Dirty Mobile is a vulnerable Android application. It's built around over 20 vulnerable functions, including insecure IPC mechanisms, Activities, WebViews and others. It's made for learning and practicing Android security testing.

- Get yourself a copy of the OWASP Mobile Application Security Verification Standard
- Install the dirtymobile.apk file
- Fire up one of the available functions
- Try to reverse the APK file to find out what's going on underneath (use the source files only as a last resort).
- Find the insecure mechanism in the vulnerable function and try to exploit it. You can also find flags (not always).
- Have fun.

Some WebView functions require you to set up a local website and configure the hosts file to point evilsite.local to your website.