Damn Vulnerable Android Components (DVAC) is an educational Android application intentionally designed to expose and demonstrate vulnerabilities related to various Android components such as Activities, Intents, Content Providers, and Broadcast Receivers. It is structured as a password manager application to manage and store passwords securely (LOL).
Inspired by the pioneering work of the Sieve application, which focused on similar vulnerabilities but is now outdated and incompatible with newer Android versions, DVAC aims to fill the gap by providing a modern, up-to-date platform for learning about Android security. DVAC provides a hands-on learning experience for beginners in Android pentesting and cybersecurity, and was developed with beginners in mind who find it difficult to get a proper lab for learning Android pentesting.
🇮🇳 Handcrafted in India
There are a total of 14 vulnerabilities in Damn Vulnerable Android Components -
- Hardcoded Credentials
- Bypass Login via Exported Activity
- Insecure Storage
- Insecure Exported Activity With Intent - Changing the password
- Changing the Password via Broadcast Receiver
- SQL Injection Content Provider
- Path Traversal Content Provider
- Exposed Service Over Ports
- Exposed Service Over Messaging
- Privilege Escalation - Pending Intent
- Denial Of Service via Broadcast Receiver
- Broadcast Sniffing
- Access Non-Exported Activity
- Access Non-Exported Content Provider
Read the official writeup - https://medium.com/@zinjacoder/the-dvac-damn-vulnerable-android-components-the-sieve-apk-reborn-writeup-e096600ec27d
The development of DVAC was inspired by the Sieve APK, another vulnerable application focusing on Android component vulnerabilities. However, Sieve is outdated and does not function properly on newer versions of Android. DVAC aims to provide similar functionality while working on modern Android versions.
- Tested on both virtual and physical devices
- Tested on Android v12
- Download the latest release from Releases.
- Install it either by drag and drop if you are using a virtual device or using adb:
adb install DVACv1.apk
Contributions to DVAC are welcome and encouraged! You can contribute to the project in the following ways:
Report Bugs: If you encounter any bugs or issues while using DVAC, please open an issue on GitHub. This helps us identify and fix problems quickly.
Fix Issues: If you're a developer, consider fixing open issues in the repository. Your contributions can improve the overall quality of DVAC.
Enhancements: You can suggest enhancements or new features by creating an issue on GitHub. We value your input and ideas for making DVAC better.
Feedback: Share your feedback and suggestions for improving DVAC. Your input helps us understand how users are using the app and how we can make it more useful.
Spread the Word: Help us reach more people by sharing DVAC on social media, with your friends and colleagues, and in communities interested in Android pentesting and cybersecurity.
Contributions are extremely easy to make and equally important. All you have to do is -
- Star the Repository
If you find DVAC useful, consider starring the GitHub repository. This simple action helps raise awareness of the project among other Android Pentesters, developers and enthusiasts.
- Share with Others
Share DVAC with your friends, colleagues, and on social media platforms. Spread the word about this educational tool to help more people learn about Android pentesting and cybersecurity.
- Write Write-ups and Tutorials
Write-ups and tutorials about your experiences with DVAC can be incredibly valuable. Share your insights, tips, and tricks for using the app effectively. These resources can help others understand the vulnerabilities better and learn how to mitigate them.
- Make its Presence Known on Social Media
Share DVAC on social media platforms like Twitter, LinkedIn, and others. Use hashtags related to cybersecurity, Android development, and pentesting to reach a wider audience. Your posts can encourage others to explore the app and contribute to its development.
Contributing to DVAC is easy and can be done in many ways. Your support and contributions are highly appreciated and help make DVAC a better learning resource for everyone.
This app is designed to be a learning tool and should only be used for educational and ethical purposes. It is not intended for any malicious or illegal activities. Users are solely responsible for ensuring that their use of the app complies with all applicable laws and regulations. The developer(s) of this app disclaim any liability for misuse or damage caused by the app.
DVAC is licensed under the GNU General Public License (GPL), which means that it is open-source software and can be freely used, modified, and distributed by anyone. You can find the full text of the license in the LICENSE file in the repository.
If you have any questions, suggestions, or feedback, feel free to connect with me on:
LinkedIn: jafar-pathan Twitter: @zinja_coder Threads: jafar.khan.pathan_
The Browser Bruter: The FIRST-EVER! browser-based web application penetration testing tool.