This repository contains the source code for an iOS app intentionally made vulnerable for testing purposes. The app is designed to exhibit a wide variety of security vulnerabilities that are common in mobile applications. It's recommended to use this app as a playground to test and learn about different iOS security vulnerabilities.
Here are the vulnerabilities that the app demonstrates:
-
Biometric None Cryptobject (
biometric_none_cryptobject.dart): Demonstrates vulnerabilities associated with incorrect implementation or lack of cryptographic protection in biometric authentication. -
ECB Cipher Mode (
ecb_cipher_mode.dart): Shows the weaknesses of using the ECB (Electronic CodeBook) mode of operation for cryptographic ciphers. -
Insecure Commands (
insecure_commands.dart): Illustrates vulnerabilities when insecure or system commands are executed from the application. -
Reflection API (
reflection_api.dart): Provides instances of unsafe usage of reflection APIs. -
TLS Traffic (
tls_traffic.dart): Illustrates potential security threats when using unencrypted or improperly encrypted Transport Layer Security (TLS) traffic. -
Clear Text Traffic (
clear_text_traffic.dart): Highlights the risks associated with transmitting sensitive data over clear text traffic. -
Hardcoded Credentials in URL (
hardcoded_creds_in_url.dart): Demonstrates the risk of hardcoding sensitive credentials within URLs. -
Insecure Random (
insecure_random.dart): Showcases the issues with using insecure random number generators for sensitive operations. -
Oracle Padding (
oracle_padding.dart): Illustrates the potential dangers of oracle padding vulnerabilities. -
SQLite Database Call (
sqlite_database_call.dart): Showcases insecure practices related to SQLite database calls. -
Webview Insecure Settings (
webview_insecure_settings.dart): Demonstrates potential vulnerabilities with insecure WebView settings. -
Command Exec (
command_exec.dart): Displays potential issues when executing system commands. -
Hash Call (
hash_call.dart): Demonstrates improper usage of hash functions. -
Insecure Shared Preferences (
insecure_shared_preferences.dart): Shows risks related to insecure handling of shared preferences. -
Path Traversal (
path_traversal.dart): Showcases the potential dangers of path traversal vulnerabilities. -
Static IV (
static_iv.dart): Demonstrates the security risks associated with using static initialization vectors in encryption.
Please follow the standard iOS application building process for installation.
// TODO.
To use the app, simply run it on your iOS device or emulator. You can explore different vulnerabilities by navigating through the app's UI.
// TODO
This app is intentionally vulnerable and therefore not intended for production use. Use it at your own risk. The authors are not responsible for any misuse or damage caused by this program.
Contributions are always welcome! Please feel free to create issues for bug reports or enhancement suggestions, and make pull requests to improve the application.
Follow these steps to build and install the Ostorlab Insecure ios App:
- Clone the repository. Clone the repository: Run the following command in your terminal or command prompt to clone the repository to your local machine:
git clone https://github.com/Ostorlab/ostorlab_insecure_ios_app- Navigate to the Flutter project: Change directory to the ostorlab_insecure_ios_app directory within the cloned repository:
cd ostorlab_insecure_flutter_app - Get Flutter dependencies: Run the following command to fetch the required dependencies for the Flutter project:
flutter pub get- Build the Flutter project: Run the following command to build the Flutter project:
flutter build ios- Open the project in Xcode: Run the following command to open the project in Xcode:
open ios/Runner.xcworkspace- Select a development team: In Xcode, select a development team to use for provisioning the app. To do this, select a team from the Signing & Capabilities tab of the Runner project.
- Build and run the app: In Xcode, click the Run button to build and run the app on your iOS device or emulator.