ ├── values
│ │ │ │ ├── strings.xml
│ │ │ │ ├── themes.xml
│ │ │ │ └── colors.xml
│ │ │ ├── mipmap-hdpi
│ │ │ │ ├── ic_launcher.webp
│ │ │ │ └── ic_launcher_round.webp
│ │ │ ├── mipmap-mdpi
│ │ │ │ ├── ic_launcher.webp
│ │ │ │ └── ic_launcher_round.webp
│ │ │ ├── mipmap-xhdpi
│ │ │ │ ├── ic_launcher.webp
│ │ │ │ └── ic_launcher_round.webp
│ │ │ ├── mipmap-xxhdpi
│ │ │ │ ├── ic_launcher.webp
│ │ │ │ └── ic_launcher_round.webp
│ │ │ ├── mipmap-xxxhdpi
│ │ │ │ ├── ic_launcher.webp
│ │ │ │ └── ic_launcher_round.webp
│ │ │ ├── mipmap-anydpi
│ │ │ │ ├── ic_launcher.xml
│ │ │ │ └── ic_launcher_round.xml
│ │ │ ├── xml
│ │ │ │ ├── backup_rules.xml
│ │ │ │ └── data_extraction_rules.xml
│ │ │ └── drawable
│ │ │ │ ├── ic_launcher_foreground.xml
│ │ │ │ └── ic_launcher_background.xml
│ │ ├── java
│ │ │ └── dev
│ │ │ │ └── jamescullimore
│ │ │ │ └── android_security_training
│ │ │ │ ├── ui
│ │ │ │ └── theme
│ │ │ │ │ ├── Color.kt
│ │ │ │ │ ├── Type.kt
│ │ │ │ │ └── Theme.kt
│ │ │ │ ├── perm
│ │ │ │ ├── PermDemoHelper.kt
│ │ │ │ ├── DemoService.kt
│ │ │ │ └── DemoProvider.kt
│ │ │ │ ├── risks
│ │ │ │ └── RisksHelper.kt
│ │ │ │ ├── re
│ │ │ │ └── ReDemoHelper.kt
│ │ │ │ ├── deeplink
│ │ │ │ └── DeepLinkHelper.kt
│ │ │ │ ├── network
│ │ │ │ └── NetworkHelper.kt
│ │ │ │ ├── root
│ │ │ │ └── RootHelper.kt
│ │ │ │ ├── storage
│ │ │ │ └── StorageHelper.kt
│ │ │ │ ├── web
│ │ │ │ └── WebViewHelper.kt
│ │ │ │ ├── multiuser
│ │ │ │ └── MultiUserHelper.kt
│ │ │ │ ├── crypto
│ │ │ │ └── CryptoHelper.kt
│ │ │ │ ├── DemoReceiver.kt
│ │ │ │ └── ClearDataReceiver.kt
│ │ └── AndroidManifest.xml
│ ├── test
│ │ ├── snapshots
│ │ │ └── images
│ │ │ │ ├── __REHomePreview.png
│ │ │ │ ├── __E2EHomePreview.png
│ │ │ │ ├── __PermHomePreview.png
│ │ │ │ ├── __RisksScreenPreview.png
│ │ │ │ ├── __RootScreenPreview.png
│ │ │ │ ├── __WebScreenPreview.png
│ │ │ │ ├── __DeepLinksHomePreview.png
│ │ │ │ ├── __PinningScreenPreview.png
│ │ │ │ ├── __StorageScreenPreview.png
│ │ │ │ └── __MultiUserScreenPreview.png
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ ├── PaparazziConfig.kt
│ │ │ └── PreviewTestParameterTests.kt
│ ├── vuln
│ │ ├── assets
│ │ │ └── sensitive.txt
│ │ ├── res
│ │ │ └── xml
│ │ │ │ └── network_security_config_client_vuln.xml
│ │ ├── java
│ │ │ └── dev
│ │ │ │ └── jamescullimore
│ │ │ │ └── android_security_training
│ │ │ │ ├── risks
│ │ │ │ └── VulnRisksHelper.kt
│ │ │ │ ├── ExportedService.kt
│ │ │ │ ├── root
│ │ │ │ └── VulnRootHelper.kt
│ │ │ │ ├── perm
│ │ │ │ └── VulnPermDemoHelper.kt
│ │ │ │ ├── Provider.kt
│ │ │ │ ├── network
│ │ │ │ └── VulnNetworkHelper.kt
│ │ │ │ ├── deeplink
│ │ │ │ └── VulnDeepLinkHelper.kt
│ │ │ │ ├── crypto
│ │ │ │ └── VulnCryptoHelper.kt
│ │ │ │ └── re
│ │ │ │ └── VulnReDemoHelper.kt
│ │ └── AndroidManifest.xml
│ ├── secure
│ │ ├── AndroidManifest.xml
│ │ ├── java
│ │ │ └── dev
│ │ │ │ └── jamescullimore
│ │ │ │ └── android_security_training
│ │ │ │ ├── risks
│ │ │ │ └── SecureRisksHelper.kt
│ │ │ │ ├── perm
│ │ │ │ └── SecurePermDemoHelper.kt
│ │ │ │ ├── Provider.kt
│ │ │ │ ├── deeplink
│ │ │ │ └── SecureDeepLinkHelper.kt
│ │ │ │ ├── re
│ │ │ │ └── SecureReDemoHelper.kt
│ │ │ │ ├── network
│ │ │ │ └── SecureNetworkHelper.kt
│ │ │ │ └── web
│ │ │ │ └── SecureWebViewHelper.kt
│ │ └── res
│ │ │ └── xml
│ │ │ └── network_security_config_client_secure.xml
│ ├── storage
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── StorageActivity.kt
│ ├── e2e
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── E2EActivity.kt
│ ├── perm
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── PermActivity.kt
│ ├── re
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── REActivity.kt
│ ├── risks
│ │ └── AndroidManifest.xml
│ ├── root
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── RootActivity.kt
│ ├── users
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── MultiUserActivity.kt
│ ├── pinning
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── PinningActivity.kt
│ ├── androidTest
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── ExampleInstrumentedTest.kt
│ ├── web
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ │ └── dev
│ │ │ └── jamescullimore
│ │ │ └── android_security_training
│ │ │ └── WebActivity.kt
│ └── links
│ │ ├── AndroidManifest.xml
│ │ └── java
│ │ └── dev
│ │ └── jamescullimore
│ │ └── android_security_training
│ │ └── DeepLinksActivity.kt
├── build_classes
│ └── dev
│ │ └── training
│ │ └── dynamic
│ │ └── Hello.class
├── dev
│ └── training
│ │ └── dynamic
│ │ └── Hello.java
├── proguard-rules.pro
└── build.gradle.kts
├── _config.yml
├── abe.jar
├── seminar.jks
├── gradle
├── wrapper
│ ├── gradle-wrapper.jar
│ └── gradle-wrapper.properties
└── libs.versions.toml
├── html
└── payload.html
├── server_ecdh_pub.pem
├── server_ecdh.key
├── privapp-permissions-androidsecuritytraining.xml
├── .gitignore
├── frida
└── hook_secure_storage.js
├── settings.gradle.kts
├── .well-known
└── assetlinks.json
├── docs
├── topics
│ ├── README.md
│ ├── root
│ │ └── README.md
│ ├── storage
│ │ └── README.md
│ ├── perm
│ │ └── README.md
│ ├── pinning
│ │ └── README.md
│ ├── e2e
│ │ └── README.md
│ ├── re
│ │ └── README.md
│ ├── web
│ │ └── README.md
│ └── links
│ │ └── README.md
└── howtos
│ ├── rooted-emulator.md
│ ├── frida.md
│ └── mitmproxy.md
├── gradle.properties
├── gradlew.bat
└── README.md
/.nojekyll:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/app/.gitignore:
--------------------------------------------------------------------------------
1 | /build
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
1 | include: [".well-known"]
2 |
--------------------------------------------------------------------------------
/abe.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/abe.jar
--------------------------------------------------------------------------------
/seminar.jks:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/seminar.jks
--------------------------------------------------------------------------------
/app/dynamic.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/dynamic.jar
--------------------------------------------------------------------------------
/app/out/classes.dex:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/out/classes.dex
--------------------------------------------------------------------------------
/app/src/main/res/values/strings.xml:
--------------------------------------------------------------------------------
1 |
2 | Android Security Training
3 |
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/gradle/wrapper/gradle-wrapper.jar
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-hdpi/ic_launcher.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-hdpi/ic_launcher.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-mdpi/ic_launcher.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-mdpi/ic_launcher.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xhdpi/ic_launcher.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-xhdpi/ic_launcher.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxhdpi/ic_launcher.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-xxhdpi/ic_launcher.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxxhdpi/ic_launcher.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-xxxhdpi/ic_launcher.webp
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__REHomePreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__REHomePreview.png
--------------------------------------------------------------------------------
/app/build_classes/dev/training/dynamic/Hello.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/build_classes/dev/training/dynamic/Hello.class
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-hdpi/ic_launcher_round.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-hdpi/ic_launcher_round.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-mdpi/ic_launcher_round.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-mdpi/ic_launcher_round.webp
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__E2EHomePreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__E2EHomePreview.png
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__PermHomePreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__PermHomePreview.png
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xhdpi/ic_launcher_round.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-xhdpi/ic_launcher_round.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-xxhdpi/ic_launcher_round.webp
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/main/res/mipmap-xxxhdpi/ic_launcher_round.webp
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__RisksScreenPreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__RisksScreenPreview.png
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__RootScreenPreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__RootScreenPreview.png
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__WebScreenPreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__WebScreenPreview.png
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__DeepLinksHomePreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__DeepLinksHomePreview.png
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__PinningScreenPreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__PinningScreenPreview.png
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__StorageScreenPreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__StorageScreenPreview.png
--------------------------------------------------------------------------------
/html/payload.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | JS Injection Test
5 |
8 |
9 |
--------------------------------------------------------------------------------
/app/src/test/snapshots/images/__MultiUserScreenPreview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/LethalMaus/AndroidSecurityTraining/HEAD/app/src/test/snapshots/images/__MultiUserScreenPreview.png
--------------------------------------------------------------------------------
/app/dev/training/dynamic/Hello.java:
--------------------------------------------------------------------------------
1 | package dev.training.dynamic;
2 |
3 | public class Hello {
4 | public static String greet() {
5 | return "Hello from dynamic DEX";
6 | }
7 | }
8 |
--------------------------------------------------------------------------------
/app/src/test/java/dev/jamescullimore/android_security_training/PaparazziConfig.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training
2 |
3 | annotation class PaparazziConfig(val maxPercentDifference: Double)
--------------------------------------------------------------------------------
/server_ecdh_pub.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN PUBLIC KEY-----
2 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESHikZYG7KDqWy5VPFAV8Onu1+msM
3 | GGFxlwWBHRlM/1QlPnrJxvceqHbv98CaRMTQ+N0uaoiLddQjCvUnQoqyhQ==
4 | -----END PUBLIC KEY-----
5 |
--------------------------------------------------------------------------------
/app/src/main/res/values/themes.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
--------------------------------------------------------------------------------
/server_ecdh.key:
--------------------------------------------------------------------------------
1 | -----BEGIN EC PRIVATE KEY-----
2 | MHcCAQEEIB01qbnNckM7NTwXYEJl/GOdxge4rOLl97evOygKQbA1oAoGCCqGSM49
3 | AwEHoUQDQgAESHikZYG7KDqWy5VPFAV8Onu1+msMGGFxlwWBHRlM/1QlPnrJxvce
4 | qHbv98CaRMTQ+N0uaoiLddQjCvUnQoqyhQ==
5 | -----END EC PRIVATE KEY-----
6 |
--------------------------------------------------------------------------------
/app/src/vuln/assets/sensitive.txt:
--------------------------------------------------------------------------------
1 | DO NOT SHIP: Example API key leaked via assets for training.
2 | api_key=sk_live_REPLACE_IN_LAB # training demo value; replace with lab secret for exercises
3 | notes=This file exists only in vuln builds to demonstrate asset leakage.
4 |
--------------------------------------------------------------------------------
/gradle/wrapper/gradle-wrapper.properties:
--------------------------------------------------------------------------------
1 | #Fri Oct 17 08:56:32 CEST 2025
2 | distributionBase=GRADLE_USER_HOME
3 | distributionPath=wrapper/dists
4 | distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
5 | zipStoreBase=GRADLE_USER_HOME
6 | zipStorePath=wrapper/dists
7 |
--------------------------------------------------------------------------------
/privapp-permissions-androidsecuritytraining.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/app/src/secure/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
4 |
5 |
8 |
9 |
10 |
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-anydpi/ic_launcher.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/app/src/main/res/mipmap-anydpi/ic_launcher_round.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/ui/theme/Color.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.ui.theme
2 |
3 | import androidx.compose.ui.graphics.Color
4 |
5 | val Purple80 = Color(0xFFD0BCFF)
6 | val PurpleGrey80 = Color(0xFFCCC2DC)
7 | val Pink80 = Color(0xFFEFB8C8)
8 |
9 | val Purple40 = Color(0xFF6650a4)
10 | val PurpleGrey40 = Color(0xFF625b71)
11 | val Pink40 = Color(0xFF7D5260)
--------------------------------------------------------------------------------
/app/src/main/res/values/colors.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | #FFBB86FC
4 | #FF6200EE
5 | #FF3700B3
6 | #FF03DAC5
7 | #FF018786
8 | #FF000000
9 | #FFFFFFFF
10 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/perm/PermDemoHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.perm
2 |
3 | import android.content.Context
4 |
5 | interface PermDemoHelper {
6 | fun uidGidAndSignatureInfo(context: Context): String
7 | fun tryStartProtectedService(context: Context): String
8 | fun tryQueryDemoProvider(context: Context, uri: String): String
9 | fun defaultDemoUri(context: Context): String
10 | }
11 |
--------------------------------------------------------------------------------
/app/src/secure/java/dev/jamescullimore/android_security_training/risks/SecureRisksHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.risks
2 |
3 | import android.view.Window
4 |
5 | class SecureRisksHelper : RisksHelper {
6 | override fun toggleFlagSecure(window: Window): String {
7 | // In secure builds, we block runtime toggling to avoid weakening protections.
8 | return "[SECURE] Action blocked: Runtime toggling of FLAG_SECURE is disabled in secure builds."
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/app/src/vuln/res/xml/network_security_config_client_vuln.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
--------------------------------------------------------------------------------
/app/src/main/res/xml/backup_rules.xml:
--------------------------------------------------------------------------------
1 |
8 |
9 |
13 |
--------------------------------------------------------------------------------
/app/src/storage/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Gradle files
2 | .gradle/
3 | build/
4 |
5 | # Local configuration file (sdk path, etc)
6 | local.properties
7 |
8 | # Log/OS Files
9 | *.log
10 |
11 | # Android Studio generated files and folders
12 | captures/
13 | .externalNativeBuild/
14 | .cxx/
15 | *.aab
16 | *.apk
17 | output-metadata.json
18 |
19 | # IntelliJ
20 | *.iml
21 | .idea/
22 | misc.xml
23 | deploymentTargetDropDown.xml
24 | render.experimental.xml
25 |
26 | # Keystore files
27 | *.keystore
28 |
29 | # Google Services (e.g. APIs or Firebase)
30 | google-services.json
31 |
32 | # Android Profiling
33 | *.hprof
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/risks/RisksHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.risks
2 |
3 | import android.view.Window
4 |
5 | /**
6 | * Helper for Risks topic behaviors that differ between secure and vuln flavors.
7 | */
8 | interface RisksHelper {
9 | /**
10 | * Toggle FLAG_SECURE on the provided Window.
11 | * - vuln flavor: actually toggles and returns a message describing the new state.
12 | * - secure flavor: does not change state and returns a blocked message.
13 | */
14 | fun toggleFlagSecure(window: Window): String
15 | }
16 |
--------------------------------------------------------------------------------
/frida/hook_secure_storage.js:
--------------------------------------------------------------------------------
1 | Java.perform(() => {
2 | const H = Java.use('dev.jamescullimore.android_security_training.storage.SecureStorageHelper');
3 |
4 | const saveTokenOverload = H.saveTokenSecure.overload(
5 | 'android.content.Context',
6 | 'java.lang.String',
7 | 'kotlin.coroutines.Continuation'
8 | );
9 |
10 | saveTokenOverload.implementation = function (ctx, token, cont) {
11 | console.log('[Frida] saveTokenSecure token =', token);
12 |
13 | const result = saveTokenOverload.call(this, ctx, token, cont);
14 | console.log('[Frida] original returned:', result);
15 | return result;
16 | };
17 | });
18 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/perm/DemoService.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.perm
2 |
3 | import android.app.Service
4 | import android.content.Intent
5 | import android.os.IBinder
6 | import android.util.Log
7 |
8 | class DemoService : Service() {
9 | override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
10 | Log.i("PermDemo", "DemoService started by ${intent?.`package`}")
11 | // Do nothing, just a demo
12 | stopSelf(startId)
13 | return START_NOT_STICKY
14 | }
15 |
16 | override fun onBind(intent: Intent?): IBinder? = null
17 | }
18 |
--------------------------------------------------------------------------------
/app/src/main/res/xml/data_extraction_rules.xml:
--------------------------------------------------------------------------------
1 |
6 |
7 |
8 |
12 |
13 |
19 |
--------------------------------------------------------------------------------
/settings.gradle.kts:
--------------------------------------------------------------------------------
1 | pluginManagement {
2 | repositories {
3 | google {
4 | content {
5 | includeGroupByRegex("com\\.android.*")
6 | includeGroupByRegex("com\\.google.*")
7 | includeGroupByRegex("androidx.*")
8 | }
9 | }
10 | mavenCentral()
11 | gradlePluginPortal()
12 | }
13 | }
14 | dependencyResolutionManagement {
15 | repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
16 | repositories {
17 | google()
18 | mavenCentral()
19 | }
20 | }
21 |
22 | rootProject.name = "Android Security Training"
23 | include(":app")
24 |
--------------------------------------------------------------------------------
/app/src/e2e/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/app/src/perm/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/app/src/re/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
--------------------------------------------------------------------------------
/app/src/risks/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/app/src/root/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/re/ReDemoHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.re
2 |
3 | import android.content.Context
4 |
5 | interface ReDemoHelper {
6 | fun getHardcodedSecret(): String
7 | fun readLeakyAsset(context: Context): String
8 | suspend fun tryDynamicDexLoad(context: Context, dexOrJarPath: String): String
9 | fun getSigningInfo(context: Context): String
10 | fun verifyExpectedSignature(context: Context): Boolean
11 | // Exposed for the lab UI: shows the current value of a method that students will modify and re-sign
12 | fun getMethodToBeChangedAndResignedValue(): Boolean
13 | }
14 |
--------------------------------------------------------------------------------
/app/src/users/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
4 |
5 |
6 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/app/src/pinning/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
4 |
5 |
6 |
7 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
--------------------------------------------------------------------------------
/.well-known/assetlinks.json:
--------------------------------------------------------------------------------
1 | [
2 | {
3 | "relation": ["delegate_permission/common.handle_all_urls"],
4 | "target": {
5 | "namespace": "android_app",
6 | "package_name": "dev.jamescullimore.android_security_training.secure",
7 | "sha256_cert_fingerprints": [
8 | "44EAEEE4FB4B0BE615B4DE5BBB2DEF2F5EDB81C8DEAB289BE16EEAE3E456614F"
9 | ]
10 | }
11 | },
12 | {
13 | "relation": ["delegate_permission/common.handle_all_urls"],
14 | "target": {
15 | "namespace": "android_app",
16 | "package_name": "dev.jamescullimore.android_security_training.vuln",
17 | "sha256_cert_fingerprints": [
18 | "118EE6961CEE9A9A4A6F2228ACB5B804C783D5642D3AD7B3DB8B4130F8EC082C"
19 | ]
20 | }
21 | }
22 | ]
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/deeplink/DeepLinkHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.deeplink
2 |
3 | import android.content.Context
4 | import android.content.Intent
5 |
6 | interface DeepLinkHelper {
7 | // Returns a human-readable summary of the incoming intent and validation outcome
8 | fun describeIncomingIntent(intent: Intent?): String
9 |
10 | // Processes an incoming VIEW intent: validates and returns a result string (no navigation side effects)
11 | fun handleIncomingIntent(intent: Intent): String
12 |
13 | // Example of safe internal navigation decision based on a URL string (used by UI button)
14 | fun safeNavigateExample(context: Context, uriString: String): String
15 | }
16 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/network/NetworkHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.network
2 |
3 | /**
4 | * Simple interface to perform a demo HTTPS request and return a short string result.
5 | * Implementations will differ per securityProfile flavor (secure vs vuln).
6 | */
7 | interface NetworkHelper {
8 | suspend fun fetchDemo(url: String = DEFAULT_URL): String
9 |
10 | /** Optional: allow runtime toggle for pinning demo modes ("bad" | "good" | "ct"). Default no-op. */
11 | fun setPinningMode(mode: String) { /* default no-op for implementations that don't support it */ }
12 |
13 | companion object {
14 | const val DEFAULT_URL: String = "https://api.github.com/"
15 | }
16 | }
17 |
--------------------------------------------------------------------------------
/app/src/vuln/java/dev/jamescullimore/android_security_training/risks/VulnRisksHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.risks
2 |
3 | import android.view.Window
4 | import android.view.WindowManager
5 |
6 | class VulnRisksHelper : RisksHelper {
7 | override fun toggleFlagSecure(window: Window): String {
8 | val isSet = (window.attributes.flags and WindowManager.LayoutParams.FLAG_SECURE) != 0
9 | return if (isSet) {
10 | window.clearFlags(WindowManager.LayoutParams.FLAG_SECURE)
11 | "Disabled FLAG_SECURE. Screenshots allowed."
12 | } else {
13 | window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
14 | "Enabled FLAG_SECURE. Screenshots/recents should be blocked."
15 | }
16 | }
17 | }
18 |
--------------------------------------------------------------------------------
/app/src/vuln/java/dev/jamescullimore/android_security_training/ExportedService.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training
2 |
3 | import android.app.Service
4 | import android.content.Intent
5 | import android.os.IBinder
6 | import android.widget.Toast
7 |
8 | // Intentionally exported in the vulnerable flavor for training/demo purposes
9 | class ExportedService : Service() {
10 | override fun onStartCommand(intent: Intent?, flags: Int, startId: Int): Int {
11 | // Simple side effect so it’s visible when started from adb
12 | Toast.makeText(this, "[VULN] ExportedService started", Toast.LENGTH_LONG).show()
13 | // Auto-stop after showing the toast
14 | stopSelf(startId)
15 | return START_NOT_STICKY
16 | }
17 |
18 | override fun onBind(intent: Intent?): IBinder? = null
19 | }
20 |
--------------------------------------------------------------------------------
/app/src/androidTest/java/dev/jamescullimore/android_security_training/ExampleInstrumentedTest.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training
2 |
3 | import androidx.test.platform.app.InstrumentationRegistry
4 | import androidx.test.ext.junit.runners.AndroidJUnit4
5 |
6 | import org.junit.Test
7 | import org.junit.runner.RunWith
8 |
9 | import org.junit.Assert.*
10 |
11 | /**
12 | * Instrumented test, which will execute on an Android device.
13 | *
14 | * See [testing documentation](http://d.android.com/tools/testing).
15 | */
16 | @RunWith(AndroidJUnit4::class)
17 | class ExampleInstrumentedTest {
18 | @Test
19 | fun useAppContext() {
20 | // Context of the app under test.
21 | val appContext = InstrumentationRegistry.getInstrumentation().targetContext
22 | assertEquals("dev.jamescullimore.android_security_training", appContext.packageName)
23 | }
24 | }
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/root/RootHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.root
2 |
3 | import android.content.Context
4 |
5 | /** Root detection/training interface for Anti-Root topic. */
6 | interface RootHelper {
7 | data class RootSignal(val name: String, val detected: Boolean, val details: String? = null)
8 |
9 | fun getSignals(context: Context): List
10 | fun isRooted(context: Context): Boolean
11 | fun deviceInfo(): String
12 |
13 | /** Placeholder string for classroom: integrate Play Integrity in real exercises. */
14 | fun playIntegrityStatus(context: Context): String
15 |
16 | /** Simple tamper check (e.g., signing cert digest). Implemented in secure helper. */
17 | fun tamperCheck(context: Context): Boolean
18 |
19 | /** In vuln builds this enables a trivial bypass; secure builds ignore. */
20 | fun setBypassEnabled(enabled: Boolean)
21 | }
--------------------------------------------------------------------------------
/docs/topics/README.md:
--------------------------------------------------------------------------------
1 | # Topics: how to run the labs
2 |
3 | > Note: Each topic now has its own dedicated README. Use these quick links:
4 | > - 1. Certificate pinning & HTTPS — [pinning/README.md](pinning/README.md)
5 | > - 2. End‑to‑end encryption (E2E) — [e2e/README.md](e2e/README.md)
6 | > - 3. Reverse‑engineering resistance — [re/README.md](re/README.md)
7 | > - 4. Runtime permissions — [perm/README.md](perm/README.md)
8 | > - 5. App links & deep links — [links/README.md](links/README.md)
9 | > - 6. Secure storage — [storage/README.md](storage/README.md)
10 | > - 7. Root/Jailbreak detection — [root/README.md](root/README.md)
11 | > - 8. WebView & exported components — [web/README.md](web/README.md)
12 | > - 9. Multi‑user/AAOS considerations — [users/README.md](users/README.md)
13 | > - 10. Risk modeling & dangerous defaults — [risks/README.md](risks/README.md)
14 |
15 | Each topic below tells you what to try (lab guide), what “secure” does vs. “vuln”, best practices to take away, and extra reading.
16 |
17 | [Back to main README](../../README.md)
18 |
--------------------------------------------------------------------------------
/app/src/secure/res/xml/network_security_config_client_secure.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 | api.github.com
21 |
22 |
23 |
24 |
25 |
--------------------------------------------------------------------------------
/app/src/web/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/storage/StorageHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.storage
2 |
3 | import android.content.Context
4 |
5 | interface StorageHelper {
6 | // Preferences
7 | suspend fun saveTokenSecure(context: Context, token: String): String
8 | suspend fun loadTokenSecure(context: Context): String
9 |
10 | suspend fun saveTokenInsecure(context: Context, token: String): String
11 | suspend fun loadTokenInsecure(context: Context): String
12 |
13 | // Files
14 | suspend fun writeSecureFile(context: Context, filename: String, content: String): String
15 | suspend fun writeInsecureFile(context: Context, filename: String, content: String): String
16 | suspend fun readInsecureFile(context: Context, filename: String): String
17 |
18 | // SQLite demo (plaintext DB for training)
19 | suspend fun dbPut(context: Context, key: String, value: String): String
20 | suspend fun dbGet(context: Context, key: String): String
21 | suspend fun dbList(context: Context): String
22 | suspend fun dbDelete(context: Context, key: String): String
23 | }
24 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/ui/theme/Type.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.ui.theme
2 |
3 | import androidx.compose.material3.Typography
4 | import androidx.compose.ui.text.TextStyle
5 | import androidx.compose.ui.text.font.FontFamily
6 | import androidx.compose.ui.text.font.FontWeight
7 | import androidx.compose.ui.unit.sp
8 |
9 | // Set of Material typography styles to start with
10 | val Typography = Typography(
11 | bodyLarge = TextStyle(
12 | fontFamily = FontFamily.Default,
13 | fontWeight = FontWeight.Normal,
14 | fontSize = 16.sp,
15 | lineHeight = 24.sp,
16 | letterSpacing = 0.5.sp
17 | )
18 | /* Other default text styles to override
19 | titleLarge = TextStyle(
20 | fontFamily = FontFamily.Default,
21 | fontWeight = FontWeight.Normal,
22 | fontSize = 22.sp,
23 | lineHeight = 28.sp,
24 | letterSpacing = 0.sp
25 | ),
26 | labelSmall = TextStyle(
27 | fontFamily = FontFamily.Default,
28 | fontWeight = FontWeight.Medium,
29 | fontSize = 11.sp,
30 | lineHeight = 16.sp,
31 | letterSpacing = 0.5.sp
32 | )
33 | */
34 | )
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/web/WebViewHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.web
2 |
3 | import android.content.Context
4 | import android.webkit.WebView
5 |
6 | interface WebViewHelper {
7 | data class State(
8 | val notes: String = "",
9 | val lastJsMessage: String? = null,
10 | val lastBroadcast: String? = null,
11 | val pendingIntentInfo: String? = null,
12 | )
13 |
14 | fun configure(context: Context, webView: WebView): String
15 | fun loadTrusted(context: Context, webView: WebView): String
16 |
17 | // New: explicit untrusted loaders separated for demo clarity
18 | fun loadUntrustedHttp(context: Context, webView: WebView): String
19 | fun loadUntrusted(context: Context, webView: WebView): String // file traversal demo (legacy name kept)
20 |
21 | // New functions requested: load local HTML payload and handle incoming VIEW intents
22 | fun loadLocalPayload(context: Context, webView: WebView): String
23 | fun loadFromIntent(context: Context, webView: WebView, url: String): String
24 |
25 | fun runDemoJs(context: Context, webView: WebView): String
26 | fun sendInternalBroadcast(context: Context): String
27 | fun exposePendingIntent(context: Context): String
28 | }
29 |
--------------------------------------------------------------------------------
/app/src/vuln/java/dev/jamescullimore/android_security_training/root/VulnRootHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.root
2 |
3 | import android.content.Context
4 | import android.os.Build
5 |
6 | class VulnRootHelper : RootHelper {
7 | private var bypass: Boolean = false
8 |
9 | override fun getSignals(context: Context): List {
10 | // Provide minimal/no signals and leak info for training
11 | val list = mutableListOf()
12 | list += RootHelper.RootSignal("signals disabled (vuln)", false, "Training-only: not checking root signals")
13 | return list
14 | }
15 |
16 | override fun isRooted(context: Context): Boolean {
17 | // Intentionally return false or allow toggled bypass
18 | return if (bypass) false else false
19 | }
20 |
21 | override fun deviceInfo(): String = "SDK=${Build.VERSION.SDK_INT}; brand=${Build.BRAND}; model=${Build.MODEL}"
22 |
23 | override fun playIntegrityStatus(context: Context): String = "Play Integrity: not integrated in vuln build (training demo); no enforcement."
24 |
25 | override fun tamperCheck(context: Context): Boolean = true // Does nothing in vuln builds
26 |
27 | override fun setBypassEnabled(enabled: Boolean) { bypass = enabled }
28 | }
--------------------------------------------------------------------------------
/gradle.properties:
--------------------------------------------------------------------------------
1 | # Project-wide Gradle settings.
2 | # IDE (e.g. Android Studio) users:
3 | # Gradle settings configured through the IDE *will override*
4 | # any settings specified in this file.
5 | # For more details on how to configure your build environment visit
6 | # http://www.gradle.org/docs/current/userguide/build_environment.html
7 | # Specifies the JVM arguments used for the daemon process.
8 | # The setting is particularly useful for tweaking memory settings.
9 | org.gradle.jvmargs=-Xmx2048m -Dfile.encoding=UTF-8
10 | # When configured, Gradle will run in incubating parallel mode.
11 | # This option should only be used with decoupled projects. For more details, visit
12 | # https://developer.android.com/r/tools/gradle-multi-project-decoupled-projects
13 | # org.gradle.parallel=true
14 | # AndroidX package structure to make it clearer which packages are bundled with the
15 | # Android operating system, and which are packaged with your app's APK
16 | # https://developer.android.com/topic/libraries/support-library/androidx-rn
17 | android.useAndroidX=true
18 | # Kotlin code style for this project: "official" or "obsolete":
19 | kotlin.code.style=official
20 | # Enables namespacing of each library's R class so that its R class includes only the
21 | # resources declared in the library itself and none from the library's dependencies,
22 | # thereby reducing the size of the R class for that library
23 | android.nonTransitiveRClass=true
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/multiuser/MultiUserHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.multiuser
2 |
3 | import android.content.Context
4 |
5 | interface MultiUserHelper {
6 | /** Returns a multi-line string with user/app/uid info and environment notes. */
7 | fun getRuntimeInfo(context: Context): String
8 |
9 | /** Best-effort listing of users/profiles (may require privileges on production devices). */
10 | fun listUsersBestEffort(context: Context): String
11 |
12 | // Per-user scoped token storage (secure)
13 | fun savePerUserToken(context: Context, token: String): String
14 | fun loadPerUserToken(context: Context): String
15 |
16 | // Intentionally global/insecure storage to illustrate leakage across users/profiles (vuln path)
17 | fun saveGlobalTokenInsecure(context: Context, token: String): String
18 | fun loadGlobalTokenInsecure(context: Context): String
19 |
20 | /** Attempt cross-user read (will fail without special permissions; used to show SecurityException handling). */
21 | fun tryCrossUserRead(context: Context, targetUserId: Int): String
22 |
23 | /** Attempt to send a broadcast to another user. */
24 | fun trySendBroadcastAsUser(context: Context, targetUserId: Int, action: String): String
25 |
26 | /** Attempt to create a Context for another user. */
27 | fun tryCreateContextAsUser(context: Context, targetUserId: Int): String
28 | }
29 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/perm/DemoProvider.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.perm
2 |
3 | import android.content.ContentProvider
4 | import android.content.ContentValues
5 | import android.database.Cursor
6 | import android.database.MatrixCursor
7 | import android.net.Uri
8 | import android.os.Bundle
9 |
10 | class DemoProvider : ContentProvider() {
11 | override fun onCreate(): Boolean = true
12 |
13 | override fun query(
14 | uri: Uri,
15 | projection: Array?,
16 | selection: String?,
17 | selectionArgs: Array?,
18 | sortOrder: String?
19 | ): Cursor? {
20 | // No real storage; return a single-row MatrixCursor with a greeting
21 | val c = MatrixCursor(arrayOf("value"))
22 | c.addRow(arrayOf("hello from DemoProvider: ${uri.path}"))
23 | return c
24 | }
25 |
26 | override fun getType(uri: Uri): String? = "vnd.android.cursor.item/vnd.demo.value"
27 | override fun insert(uri: Uri, values: ContentValues?): Uri? = null
28 | override fun delete(uri: Uri, selection: String?, selectionArgs: Array?): Int = 0
29 | override fun update(uri: Uri, values: ContentValues?, selection: String?, selectionArgs: Array?): Int = 0
30 |
31 | override fun call(method: String, arg: String?, extras: Bundle?): Bundle? {
32 | return Bundle().apply { putString("result", "method=$method") }
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/app/src/main/java/dev/jamescullimore/android_security_training/crypto/CryptoHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.crypto
2 |
3 | import javax.crypto.SecretKey
4 |
5 | interface CryptoHelper {
6 | // Symmetric key generation (for demo only; in real apps prefer Android Keystore-backed keys)
7 | fun generateSymmetricKey(): SecretKey
8 |
9 | // Secure encryption using AES-GCM
10 | data class AesGcmResult(
11 | val iv: ByteArray,
12 | val cipherText: ByteArray,
13 | val tag: ByteArray,
14 | val algorithm: String = "AES/GCM/NoPadding"
15 | )
16 | fun encryptAesGcm(plaintext: ByteArray, aad: ByteArray? = null): AesGcmResult
17 |
18 | // Optional decrypt to validate round-trip (used locally)
19 | fun decryptAesGcm(result: AesGcmResult, aad: ByteArray? = null): ByteArray
20 |
21 | // Message authentication using HMAC-SHA256
22 | fun hmacSha256(data: ByteArray): ByteArray
23 |
24 | // Weak/incorrect examples for training (DO NOT USE IN PRODUCTION)
25 | fun encodeBase64Only(input: ByteArray): ByteArray
26 | fun encryptWeakAesEcb(plaintext: ByteArray): ByteArray
27 |
28 | // ECDH key agreement example (expects a real server P-256 public key in PEM/X.509 SPKI format)
29 | data class EcdhInfo(
30 | val publicKeyPem: String,
31 | val sharedSecretBytes: Int,
32 | val derivedKeyBytes: Int
33 | )
34 | fun performEcdhKeyAgreement(serverEcPublicKeyPem: String): EcdhInfo
35 |
36 | // Send an encrypted API payload over HTTPS (integration demo). Returns HTTP status + snippet.
37 | suspend fun postEncryptedJson(url: String, jsonPlaintext: String): String
38 | }
39 |
--------------------------------------------------------------------------------
/app/src/links/AndroidManifest.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
--------------------------------------------------------------------------------
/docs/howtos/rooted-emulator.md:
--------------------------------------------------------------------------------
1 | ## Getting a rooted emulator (for certain labs)
2 | To enable root access: Pick an emulator system image that is NOT labelled "Google Play". (The label text and other UI details vary by Android Studio version.)
3 |
4 | Exception: As of 2020-10-08, the Release R "Android TV" system image will not run as root. Workaround: Use the Release Q (API level 29) Android TV system image instead.
5 |
6 | Test it: Launch the emulator, then run `adb root`.
7 |
8 | Command:
9 | ```
10 | adb root
11 | ```
12 | Expected output:
13 | ```
14 | restarting adbd as root
15 | ```
16 | or
17 | ```
18 | adbd is already running as root
19 | ```
20 | Not acceptable:
21 | ```
22 | adbd cannot run as root in production builds
23 | ```
24 |
25 | Alternate test:
26 | ```
27 | adb shell
28 | $ su
29 | #
30 | ```
31 | If the shell shows `#` after `su`, you have root. If it stays `$`, root is not available.
32 |
33 | Steps: To install and use an emulator image that can run as root:
34 |
35 | - In Android Studio, use the menu command Tools > AVD Manager.
36 | - Click the + Create Virtual Device... button.
37 | - Select the virtual Hardware, and click Next.
38 | - Select a System Image.
39 | - Pick any image that does NOT say "(Google Play)" in the Target column.
40 | - If you depend on Google APIs (Google Sign In, Google Fit, etc.), pick an image marked with "(Google APIs)".
41 | - You might have to switch from the "Recommended" group to the "x86 Images" or "Other Images" group to find one.
42 | - Click the Download button if needed.
43 | - Finish creating your new AVD.
44 | - Tip: Start the AVD Name with the API level number so the list of Virtual Devices will sort by API level.
45 | - Launch your new AVD. (You can click the green "play" triangle in the AVD window.)
46 |
--------------------------------------------------------------------------------
/docs/howtos/frida.md:
--------------------------------------------------------------------------------
1 | ## Frida
2 |
3 | - Install Frida: https://frida.re/docs/installation/
4 | - Set up for Android (device/emulator and frida-server): https://frida.re/docs/android/
5 | - Example scripts for this lab are in the `frida/` folder of this repo.
6 |
7 | ### Quick start (attach/spawn)
8 | - List device processes (verify connection):
9 | ```
10 | frida-ps -U
11 | ```
12 | - Spawn the secure build with a script (example: hook secure storage):
13 | ```
14 | frida -U -f dev.jamescullimore.android_security_training.secure -l frida/hook_secure_storage.js
15 | ```
16 | - Tip: add `--no-pause` to let the app run immediately after spawn.
17 | - Attach to a running app instead of spawning (alternative):
18 | ```
19 | frida -U -n dev.jamescullimore.android_security_training.secure -l frida/hook_secure_storage.js
20 | ```
21 | - Trace common libc calls (example: `open`) for the secure build:
22 | ```
23 | frida-trace -U -i open -N dev.jamescullimore.android_security_training.secure
24 | ```
25 | - Alternate syntax (attach by name on some versions):
26 | ```
27 | frida-trace -U -i open -n dev.jamescullimore.android_security_training.secure
28 | ```
29 |
30 | ### Notes
31 | - Package IDs:
32 | - Secure variants: `dev.jamescullimore.android_security_training.secure`
33 | - Vulnerable variants: `dev.jamescullimore.android_security_training.vuln`
34 | - Scripts live in the `frida/` directory (for example: `frida/hook_secure_storage.js`).
35 | - If you don’t see classes/methods right after spawning, use `--no-pause` or interact with the target screen so code paths load.
36 | - On Google APIs emulators, Frida works fine for app‑level hooking even if `adbd` runs as root but the app cannot `su` — this is expected (see Root section for details).
37 |
--------------------------------------------------------------------------------
/app/src/main/res/drawable/ic_launcher_foreground.xml:
--------------------------------------------------------------------------------
1 |
7 |
8 |
9 |
15 | 
6 | 
7 |
8 | ## Table of contents
9 | - [Purpose and scope](#purpose-and-scope)
10 | - [Prerequisites (tools) and before‑you‑start](#prerequisites-tools-and-beforeyoustart-steps)
11 | - [Quick start](#quick-start)
12 | - [Build variants (how this project is organized)](#build-variants-how-this-project-is-organized)
13 | - [Topics: how to run the labs (index)](docs/topics/README.md)
14 | - [1. Certificate pinning & HTTPS](docs/topics/pinning/README.md)
15 | - [2. End‑to‑end encryption (E2E)](docs/topics/e2e/README.md)
16 | - [3. Reverse‑engineering resistance](docs/topics/re/README.md)
17 | - [4. Runtime permissions](docs/topics/perm/README.md)
18 | - [5. App links & deep links](docs/topics/links/README.md)
19 | - [6. Secure storage](docs/topics/storage/README.md)
20 | - [7. Root/Jailbreak detection](docs/topics/root/README.md)
21 | - [8. WebView & exported components](docs/topics/web/README.md)
22 | - [9. Multi‑user/AAOS considerations](docs/topics/users/README.md)
23 | - [10. Risk modeling & dangerous defaults](docs/topics/risks/README.md)
24 | - [MITM proxy quick setup (mitmproxy + emulator)](docs/howtos/mitmproxy.md)
25 | - [Getting a rooted emulator](docs/howtos/rooted-emulator.md)
26 | - [Frida](docs/howtos/frida.md)
27 | - [Troubleshooting](#troubleshooting)
28 |
29 | ## Purpose and scope
30 | - Goal: Help Android developers learn modern security practices through code you can run, inspect, and modify.
31 | - How: Build one topic at a time and toggle secure vs. vulnerable behavior. Use a proxy or other tools to observe differences.
32 | - Outcome: Understand why attacks work against the vulnerable build and how the secure build stops them.
33 |
34 | ## Prerequisites (tools) and before‑you‑start steps
35 | - Android Studio (latest stable) with Android SDK and emulator images installed.
36 | - Java 21 toolchain (Gradle wrapper config uses JDK 21 compatibility).
37 | - A device or emulator. For interception/root labs, prefer an emulator you control (see rooted emulator section).
38 | - Optional but recommended for labs:
39 | - mitmproxy, Burp Suite, or OWASP ZAP
40 | - Wireshark or tcpdump
41 | - jadx, jadx‐gui and apktool installed
42 | - DB Browser for SQLite (to inspect pulled SQLite .db files) https://sqlitebrowser.org/
43 | - (optional) [Frida](docs/howtos/frida.md)
44 | - sqlite3 CLI (alternative) — download from https://www.sqlite.org/download.html
45 | - Before you start:
46 | 1) Clone this repo and open it in Android Studio.
47 | 2) Let Gradle sync and index completely.
48 | 3) Decide which topic you want to run first (see Build variants), then pick a secure or vuln profile.
49 | 4) If you plan to demo MITM, configure your proxy and device/emulator networking first.
50 |
51 | ## Quick start
52 | 1) Open the project in Android Studio (latest stable).
53 | 2) In Build Variants, choose a pair like `vulnPinning` (to see the issue) then `securePinning` (to see the fix).
54 | 3) Run on an emulator or device and follow the on‑screen actions for the selected topic.
55 | 4) For network labs, configure your proxy before launching the vulnerable build.
56 |
57 | ## Build variants (how this project is organized)
58 | - Two flavor dimensions in `app/build.gradle.kts`:
59 | - securityProfile: `secure` (best practices) or `vuln` (intentionally unsafe). Release builds are disabled for `vuln`.
60 | - topic: `pinning`, `e2e`, `re`, `perm`, `links`, `storage`, `root`, `web`, `users`, `risks`.
61 | - The final build variant is ``, for example:
62 | - `securePinning`, `vulnPinning`
63 | - `secureWeb`, `vulnWeb`, etc.
64 | - Routing is handled by per‑flavor providers so the right helper is compiled for each variant.
65 |
66 | ## Troubleshooting
67 | - Build with the Gradle wrapper from Android Studio. If secure pinning fails, check device time and that pins match the current server keys.
68 | - Deep links require a matching `assetlinks.json` on your domain. Update host/path if you change it.
69 | - For MITM demos, remember: secure flavors do not trust user CAs; use vuln flavors.
70 | - If the emulator won’t run as root, confirm you didn’t pick a Google Play image (see section above).
71 | - Expect‑CT (legacy): https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT
--------------------------------------------------------------------------------
/app/src/links/java/dev/jamescullimore/android_security_training/DeepLinksActivity.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training
2 |
3 | import android.content.Intent
4 | import android.os.Bundle
5 | import androidx.activity.ComponentActivity
6 | import androidx.activity.compose.setContent
7 | import androidx.activity.enableEdgeToEdge
8 | import androidx.compose.foundation.layout.Column
9 | import androidx.compose.foundation.layout.Spacer
10 | import androidx.compose.foundation.layout.fillMaxSize
11 | import androidx.compose.foundation.layout.height
12 | import androidx.compose.foundation.layout.padding
13 | import androidx.compose.foundation.rememberScrollState
14 | import androidx.compose.foundation.verticalScroll
15 | import androidx.compose.material3.Button
16 | import androidx.compose.material3.MaterialTheme
17 | import androidx.compose.material3.OutlinedTextField
18 | import androidx.compose.material3.Scaffold
19 | import androidx.compose.material3.Text
20 | import androidx.compose.runtime.*
21 | import androidx.compose.ui.Modifier
22 | import androidx.compose.ui.platform.LocalContext
23 | import androidx.compose.ui.tooling.preview.Preview
24 | import androidx.compose.ui.unit.dp
25 | import dev.jamescullimore.android_security_training.deeplink.DeepLinkHelper
26 | import dev.jamescullimore.android_security_training.ui.theme.AndroidSecurityTrainingTheme
27 | import androidx.core.net.toUri
28 |
29 | class DeepLinksActivity : ComponentActivity() {
30 | private val currentIntentState = mutableStateOf(null)
31 |
32 | override fun onCreate(savedInstanceState: Bundle?) {
33 | super.onCreate(savedInstanceState)
34 | currentIntentState.value = intent
35 | enableEdgeToEdge()
36 | setContent {
37 | AndroidSecurityTrainingTheme {
38 | DeepLinksHome(currentIntent = currentIntentState.value)
39 | }
40 | }
41 | }
42 |
43 | override fun onNewIntent(intent: Intent) {
44 | super.onNewIntent(intent)
45 | currentIntentState.value = intent
46 | }
47 | }
48 |
49 | @Composable
50 | fun DeepLinksHome(currentIntent: Intent?) {
51 | val context = LocalContext.current
52 | val helper: DeepLinkHelper = remember { provideDeepLinkHelper() }
53 | var received by remember { mutableStateOf(helper.describeIncomingIntent(currentIntent)) }
54 | var uriText by remember { mutableStateOf("https://lab.example.com/welcome?code=abc&state=123") }
55 | val verifiedBase = "https://lethalmaus.github.io/AndroidSecurityTraining"
56 | val verifiedUrl = "$verifiedBase/welcome?code=abc&state=123"
57 | var result by remember { mutableStateOf("Deep Links demo: craft and send VIEW intents") }
58 |
59 | // Update the displayed received-intent summary whenever a new intent arrives
60 | LaunchedEffect(currentIntent) {
61 | received = helper.describeIncomingIntent(currentIntent)
62 | }
63 |
64 | Scaffold(modifier = Modifier.fillMaxSize()) { innerPadding ->
65 | Column(
66 | modifier = Modifier.padding(innerPadding).verticalScroll(rememberScrollState())
67 | .padding(16.dp)
68 | ) {
69 | Text(text = "Deep Links", style = MaterialTheme.typography.headlineSmall)
70 | Spacer(Modifier.height(8.dp))
71 | Text("Received Intent:\n$received")
72 | Spacer(Modifier.height(8.dp))
73 | OutlinedTextField(
74 | value = uriText,
75 | onValueChange = { uriText = it },
76 | label = { Text("URI to VIEW") })
77 | Spacer(Modifier.height(4.dp))
78 | Button(onClick = {
79 | uriText = if (uriText.startsWith(verifiedBase)) {
80 | "https://lab.example.com/welcome?code=abc&state=123"
81 | } else {
82 | verifiedUrl
83 | }
84 | }) { Text(if (uriText.startsWith(verifiedBase)) "Switch to Unverified URL" else "Switch to Verified URL") }
85 | Spacer(Modifier.height(4.dp))
86 | Text(text = if (uriText.startsWith(verifiedBase)) "Mode: Verified app link (should be accepted)" else "Mode: Unverified/custom link (should be rejected)")
87 | Spacer(Modifier.height(4.dp))
88 | Button(onClick = {
89 | val test = Intent(
90 | Intent.ACTION_VIEW,
91 | uriText.toUri()
92 | ).addCategory(Intent.CATEGORY_BROWSABLE)
93 | test.setClass(context, DeepLinksActivity::class.java)
94 | context.startActivity(test)
95 | result = "Sent VIEW intent"
96 | }) { Text("Send VIEW Intent") }
97 | Spacer(Modifier.height(8.dp))
98 | Button(onClick = {
99 | result = helper.safeNavigateExample(context, uriText)
100 | }) { Text("Navigate Internally (Secure Path)") }
101 | Spacer(Modifier.height(16.dp))
102 | Text("Result:\n$result")
103 | Spacer(Modifier.height(8.dp))
104 | Text(
105 | text = "Note: Secure builds validate scheme/host/path and auto-verify app links; Vulnerable builds accept broad http(s) links and echo untrusted data.",
106 | style = MaterialTheme.typography.bodySmall
107 | )
108 | }
109 | }
110 | }
111 |
112 | @Preview
113 | @Composable
114 | internal fun DeepLinksHomePreview() {
115 | DeepLinksHome(currentIntent = null)
116 | }
117 |
--------------------------------------------------------------------------------
/docs/topics/re/README.md:
--------------------------------------------------------------------------------
1 | # 3. Reverse‑engineering resistance
2 |
3 | 
4 |
5 | #### Where in code
6 | - Secure helper: `app/src/secure/java/.../re/SecureReDemoHelper.kt`
7 | - Vulnerable helper: `app/src/vuln/java/.../re/VulnReDemoHelper.kt`
8 | - Gradle flavors for this topic: `re` combined with `secure` or `vuln` (see `app/build.gradle.kts`)
9 |
10 | #### Pre‑lab checklist
11 | - Android Studio + adb available
12 | - jadx‐gui and apktool installed
13 | - A keystore for re‑signing (can generate a temporary one)
14 |
15 | #### Lab guide (hands‑on)
16 | 1) Build the vulnerable RE APK
17 | - Gradle task:
18 | ```
19 | ./gradlew :app:assembleClientVulnReDebug
20 | ```
21 | - Output path example:
22 | ```
23 | ls app/build/outputs/apk/clientVulnRe/debug/
24 | ```
25 | - You should see `vulnRe-debug.apk`.
26 |
27 | 2) Decompile with JADX (quick source view)
28 | - Open in JADX:
29 | ```
30 | jadx-gui app/build/outputs/apk/.../clientVulnRe-debug.apk
31 | ```
32 | - Search for obvious findings:
33 | - `SUPER_SECRET_API_KEY`
34 | - `DexClassLoader`
35 | - `assets/sensitive.txt`
36 | - Note any hardcoded strings, keys, or debug logs.
37 |
38 | 3) Decode resources with apktool (smali/manifest/assets)
39 | - Decode:
40 | ```
41 | apktool d clientVulnRe-debug.apk -o out_vuln
42 | ```
43 | - Inspect inside `out_vuln/`:
44 | - `AndroidManifest.xml` (exported components, permissions)
45 | - `assets/` (plain‑text files or secrets)
46 | - `smali/` (methods to patch if needed)
47 |
48 | 4) Extract sensitive assets quickly
49 | - Without full decode:
50 | ```
51 | unzip -p clientVulnRe-debug.apk assets/sensitive.txt
52 | ```
53 | - Or pull from a device:
54 | ```
55 | adb shell pm path
56 | adb pull /data/app/.../base.apk
57 | ```
58 |
59 | 5) Patch the runtime signature check (tampering demo)
60 | - Locate the helper (e.g., `SecureReDemoHelper` or similar) in smali and modify the method to return `true`, or patch the decompiled Java and recompile.
61 | - Rebuild the APK with apktool:
62 | ```
63 | apktool b out_vuln -o patched.apk
64 | ```
65 |
66 | 6) Re‑sign the modified APK
67 | - Generate a temporary keystore if you don’t have one:
68 | ```
69 | keytool -genkeypair -keystore seminar.jks -alias key0 -storepass changeit -keypass changeit -dname "CN=Seminar,O=Demo,C=US" -keyalg RSA -keysize 2048 -validity 3650
70 | ```
71 | - Sign and verify:
72 | ```
73 | apksigner sign --ks seminar.jks --ks-pass pass:changeit --key-pass pass:changeit --out patched-signed.apk patched.apk
74 | apksigner verify --print-certs patched-signed.apk
75 | ```
76 |
77 | 7) Install and test the patched APK
78 | - Replace the original if necessary:
79 | ```
80 | adb uninstall
81 | adb install -r patched-signed.apk
82 | ```
83 | - Verify:
84 | - Does signature/tamper check now pass in the patched build?
85 | - Check `logcat` for security/tamper logs.
86 |
87 | 8) Dynamic DEX injection demo (if the vuln UI allows loading from storage)
88 | - Build a minimal class and convert to DEX:
89 | ```
90 | # Example workflow
91 | javac --release 8 -d build_classes dev/training/dynamic/Hello.java
92 | jar cvf dynamic.jar -C build_classes dev/training/dynamic/Hello.class
93 | d8 --output out/ dynamic.jar
94 | adb shell "mkdir -p /sdcard/Android/data/dev.jamescullimore.android_security_training.vuln/files"
95 | adb push out/classes.dex /sdcard/Android/data/dev.jamescullimore.android_security_training.vuln/files/dynamic.dex
96 | ```
97 | - In the vulnerable app UI, enter just the file name `dynamic.dex` (do not paste a full path). The app will look for this file in its external files directory and then copy it into its internal code cache before loading via DexClassLoader. You can also enter `self` to attempt loading the app's own APK. Discuss risk: unvalidated external code execution.
98 |
99 | 9) R8 / obfuscation comparison
100 | - Compare a debug APK vs. a release APK with `minifyEnabled = true`.
101 | - Observe differences in JADX: identifiers renamed, dead code removed, logs stripped.
102 |
103 | #### Group deliverables (for workshops)
104 | - Screenshot of an extracted secret/asset
105 | - Screenshot of the patched app running
106 | - Short write‑up: 3 risks found + 3 mitigations
107 |
108 | #### Troubleshooting
109 | - `apktool b` failures → check resources/apktool version mismatch
110 | - `INSTALL_FAILED_UPDATE_INCOMPATIBLE` → uninstall the app first
111 | - Signature mismatches → verify keystore/alias/passwords
112 | - adb device issues → ensure USB debugging/emulator running
113 |
114 | #### Best practices
115 | - Don’t store secrets in the APK; prefer server‑issued, short‑lived tokens.
116 | - Enable R8/ProGuard shrinking/obfuscation for release; strip debug info from release.
117 | - Verify app signature at runtime for critical logic paths; consider Play Integrity as an additional signal.
118 |
119 | #### Extra reading
120 | - App signing & verifying: https://developer.android.com/studio/publish/app-signing
121 | - Code shrinking, obfuscation, optimization: https://developer.android.com/studio/build/shrink-code
122 | - OWASP MASVS‑RESILIENCE: https://mas.owasp.org/MASVS/
123 | - Android app reverse engineering overview (docs): https://developer.android.com/privacy-and-security
124 |
--------------------------------------------------------------------------------
/docs/topics/web/README.md:
--------------------------------------------------------------------------------
1 | # 8. WebView & exported components
2 |
3 | 
4 |
5 | #### Where in code
6 | - Topic activity: `app/src/web/java/.../WebActivity.kt`
7 | - Secure helper/receiver: `app/src/secure/java/.../web/SecureWebViewHelper.kt`
8 | - Vulnerable helper: `app/src/vuln/java/.../web/VulnWebViewHelper.kt`
9 | - Demo ContentProvider (class): `app/src/main/java/.../perm/DemoProvider.kt` (authority overridden in vuln manifest)
10 | - Vulnerable manifest override: `app/src/vuln/AndroidManifest.xml` (exported provider authority `com.example.demo.provider`)
11 |
12 | #### Lab guide (hands-on)
13 | A) Exported ContentProvider attack (adb)
14 | - Build and run `vulnPermDebug` or any vuln topic (provider is registered in the vuln manifest).
15 | - Query the exported provider from the shell:
16 | ```
17 | adb shell content query --uri content://dev.jamescullimore.android_security_training.vuln.demo/hello
18 | ```
19 | Expected (vuln): a row like `hello from DemoProvider: /hello` because the provider is exported with no permission checks.
20 |
21 | - Compare with secure builds: the same provider is non-exported and gated by a signature permission; external queries should fail.
22 |
23 | B) WebView path traversal from file scheme (vuln)
24 | - Build and run `vulnWebDebug` and open the WebView screen.
25 | - Tap "Configure WebView" (enables JS, file://, mixed content, etc. in vuln).
26 | - Tap "Load Untrusted HTTP (cleartext)" to demonstrate mixed content and lack of validation (loads http://neverssl.com/).
27 | - Tap "Load Untrusted FILE (path traversal)" to execute a traversal load. The vuln helper prepares a secret at:
28 | - `/data/data//files/secret.txt` (created on first run)
29 | - It then calls:
30 | ```
31 | webView.loadUrl("file:///android_asset/../../data/data//files/secret.txt")
32 | ```
33 | Notes:
34 | - Modern WebView implementations may block this traversal, but the code and attempt are visible for discussion and testing on older images.
35 | - Replace `` with the running package, e.g., `dev.jamescullimore.android_security_training.vuln`.
36 |
37 | C) Resetting app data via broadcast (lab helper)
38 | For quick lab resets, the app includes a BroadcastReceiver that can clear local data.
39 | - Action: `dev.jamescullimore.android_security_training.ACTION_CLEAR_DATA`
40 | - Extras:
41 | - `what` (optional): one of `prefs`, `files`, `cache`, `db`/`databases`, or omit for `all`.
42 |
43 | Usage examples (vulnerable flavors expose this receiver; secure flavors keep it non-exported and gated by a signature permission):
44 | - Vulnerable build (any topic, package suffix `.vuln`):
45 | ```
46 | # Clear everything (prefs, files, cache, databases)
47 | adb shell am broadcast -a dev.jamescullimore.android_security_training.ACTION_CLEAR_DATA -n dev.jamescullimore.android_security_training.vuln/dev.jamescullimore.android_security_training.ClearDataReceiver
48 |
49 | # Clear only SharedPreferences
50 | adb shell am broadcast -a dev.jamescullimore.android_security_training.ACTION_CLEAR_DATA --es what prefs -n dev.jamescullimore.android_security_training.vuln/dev.jamescullimore.android_security_training.ClearDataReceiver
51 | ```
52 | - Secure build: The receiver is not exported and requires the custom signature permission, so external adb broadcasts will be ignored/denied by design. Triggering is possible only from inside the app or a same-signature test app.
53 |
54 | D) Load a malicious HTML payload (local file and via adb VIEW)
55 | - Place the payload into the app-specific external files directory (works without storage permissions on modern Android):
56 | ```
57 | # For the vulnerable package id
58 | adb shell mkdir -p /sdcard/Android/data/dev.jamescullimore.android_security_training.vuln/files
59 | adb push html/payload.html /sdcard/Android/data/dev.jamescullimore.android_security_training.vuln/files/payload.html
60 | ```
61 | - In the app (vulnWebDebug):
62 | 1) Tap "Configure WebView".
63 | 2) Tap "Load Local Payload (app external files)" — this loads `file:///sdcard/Android/data/dev.jamescullimore.android_security_training.vuln/files/payload.html`.
64 | - Or trigger via adb with a VIEW intent (deep link to a file URL):
65 | ```
66 | adb shell am start -n dev.jamescullimore.android_security_training.vuln/dev.jamescullimore.android_security_training.WebActivity -a android.intent.action.VIEW -d "file:///sdcard/Android/data/dev.jamescullimore.android_security_training.vuln/files/payload.html"
67 | ```
68 | - WebActivity has an intent-filter for `file`, `http`, and `https` and will auto-load the provided URI into the WebView on launch.
69 | - Tip: You can also host the file and use `-d "http://10.0.2.2:8000/payload.html"` to demo from the host machine.
70 |
71 | E) Other vuln WebView demos
72 | - Run JS demo to exfiltrate a token from `addJavascriptInterface` and observe the broadcast.
73 | - Expose/trigger a mutable PendingIntent via broadcast leak.
74 |
75 | #### Best practices
76 | - Disable JS, file access, and mixed content by default.
77 | - Use a safe URL loading policy and validate origins.
78 | - Don’t expose WebView JS interfaces to untrusted content; prefer postMessage‑style bridges with strict validation.
79 | - Avoid exporting components unless required; protect with signature permissions when needed.
80 |
81 | #### Extra reading
82 | - WebView security tips: https://developer.android.com/guide/webapps/webview#security
83 | - Avoiding intent/component leaks: https://developer.android.com/guide/components/intents-filters#Security
84 | - Network security config (mixed content): https://developer.android.com/training/articles/security-config#CleartextTrafficPermitted
85 | - MASVS‑PLATFORM: https://mas.owasp.org/MASVS/
86 |
--------------------------------------------------------------------------------
/app/src/storage/java/dev/jamescullimore/android_security_training/StorageActivity.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training
2 |
3 | import android.os.Bundle
4 | import androidx.activity.ComponentActivity
5 | import androidx.activity.compose.setContent
6 | import androidx.activity.enableEdgeToEdge
7 | import androidx.compose.foundation.layout.Column
8 | import androidx.compose.foundation.layout.Spacer
9 | import androidx.compose.foundation.layout.fillMaxSize
10 | import androidx.compose.foundation.layout.height
11 | import androidx.compose.foundation.layout.padding
12 | import androidx.compose.foundation.rememberScrollState
13 | import androidx.compose.foundation.verticalScroll
14 | import androidx.compose.material3.Button
15 | import androidx.compose.material3.Scaffold
16 | import androidx.compose.material3.Text
17 | import androidx.compose.runtime.*
18 | import androidx.compose.ui.Modifier
19 | import androidx.compose.ui.platform.LocalContext
20 | import androidx.compose.ui.tooling.preview.Preview
21 | import androidx.compose.ui.unit.dp
22 | import dev.jamescullimore.android_security_training.ui.theme.AndroidSecurityTrainingTheme
23 | import kotlinx.coroutines.launch
24 |
25 | class StorageActivity : ComponentActivity() {
26 | override fun onCreate(savedInstanceState: Bundle?) {
27 | super.onCreate(savedInstanceState)
28 | enableEdgeToEdge()
29 | setContent {
30 | AndroidSecurityTrainingTheme {
31 | StorageScreen()
32 | }
33 | }
34 | }
35 | }
36 |
37 | @Composable
38 | fun StorageScreen(modifier: Modifier = Modifier) {
39 | val context = LocalContext.current
40 | val output = remember { mutableStateOf("Ready.") }
41 | val helper = remember { provideStorageHelper() }
42 | val root = remember { provideRootHelper() }
43 | val scope = rememberCoroutineScope()
44 |
45 | fun guardIfRooted(action: suspend () -> String): suspend () -> String = {
46 | if (root.isRooted(context)) {
47 | "[SECURE] Blocked action due to detected root/jailbreak (demo). Use Root topic to discuss policy.)"
48 | } else action()
49 | }
50 | Scaffold(modifier = Modifier.fillMaxSize()) { innerPadding ->
51 | Column(
52 | modifier = Modifier.padding(innerPadding)
53 | .verticalScroll(rememberScrollState())
54 | .padding(16.dp)
55 | ) {
56 | Text(text = "Local Data Storage Lab")
57 | Spacer(Modifier.height(8.dp))
58 | // Preferences (secure)
59 | Button(onClick = {
60 | scope.launch {
61 | output.value =
62 | guardIfRooted { helper.saveTokenSecure(context, "secret-token-123") }()
63 | }
64 | }) { Text("Save Token (EncryptedSharedPreferences)") }
65 | Button(onClick = {
66 | scope.launch { output.value = helper.loadTokenSecure(context) }
67 | }) { Text("Load Token (Encrypted)") }
68 | Spacer(Modifier.height(8.dp))
69 | // Preferences (insecure)
70 | Button(onClick = {
71 | scope.launch {
72 | output.value = helper.saveTokenInsecure(context, "secret-token-123")
73 | }
74 | }) { Text("Save Token (Plain SharedPreferences)") }
75 | Button(onClick = {
76 | scope.launch { output.value = helper.loadTokenInsecure(context) }
77 | }) { Text("Load Token (Plain)") }
78 | Spacer(Modifier.height(8.dp))
79 | // Files
80 | Button(onClick = {
81 | scope.launch {
82 | output.value = guardIfRooted {
83 | helper.writeSecureFile(
84 | context,
85 | "secure.txt",
86 | "Sensitive file content"
87 | )
88 | }()
89 | }
90 | }) { Text("Write Secure File (EncryptedFile)") }
91 | Button(onClick = {
92 | scope.launch {
93 | output.value =
94 | helper.writeInsecureFile(context, "insecure.txt", "Sensitive file content")
95 | }
96 | }) { Text("Write Insecure File (Plaintext)") }
97 | Button(onClick = {
98 | scope.launch { output.value = helper.readInsecureFile(context, "insecure.txt") }
99 | }) { Text("Read Insecure File") }
100 | Spacer(Modifier.height(8.dp))
101 | // SQLite
102 | Button(onClick = {
103 | scope.launch {
104 | output.value =
105 | guardIfRooted { helper.dbPut(context, "session_token", "db-secret-456") }()
106 | }
107 | }) { Text("DB Put (session_token)") }
108 | Button(onClick = {
109 | scope.launch { output.value = helper.dbGet(context, "session_token") }
110 | }) { Text("DB Get (session_token)") }
111 | Button(onClick = {
112 | scope.launch { output.value = helper.dbList(context) }
113 | }) { Text("DB List All") }
114 | Button(onClick = {
115 | scope.launch { output.value = helper.dbDelete(context, "session_token") }
116 | }) { Text("DB Delete (session_token)") }
117 | Spacer(Modifier.height(12.dp))
118 | Button(onClick = {
119 | scope.launch {
120 | output.value = "Root signals: \n" + root.getSignals(context)
121 | .joinToString("\n") + "\nIs rooted? " + root.isRooted(context)
122 | }
123 | }) { Text("Run Root Checks (from Root topic helper)") }
124 | Spacer(Modifier.height(12.dp))
125 | Text(text = output.value)
126 | }
127 | }
128 | }
129 |
130 | @Preview
131 | @Composable
132 | internal fun StorageScreenPreview() {
133 | StorageScreen()
134 | }
135 |
--------------------------------------------------------------------------------
/app/src/web/java/dev/jamescullimore/android_security_training/WebActivity.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training
2 |
3 | import android.content.Intent
4 | import android.os.Bundle
5 | import android.webkit.WebView
6 | import androidx.activity.ComponentActivity
7 | import androidx.activity.compose.setContent
8 | import androidx.activity.enableEdgeToEdge
9 | import androidx.compose.foundation.layout.Box
10 | import androidx.compose.foundation.layout.Column
11 | import androidx.compose.foundation.layout.Spacer
12 | import androidx.compose.foundation.layout.fillMaxSize
13 | import androidx.compose.foundation.layout.fillMaxWidth
14 | import androidx.compose.foundation.layout.height
15 | import androidx.compose.foundation.layout.padding
16 | import androidx.compose.foundation.rememberScrollState
17 | import androidx.compose.foundation.verticalScroll
18 | import androidx.compose.material3.Button
19 | import androidx.compose.material3.MaterialTheme
20 | import androidx.compose.material3.Scaffold
21 | import androidx.compose.material3.Text
22 | import androidx.compose.runtime.Composable
23 | import androidx.compose.runtime.LaunchedEffect
24 | import androidx.compose.runtime.mutableStateOf
25 | import androidx.compose.runtime.remember
26 | import androidx.compose.ui.Modifier
27 | import androidx.compose.ui.platform.LocalContext
28 | import androidx.compose.ui.tooling.preview.Preview
29 | import androidx.compose.ui.unit.dp
30 | import androidx.compose.ui.viewinterop.AndroidView
31 | import dev.jamescullimore.android_security_training.ui.theme.AndroidSecurityTrainingTheme
32 | import dev.jamescullimore.android_security_training.web.WebViewHelper
33 |
34 | class WebActivity : ComponentActivity() {
35 | override fun onCreate(savedInstanceState: Bundle?) {
36 | super.onCreate(savedInstanceState)
37 |
38 | enableEdgeToEdge()
39 | setContent {
40 | AndroidSecurityTrainingTheme {
41 | WebScreen(incoming = intent, provideWebViewHelper())
42 | }
43 | }
44 | }
45 | }
46 |
47 | @Composable
48 | fun WebScreen(incoming: Intent?, helper: WebViewHelper) {
49 | Scaffold(modifier = Modifier.fillMaxSize()) { innerPadding ->
50 | val ctx = LocalContext.current
51 | val output = remember { mutableStateOf("Ready.") }
52 | val webViewState = remember { mutableStateOf(null) }
53 |
54 | Column(modifier = Modifier
55 | .padding(innerPadding)
56 | .fillMaxSize()
57 | .verticalScroll(rememberScrollState())
58 | .padding(16.dp)) {
59 | Text("WebView & Component Security Lab — Variant: ${BuildConfig.FLAVOR}", style = MaterialTheme.typography.headlineSmall)
60 | Spacer(Modifier.height(8.dp))
61 |
62 | Box(modifier = Modifier
63 | .fillMaxWidth()
64 | .height(400.dp)
65 | ) {
66 | AndroidView(
67 | modifier = Modifier.fillMaxSize()
68 | .verticalScroll(rememberScrollState()),
69 | factory = { context ->
70 | WebView(context).apply {
71 | webViewState.value = this
72 | isVerticalScrollBarEnabled = true
73 | }
74 | },
75 | update = {
76 | // no-op
77 | }
78 | )
79 | }
80 |
81 | // If launched via VIEW intent with data, auto-load it once the WebView exists
82 | LaunchedEffect(webViewState.value) {
83 | val wv = webViewState.value
84 | val data = incoming?.data
85 | if (wv != null && incoming?.action == Intent.ACTION_VIEW && data != null) {
86 | // Best-effort configure before loading
87 | runCatching { helper.configure(ctx, wv) }
88 | output.value = helper.loadFromIntent(ctx, wv, data.toString())
89 | }
90 | }
91 |
92 | Spacer(Modifier.height(8.dp))
93 |
94 | Column(
95 | modifier = Modifier
96 | .fillMaxWidth()
97 | ) {
98 | Button(onClick = {
99 | webViewState.value?.let { output.value = helper.loadTrusted(ctx, it) }
100 | }) { Text("Load Trusted URL (https)") }
101 |
102 | Button(onClick = {
103 | webViewState.value?.let { output.value = helper.loadUntrustedHttp(ctx, it) }
104 | }) { Text("Load Untrusted HTTP (cleartext)") }
105 |
106 | Button(onClick = {
107 | webViewState.value?.let { output.value = helper.loadUntrusted(ctx, it) }
108 | }) { Text("Load Untrusted FILE (path traversal)") }
109 |
110 | Button(onClick = {
111 | webViewState.value?.let { wv ->
112 | output.value = helper.loadLocalPayload(ctx, wv)
113 | }
114 | }) { Text("Load Local Payload (app external files)") }
115 |
116 | Button(onClick = {
117 | webViewState.value?.let { output.value = helper.runDemoJs(ctx, it) }
118 | }) { Text("Run JS Demo / Bridge Call") }
119 |
120 | Spacer(Modifier.height(8.dp))
121 | Button(onClick = {
122 | output.value = helper.sendInternalBroadcast(ctx)
123 | }) { Text("Send Internal Broadcast") }
124 |
125 | Button(onClick = {
126 | output.value = helper.exposePendingIntent(ctx)
127 | }) { Text("Expose PendingIntent (demo)") }
128 |
129 | Spacer(Modifier.height(12.dp))
130 | Text(output.value)
131 | }
132 | }
133 | }
134 | }
135 |
136 | @Preview
137 | @Composable
138 | internal fun WebScreenPreview() {
139 | WebScreen(incoming = null, provideWebViewHelper())
140 | }
141 |
--------------------------------------------------------------------------------
/docs/topics/links/README.md:
--------------------------------------------------------------------------------
1 | # 5. App links & deep links
2 |
3 | 
4 |
5 | #### Where in code
6 | - Topic manifest: `app/src/links/AndroidManifest.xml`
7 | - Secure helper: `app/src/secure/java/.../deeplink/SecureDeepLinkHelper.kt`
8 | - Activity UI: `app/src/links/java/.../DeepLinksActivity.kt`
9 | - Website DAL file: `./.well-known/assetlinks.json` (already includes base, .secure, .vuln packages)
10 |
11 | #### Lab guide (hands-on)
12 | Goal: See how verified App Links are accepted by the secure build and how broad/unverified links are rejected (secure) but accepted (vuln).
13 |
14 | A) Build and install variants
15 | - Secure:
16 | - Android Studio: select Build Variant `secureLinksDebug` and Run
17 | - CLI: `./gradlew :app:installSecureLinksDebug`
18 | - Package: `dev.jamescullimore.android_security_training.secure`
19 | - Vulnerable:
20 | - Android Studio: select Build Variant `vulnLinksDebug` and Run
21 | - CLI: `./gradlew :app:installVulnLinksDebug`
22 | - Package: `dev.jamescullimore.android_security_training.vuln`
23 |
24 | B) Test a verified App Link (secure should accept)
25 | - Command:
26 | ```
27 | adb shell am start -a android.intent.action.VIEW -d "https://lethalmaus.github.io/AndroidSecurityTraining/welcome?code=abc&state=123"
28 | ```
29 | - Expected (secure): DeepLinks screen shows validated=true; result "Accepted … (code redacted)".
30 | - Expected (vuln): Also accepts because it’s https; uses looser checks.
31 |
32 | C) Test an unverified/custom host (secure should reject, vuln accepts)
33 | - Command:
34 | ```
35 | adb shell am start -a android.intent.action.VIEW -d "https://lab.example.com/welcome?code=abc&state=123"
36 | ```
37 | - Expected (secure): "Rejected: invalid scheme/host/path" and no navigation.
38 | - Expected (vuln): Treats as acceptable and echoes parameters.
39 |
40 | D) Toggle between URLs inside the app
41 | - Open the app UI and use the "Switch to Verified/Unverified URL" button.
42 | - Use "Simulate Incoming VIEW" and "Navigate Internally (Secure Path)" to compare behavior.
43 |
44 | E) If App Links don’t auto‑verify
45 | - Ensure the app that should handle links is the default: open the verified URL in Chrome and choose the app; if a chooser appears, long‑press to always open.
46 | - Clear defaults if needed: Settings → Apps → "Open by default" → Clear.
47 | - Check verification state (Android 12+): `adb shell pm get-app-links dev.jamescullimore.android_security_training.secure`
48 | - Uninstall all variants to reset link handling:
49 | ```
50 | adb uninstall dev.jamescullimore.android_security_training
51 | adb uninstall dev.jamescullimore.android_security_training.secure
52 | adb uninstall dev.jamescullimore.android_security_training.vuln
53 | ```
54 | - Note: The provided assetlinks.json includes all three package IDs for convenience during demos.
55 |
56 | #### Vulnerable custom-scheme parsing demo (why this is dangerous)
57 | - Goal: Observe how a naive prefix check on a non-canonicalized path can be abused.
58 | - Build: vulnLinksDebug (package: dev.jamescullimore.android_security_training.vuln)
59 | - Activity: DeepLinksActivity (launcher for the links topic)
60 |
61 | A) Send a benign custom-scheme URL (accepts a token)
62 | ```
63 | adb shell am start -a android.intent.action.VIEW -d "ast://dev.jamescullimore/AndroidSecurityTraining/open/?token=abc123"
64 | ```
65 | Expected:
66 | - App opens the Deep Links screen.
67 | - "Received Intent" shows values like:
68 | - path=/AndroidSecurityTraining/open/
69 | - canonicalPath=/AndroidSecurityTraining/open
70 | - naiveAccept(prefix '/AndroidSecurityTraining/open')=true
71 | - params: token=abc123
72 |
73 | B) Send a canonicalized malicious URL using .. (path traversal/confused routing)
74 | ```
75 | adb shell am start -a android.intent.action.VIEW -d "ast://dev.jamescullimore/AndroidSecurityTraining/open/../private/secret"
76 | ```
77 | Expected (vulnerable behavior):
78 | - App still "accepts" because it checks only that the RAW path starts with /AndroidSecurityTraining/open.
79 | - UI shows:
80 | - path=/AndroidSecurityTraining/open/../private/secret
81 | - canonicalPath=/AndroidSecurityTraining/private/secret
82 | - naiveAccept(prefix '/AndroidSecurityTraining/open')=true
83 |
84 | Why this is dangerous
85 | - The decision uses a naive prefix check without canonicalizing dot segments (.., .). An attacker can craft a path that appears to start with an allowed prefix but resolves to a different route when canonicalized.
86 | - Impact examples:
87 | - Route confusion: reach internal/private handlers (e.g., /private/secret) gated behind an intended /open prefix.
88 | - Policy bypass: trigger actions or expose data mapped to unintended paths.
89 | - Data trust: the vulnerable helper also echoes untrusted parameters (e.g., token) which can aid phishing or log injection.
90 |
91 | How to fix (secure approach)
92 | - Always normalize/canonicalize the path before validation, then validate against a strict allowlist.
93 | - Validate scheme, host, and path prefixes explicitly; reject anything unexpected.
94 | - Prefer verified App Links for https domains and avoid trusting custom schemes for sensitive flows.
95 | - Don’t echo secrets back to logs/UI; treat deep link params as untrusted input.
96 |
97 | #### Best practices
98 | - Prefer verified app links (assetlinks.json) for https domains.
99 | - Validate schemes, hosts, and path prefixes explicitly; reject unexpected ones.
100 | - Avoid exporting components unless required; use `android:exported="false"` by default.
101 |
102 | #### Extra reading
103 | - Verify Android App Links: https://developer.android.com/training/app-links/verify-site-associations
104 | - Deep links documentation: https://developer.android.com/training/app-links/deep-linking
105 | - Digital Asset Links: https://developer.android.com/training/app-links/associate-website
106 | - MASVS‑PLATFORM: https://mas.owasp.org/MASVS/
107 | - https://developers.google.com/digital-asset-links/v1/getting-started
108 | - https://owasp.org/www-community/attacks/Path_Traversal
109 |
--------------------------------------------------------------------------------
/app/src/main/res/drawable/ic_launcher_background.xml:
--------------------------------------------------------------------------------
1 |
2 |
7 |
10 |
15 |
20 |
25 |
30 |
35 |
40 |
45 |
50 |
55 |
60 |
65 |
70 |
75 |
80 |
85 |
90 |
95 |
100 |
105 |
110 |
115 |
120 |
125 |
130 |
135 |
140 |
145 |
150 |
155 |
160 |
165 |
170 |
171 |
--------------------------------------------------------------------------------
/app/src/secure/java/dev/jamescullimore/android_security_training/web/SecureWebViewHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.web
2 |
3 | import android.app.PendingIntent
4 | import android.content.Context
5 | import android.content.Intent
6 | import android.net.Uri
7 | import android.os.Build
8 | import android.util.Log
9 | import android.webkit.SafeBrowsingResponse
10 | import android.webkit.WebResourceRequest
11 | import android.webkit.WebSettings
12 | import android.webkit.WebView
13 | import android.webkit.WebViewClient
14 | import androidx.core.net.toUri
15 |
16 | class SecureWebViewHelper : WebViewHelper {
17 |
18 | override fun configure(context: Context, webView: WebView): String {
19 | val s = webView.settings
20 | s.javaScriptEnabled = true // enable only if needed for the demo
21 | s.allowFileAccess = false
22 | s.allowContentAccess = true
23 | s.mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
24 | webView.settings.safeBrowsingEnabled = true
25 | webView.webViewClient = object : WebViewClient() {
26 | override fun shouldOverrideUrlLoading(view: WebView?, request: WebResourceRequest?): Boolean {
27 | val u = request?.url ?: return true
28 | return !isAllowed(u)
29 | }
30 | @Deprecated("Deprecated in API 24")
31 | override fun shouldOverrideUrlLoading(view: WebView?, url: String?): Boolean {
32 | return !isAllowed(url?.toUri())
33 | }
34 | override fun onSafeBrowsingHit(
35 | view: WebView?, request: WebResourceRequest?, threatType: Int, callback: SafeBrowsingResponse?
36 | ) {
37 | // Show interstitial and block
38 | callback?.backToSafety(true)
39 | }
40 | }
41 | return "[SECURE] WebView configured: JS=on, fileAccess=off, mixedContent=never, SafeBrowsing=on, host allowlist enforced"
42 | }
43 |
44 | private fun isAllowed(uri: Uri?): Boolean {
45 | if (uri == null) return false
46 | if (uri.scheme != "https") return false
47 | val allowedHosts = setOf("jamescullimore.dev", "lethalmaus.github.io", "github.com")
48 | val host = uri.host ?: return false
49 | return allowedHosts.contains(host)
50 | }
51 |
52 | override fun loadTrusted(context: Context, webView: WebView): String {
53 | // Primary trusted URL migrated to GitHub Pages as jamescullimore.dev may be unavailable.
54 | val url = "https://lethalmaus.github.io/AndroidSecurityTraining/README.md"
55 | webView.loadUrl(url)
56 | return "Loaded trusted $url"
57 | }
58 |
59 | override fun loadUntrusted(context: Context, webView: WebView): String {
60 | // Attempt a file traversal like the vuln build, but our settings and allowlist should block it
61 | try {
62 | val secretFile = java.io.File(context.filesDir, "secret.txt")
63 | if (!secretFile.exists()) {
64 | secretFile.writeText("TOP-SECRET (secure build demo) " + System.currentTimeMillis())
65 | }
66 | } catch (_: Throwable) { }
67 | val pkg = context.packageName
68 | val url = "file:///android_asset/../../data/data/$pkg/files/secret.txt"
69 | webView.loadUrl(url)
70 | return "[SECURE] Attempted file traversal load (blocked by fileAccess=false and URL allowlist): $url"
71 | }
72 |
73 | override fun loadUntrustedHttp(context: Context, webView: WebView): String {
74 | // Demonstrate that cleartext/mixed content is blocked by policy
75 | val url = "http://neverssl.com/"
76 | webView.loadUrl(url)
77 | return "[SECURE] Attempted cleartext HTTP load (should be blocked): $url"
78 | }
79 |
80 | override fun loadLocalPayload(context: Context, webView: WebView): String {
81 | // Keep protections: file access disabled; attempt will be blocked
82 | val url = "file:///sdcard/Download/payload.html"
83 | webView.loadUrl(url)
84 | return "[SECURE] Attempted to load local payload but file access/URL policy should block: $url"
85 | }
86 |
87 | override fun loadFromIntent(context: Context, webView: WebView, url: String): String {
88 | // Only allow https to an allowlisted host; otherwise block
89 | return try {
90 | val uri = android.net.Uri.parse(url)
91 | if (uri != null && uri.scheme == "https" && isAllowed(uri)) {
92 | webView.loadUrl(url)
93 | "[SECURE] Loaded allowed https URL from intent: $url"
94 | } else {
95 | "[SECURE] Rejected VIEW intent URL: $url (scheme/host not allowed)"
96 | }
97 | } catch (t: Throwable) {
98 | "[SECURE] Error handling VIEW intent URL: ${t.javaClass.simpleName}: ${t.message}"
99 | }
100 | }
101 |
102 | override fun runDemoJs(context: Context, webView: WebView): String {
103 | // Demonstrate safe JS call to display message, no native bridge exposed.
104 | Log.i("WebDemo", "Secure runDemoJs() invoked: no bridge exposed, executing harmless JS")
105 | webView.evaluateJavascript("alert('Hello from safe JS (no native bridge)')") { value ->
106 | Log.i("WebDemo", "evaluateJavascript (secure) result: $value")
107 | }
108 | return "Executed harmless JS (no addJavascriptInterface)"
109 | }
110 |
111 | override fun sendInternalBroadcast(context: Context): String {
112 | val intent = Intent(ACTION_DEMO).apply {
113 | setPackage(context.packageName)
114 | putExtra("msg", "hello-internal")
115 | }
116 | context.sendBroadcast(intent)
117 | return "Sent internal broadcast (restricted by setPackage; receiver not exported in secure builds)"
118 | }
119 |
120 | override fun exposePendingIntent(context: Context): String {
121 | // Secure: use immutable and do not expose outside
122 | PendingIntent.getActivity(
123 | context, 0,
124 | android.content.Intent(Intent.ACTION_VIEW,
125 | "https://lethalmaus.github.io/AndroidSecurityTraining/".toUri()),
126 | PendingIntent.FLAG_IMMUTABLE
127 | )
128 | return "Created immutable PendingIntent (not exposed)"
129 | }
130 |
131 | companion object {
132 | const val ACTION_DEMO = "dev.jamescullimore.android_security_training.DEMO"
133 | }
134 | }
135 |
--------------------------------------------------------------------------------
/app/src/vuln/java/dev/jamescullimore/android_security_training/re/VulnReDemoHelper.kt:
--------------------------------------------------------------------------------
1 | package dev.jamescullimore.android_security_training.re
2 |
3 | import android.content.Context
4 | import android.content.pm.PackageManager
5 | import android.os.Build
6 | import android.util.Base64
7 | import android.net.Uri
8 | import dalvik.system.DexClassLoader
9 | import java.io.ByteArrayInputStream
10 | import java.io.File
11 | import java.security.MessageDigest
12 | import java.security.cert.CertificateFactory
13 | import java.security.cert.X509Certificate
14 |
15 | /**
16 | * INTENTIONALLY VULNERABLE: Demonstrates secrets in code, asset leakage, and unsafe dynamic code loading.
17 | */
18 | class VulnReDemoHelper : ReDemoHelper {
19 |
20 | // Obvious hardcoded secret for students to find via JADX/apktool (intentionally present in vuln build)
21 | private val SUPER_SECRET_API_KEY = "sk_live_REPLACE_ME_123456"
22 |
23 | override fun getHardcodedSecret(): String = SUPER_SECRET_API_KEY
24 |
25 | override fun readLeakyAsset(context: Context): String = try {
26 | context.assets.open("sensitive.txt").use { it.readBytes().toString(Charsets.UTF_8) }
27 | } catch (t: Throwable) {
28 | "Asset missing: ${t.message}"
29 | }
30 |
31 | override suspend fun tryDynamicDexLoad(context: Context, dexOrJarPath: String): String {
32 | return runCatching {
33 | // Interpret input as a simple file name located in the app's external files directory,
34 | // except for the special keyword 'self' which loads the current APK.
35 | val input = dexOrJarPath.trim().trim('"', '\'')
36 | val isSelf = input.equals("self", ignoreCase = true)
37 |
38 | val src: File = if (isSelf) {
39 | File(context.packageCodePath)
40 | } else {
41 | val baseRoot = context.getExternalFilesDir(null) ?: context.filesDir
42 | val nameOnly = File(input).name // guard against paths; keep only the last segment
43 | File(baseRoot, nameOnly)
44 | }
45 |
46 | if (!src.exists()) return@runCatching "Dynamic load failed: File not found at ${src.absolutePath}"
47 | if (!src.isFile) return@runCatching "Dynamic load failed: Not a file: ${src.absolutePath}"
48 |
49 | // If loading external dex/jar by name, copy it into internal code cache first
50 | val loadFile: File = if (!isSelf) {
51 | val nameOnly = src.name
52 | val internalDex = File(context.codeCacheDir, nameOnly)
53 | runCatching {
54 | src.inputStream().use { input ->
55 | internalDex.outputStream().use { output ->
56 | input.copyTo(output)
57 | }
58 | }
59 | }.onFailure { ioErr ->
60 | return@runCatching "Dynamic load failed: IOException while copying to internal cache: ${ioErr.message} (src=${src.absolutePath})"
61 | }
62 | internalDex.setReadable(true, true)
63 | internalDex.setWritable(false, true)
64 | internalDex
65 | } else src
66 |
67 | val optDir = File(context.codeCacheDir, "dexopt").apply { mkdirs() }
68 | val cl = DexClassLoader(loadFile.absolutePath, optDir.absolutePath, null, context.classLoader)
69 |
70 | // Self-load demo
71 | if (isSelf) {
72 | val appBuildConfig = runCatching { cl.loadClass("dev.jamescullimore.android_security_training.BuildConfig") }.getOrNull()
73 | if (appBuildConfig != null) {
74 | val appIdField = runCatching { appBuildConfig.getField("APPLICATION_ID") }.getOrNull()
75 | val versionNameField = runCatching { appBuildConfig.getField("VERSION_NAME") }.getOrNull()
76 | val appId = runCatching { appIdField?.get(null) as? String }.getOrNull()
77 | val versionName = runCatching { versionNameField?.get(null) as? String }.getOrNull()
78 | return@runCatching "Loaded self APK via DexClassLoader: BuildConfig{APPLICATION_ID=$appId, VERSION_NAME=$versionName} (path=${src.absolutePath})"
79 | }
80 | }
81 |
82 | // Preferred demo: dev.training.dynamic.Hello.greet()
83 | val tryPreferred = runCatching {
84 | val k = cl.loadClass("dev.training.dynamic.Hello")
85 | val m = k.getDeclaredMethod("greet")
86 | m.invoke(null) as? String
87 | }.getOrNull()
88 | if (tryPreferred != null) return@runCatching "Loaded dev.training.dynamic.Hello.greet(): ${tryPreferred} (path=${src.absolutePath})"
89 |
90 | // Keep failure simple now
91 | "Dynamic load failed: ClassNotFound for dev.training.dynamic.Hello.greet() (path=${src.absolutePath})"
92 | }.getOrElse { err -> "Dynamic load failed: ${err.javaClass.simpleName}: ${err.message}" }
93 | }
94 |
95 | override fun getSigningInfo(context: Context): String = runCatching {
96 | val digest = signingCertSha256B64(context)
97 | digest
98 | }.getOrElse { err -> "Error: ${err.message}" }
99 |
100 | override fun verifyExpectedSignature(context: Context): Boolean {
101 | // Vulnerable: does not verify expected signature at all
102 | return true
103 | }
104 |
105 | override fun getMethodToBeChangedAndResignedValue(): Boolean {
106 | return false
107 | }
108 |
109 | private fun signingCertSha256B64(context: Context): String {
110 | val pm = context.packageManager
111 | val pkg = context.packageName
112 | val cf = CertificateFactory.getInstance("X509")
113 | val info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
114 | val signInfo = info.signingInfo
115 | val sigs = if (signInfo != null && signInfo.hasMultipleSigners()) signInfo.apkContentsSigners else signInfo?.signingCertificateHistory
116 | val sigBytesList: List = sigs?.map { it.toByteArray() } ?: emptyList()
117 | val first = sigBytesList.firstOrNull() ?: error("No signatures")
118 | val cert = cf.generateCertificate(ByteArrayInputStream(first)) as X509Certificate
119 | val sha = MessageDigest.getInstance("SHA-256").digest(cert.encoded)
120 | return Base64.encodeToString(sha, Base64.NO_WRAP)
121 | }
122 | }
123 |
--------------------------------------------------------------------------------