DVHMA

Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.

https://gitlab.com/Scofield01/DVHMA

Science Score: 31.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
  • .zenodo.json file
  • DOI references
    Found 4 DOI reference(s) in README
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.1%) to scientific vocabulary
Last synced: 10 months ago · JSON representation ·

Repository

Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.

Basic Info
  • Host: gitlab.com
  • Owner: Scofield01
  • Default Branch: master
Statistics
  • Stars: 0
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created almost 8 years ago
Metadata Files
Readme License Citation

README.md

DVHMA

Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities. Its purpose is to enable security professionals to test their tools and techniques legally, help developers better understand the common pitfalls in developing hybrid mobile apps securely.

Motivation and Scope

This app is developed to study pitfalls in developing hybrid apps, e.g., using Apache Cordova or SAP Kapsel, securely. Currently, the main focus is to develop a deeper understanding of injection vulnerabilities that exploit the JavaScript to Java bridge.

Installation

Prerequisites

We assume that the * Android SDK (https://developer.android.com/sdk/index.html) and * Apache Cordova (https://cordova.apache.org/), version 8.0.0 (later versions might work)

Moreover, we assume a basic familiarity with the build system of Apache Cordova.

Building DVHMA

Setting Environment Variables

export ANDROID_HOME=<Android SDK Installation Directory>
export PATH=$ANDROID_HOME/tools:$PATH
export PATH=$ANDROID_HOME/platform-tools:$PATH

Compiling DVHMA

cd DVHMA-Featherweight
cordova plugin add ../plugins/DVHMA-Storage
cordova plugin add ../plugins/DVHMA-WebIntent 
cordova platform add android
cordova compile android

Running DVHMA in an Emulator

cordova run android 

Team Members

The development of this application started as part of the project ZertApps. ZertApps was a collaborative research project funded by the German Ministry for Research and Education. It is now developed and maintained by the Software Assurance & Security Research Team at The University of Sheffield, UK.

The core developers of DVHMA are: * Achim D. Brucker * Michael Herzberg

License

This project is under the Apache 2.0 License.

Publications

Citation (CITATION)

To cite the use of this application, please use 

  Achim D. Brucker and Michael Herzberg. On the Static Analysis of
  Hybrid Mobile Apps: A Report on the State of Apache Cordova
  Nation. In International Symposium on Engineering Secure Software
  and Systems (ESSoS). Lecture Notes in Computer Science (9639), pages
  72-88, Springer-Verlag, 2016.  doi: :10.1007/978-3-319-30806-7_5

A BibTeX entry for LaTeX users is

@InCollection{	  brucker.ea:cordova-security:2016,
  author	= {Achim D. Brucker and Michael Herzberg},
  booktitle	= {International Symposium on Engineering Secure Software and
		  Systems (ESSoS)},
  language	= {USenglish},
  editor	= {Juan Caballero and Eric Bodden},
  publisher	= {Springer-Verlag},
  pages		= {72--88},
  talk		= {talk:brucker.ea:cordova-security:2016},
  address	= {Heidelberg},
  series	= {Lecture Notes in Computer Science},
  number	= {9639},
  title		= {On the Static Analysis of Hybrid Mobile Apps: A Report on
		  the State of Apache Cordova Nation},
  year		= {2016},
  isbn		= {978-3-642-11746-6},
  classification= {conference},
  areas		= {security, software},
  public	= {yes},
  doi		= {10.1007/978-3-319-30806-7_5},
  pdf		= {https://www.brucker.ch/bibliography/download/2016/brucker.ea-cordova-security-2016.pdf},
  abstract	= {Developing mobile applications is a challenging business:
		  developers need to support multiple platforms and, at the
		  same time, need to cope with limited resources, as the
		  revenue generated by an average app is rather small. This
		  results in an increasing use of cross-platform development
		  frameworks that allow developing an app once and offering
		  it on multiple mobile platforms such as Android, iOS, or
		  Windows.
		  
		  Apache Cordova is a popular framework for developing
		  multi-platform apps. Cordova combines HTML5 and JavaScript
		  with native application code. Combining web and native
		  technologies creates new security challenges as, e.g., an
		  XSS attacker becomes more powerful.
		  
		  In this paper, we present a novel approach for statically
		  analysing the foreign language calls. We evaluate our
		  approach by analysing the top Cordova apps from Google
		  Play. Moreover, we report on the current state of the
		  overall quality and security of Cordova apps. },
  keywords	= {static program analysis, static application security
		  testing, Android, Cordova, hybrid mobile apps},
  url		= {https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016}
}

Dependencies

DVHMA-OpenUI5/www/resources/sap/ui/thirdparty/licenses/requireJS-MIT-LICENSE.txt pypi
  • AUTHORSORCOPYRIGHTHOLDERSBELIABLEFORANYCLAIM ,DAMAGESOROTHER
  • Copyright *
  • FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.INNOEVENTSHALLTHE *
  • IMPLIED ,INCLUDINGBUTNOTLIMITEDTOTHEWARRANTIESOFMERCHANTABILITY,
  • LIABILITY ,WHETHERINANACTIONOFCONTRACT,TORTOROTHERWISE,ARISINGFROM,
  • OUTOFORINCONNECTIONWITHTHESOFTWAREORTHEUSEOROTHERDEALINGSIN *
  • Permissionisherebygranted ,freeofcharge,toanypersonobtainingacopy
  • THESOFTWARE. *
  • THESOFTWAREISPROVIDED *
  • Theabovecopyrightnoticeandthispermissionnoticeshallbeincludedin *
  • allcopiesorsubstantialportionsoftheSoftware. *
  • copiesoftheSoftware ,andtopermitpersonstowhomtheSoftwareis
  • furnishedtodoso ,subjecttothefollowingconditions
  • intheSoftwarewithoutrestriction ,includingwithoutlimitationtherights
  • ofthissoftwareandassociateddocumentationfiles *
  • touse ,copy,modify,merge,publish,distribute,sublicense,and