Damn Vulnerable Bank is an Android application that aims to give everyone an interface for gaining a detailed understanding of the internals and security aspects of Android applications.

How to Use Application

Username | Password  | Account Number | Beneficiaries            | Admin privileges
---------|-----------|----------------|--------------------------|-----------------
user1    | password1 | 111111         | 222222, 333333, 444444   | No
user2    | password2 | 222222         | None                     | No
user3    | password3 | 333333         | None                     | No
user4    | password4 | 444444         | None                     | No
admin    | admin     | 999999         | None                     | Yes


Building the Apk with Obfuscation

List of vulnerabilities in the application

To keep things crisp and interesting, we have hidden this section. Do not expand it if you want a fun and challenging experience. Try to explore the application, find all the possible vulnerabilities, and then cross-check your findings against this list.

Spoiler Alert
  • Root and emulator detection
  • Anti-debugging checks (prevent hooking with Frida, jdb, etc.)
  • SSL pinning – pin the certificate/public key
  • Obfuscate the entire code
  • Encrypt all requests and responses
  • Hardcoded sensitive information
  • Logcat leakage
  • Insecure storage (saved credit card numbers maybe)
  • Exported activities
  • JWT token
  • Webview integration
  • Deep links
  • IDOR

Backend to-do


Thanks to these amazing people

Rewanth Cool (Rest API) Github LinkedIn
Hrushikesh Kakade (Android App) Github LinkedIn
Akshansh Jaiswal (Android App) Github LinkedIn
Download Damn-Vulnerable-Bank
