Paladion Labs

Paladion's AppSec tools for Mobile Enthusiasts

InsecureBank

Paladion's vulnerable Android application, "InsecureBank", is made for security enthusiasts and developers to learn about Android insecurities by testing this vulnerable application. The server component, written in Python, can be downloaded here. The client component, the Android InsecureBank.apk, can be downloaded here. The vulnerabilities that can be learnt using this application are:

  • Information Sniffing due to Unencrypted Transport medium
  • Sensitive information disclosure via Property Files
  • Sensitive information disclosure via SD card storage
  • Sensitive information disclosure via SQLite DB
  • Sensitive information disclosure via Device and Application Logs
  • Sensitive information disclosure via Side Channel Leakage
  • Malicious Activity via parameter Manipulation
  • Malicious Activity via Clientside XSS
  • Malicious Activity due to insecure WebView implementation
  • Sensitive information leakage due to hardcoded secrets
  • Sensitive information leakage due to weak encryption algorithm
  • Malicious Activity via Backdoor
  • Malicious Activity via Reverse Engineering

Automation Script

Paladion's Mobile Security Team has developed an automation script that helps with quick static analysis of Android vulnerabilities. The script is a batch file that prompts the user for the path of the Android application code to be analysed. The script has detection parameters pre-configured in it, which are run over the application code. The result is a list of text files, one for each vulnerability class. These text files are the primary source of vulnerability identification: a hit does not always directly flag a vulnerability, but it can serve as the pointer from which to start a manual review. The script is particularly useful for larger applications.

Click here to download the script

Below is the list of checks that the script tests for:

  • Code to check for presence of HTML Sensitive Information
  • Code to check for insecure usage of SharedPreferences
  • Code to check for possible TapJacking attack
  • Code to check usage of external storage card for storing information
  • Code to check for possible JavaScript injection
  • Code to check for presence of possible weak algorithms
  • Code to check for weak transportation medium
  • Code to check for Autocomplete ON
  • Code to check for presence of possible SQL content
  • Code to check for Logging mechanism
  • Code to check for Information in Toast messages
  • Code to check for Debugging status
  • Code to check for presence of Device Identifiers
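As an added illustration of how such pattern-based static checks work (example code written for this page, not Paladion's batch script), the Python below runs a subset of the checks above as regexes over constructed sample Android source and writes one text file per check, the way the script does. The check names, regexes and sample lines are assumptions, and a hit is a pointer for manual review rather than a confirmed vulnerability.

```python
import os
import re
from collections import defaultdict

# Constructed sample Android source (not InsecureBank's code), one pattern per check.
SAMPLE_SOURCE = {
    "LoginActivity.java": [
        'Log.d("Login", "password=" + password);',
        'SharedPreferences p = getSharedPreferences("creds", MODE_WORLD_READABLE);',
        'String url = "http://bank.example/api/login";',
        'Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");',
        'File f = new File(Environment.getExternalStorageDirectory(), "txn.log");',
    ],
    "WebActivity.java": [
        'webView.getSettings().setJavaScriptEnabled(true);',
        'webView.loadUrl("javascript:" + userInput);',
        'String id = telephonyManager.getDeviceId();',
    ],
}

# One regex per check category (assumed patterns); a hit means "review this line".
CHECKS = {
    "SharedPreferences": re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),
    "ExternalStorage": re.compile(r"getExternalStorage(Public)?Directory\("),
    "JavaScriptInjection": re.compile(r'setJavaScriptEnabled\(true\)|loadUrl\("javascript:'),
    "WeakAlgorithm": re.compile(r'"(DES|RC4|MD5|SHA1)|/ECB/'),
    "WeakTransport": re.compile(r'"http://'),
    "Logging": re.compile(r"\bLog\.[vdiwe]\("),
    "DeviceIdentifier": re.compile(r"getDeviceId\(|getSubscriberId\(|ANDROID_ID"),
}

def scan(sources):
    """Run every check over every line; return {check: [(file, line_no, text)]}."""
    findings = defaultdict(list)
    for fname, lines in sources.items():
        for no, line in enumerate(lines, 1):
            for name, pattern in CHECKS.items():
                if pattern.search(line):
                    findings[name].append((fname, no, line.strip()))
    return dict(findings)

def write_reports(findings, outdir):
    """Write one text file per check that fired; return the sorted file names."""
    os.makedirs(outdir, exist_ok=True)
    for name, hits in findings.items():
        with open(os.path.join(outdir, name + ".txt"), "w") as fh:
            fh.writelines(f"{f}:{n}: {t}\n" for f, n, t in hits)
    return sorted(os.listdir(outdir))
```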

Case Study

Project - Holistic & Continual Security Management. The client is a fast-growing private sector retail bank. Ensuring security of banking transactions and customer privacy has been a norm for the bank since its inception.


Testimonial

“I was very pleased with the overall effort of the Paladion Networks team. They provided qualified..”
Bill Dziwura,
Executive Officer/CIO
Office of the Pardon Attorney
Department of Justice, USA


Plynt

Paladion tests and certifies your application against security risks. 300+ organizations in 25 US states and 15 nations worldwide benefit from the Plynt security testing program.
