The Story of how I made a vulnerable Android App VyAPI
Exactly 1 year, 4 months and 5 days ago, I joined the application security company known as Appsecco. The first few months at my workplace had went by in learning just the basics, in knowing my people, and in understanding the company culture. Soon, I knew that I have reached a place that is conducive to self- growth and where possibilities are only limited by your own imagination.
I still remember the day when I did my first ever mobile application vulnerability assessment at Appsecco. It was an iOS app assessment that was supposed to start on a Monday morning. On Friday evening of the prior week, before I left home, I walked up to where Akash Mahajan and Riyaz Walikar were having a conversation over a cup of tea, and asked them if I could carry the iPhone device with me so that I could practice a few things over the weekend. I was pleasantly surprised when Akash smiled and said ‘Yes!’ instantly. I carried the jail-broken iPhone device with me and the next two days went by in a jiffy. I was excited and eager to explore what was in my hand. Everything was going perfect until the Sunday evening, just before the day of the iOS assessment, when I did what Riyaz had clearly asked me not to do. I installed the latest iOS updates on my jail-broken iPhone device in the process of trying out something new. In less than 20 hours, I had an upcoming iOS assessment, and here I was with the latest iOS software running in my testing device. I was frozen with fear! After losing all hope, and when the evening started transitioning into the night, I mustered up courage and called Akash on his mobile phone. He answered the call and I broke the unpleasant news. To my surprise, he did not scold me (not then). I wished I was more careful, but there was no time for feeling sorry. We had to get ready for the assessment anyways. I started thinking about the alternatives. The most obvious thing to do was to use the iOS simulator instead of an actual iOS device for our iOS app vulnerability assessment. I ensured my MacBook was loaded with all the tools and showed up at office the next day. Riyaz shared the assessment details, and seemed to be all calm and composed even though I had done a blunder. No one was scolding me and everyone seemed to be very practical and mature. The assessment went well, and I even reported some interesting security issues in the target iOS app. Once the assessment was over, it was time for reflection. Would things have been different if I had broken the bad news earlier, or not at all? Would I have been the same if I was scolded and not supported when I was already in a mess? What was my takeaway from this whole experience? I realised that I am at a place that gives me room to make mistakes, learn and move ahead.
By now, I was comfortable with the basics of iOS pentesting. However, I became curious to know how is an Android app different from an iOS app? Moreover, iOS pen-testing requires specific (and costly) infrastructure, but same is not true for Android pen-testing.
I glanced at the Android phone that I was holding in my hand.
When I look at people around me at home, in office and in public places, I see that Android rules the mobile market in terms of volume. More people are using Android devices, while, less people are aware of the potential and the hazards that these handheld devices bring along with them. With Internet access becoming cheap and readily available to all, it is a matter of concern that the level of application security awareness among the mobile phone users is not at all satisfactory. Looking at the situation that prevails around me, I often ask myself what could I do to improve this situation? The best answer that I could come up with is to start by educating those in my vicinity. But, the next obvious question that comes to my mind is what am I going to educate my people about? Can I really educate others effectively if I don’t understand the problems myself?
My parents often say to me that the best way to learn is to teach. And, my teachers often told me that the best way to understand something is by taking action and actually doing it.
So, there I was, firing up my Android Studio and Googling like a fanatic. I had decided to build an Android application myself. I wanted to understand Activities, Broadcast Receivers, Content Providers, Services, Inter-Process Communication calls, etc. I had no clue where to start, or, what to achieve at the end! I just knew that I was looking for something. I just knew that things would eventually become clear as I move along. Today, I feel glad that I did not waste time in overthinking and instead spent all my energy in exploring my interest area. Even before I realised, my Android app had started taking a good shape. I was enjoying what I was doing.
My motivation to build and complete the custom Android application increased further when my colleagues appreciated my work. One day, Akash asked me, “What is the name of your Android app”? I took a moment to understand the question because I wasn’t seeing my work from that perspective. Why would I name the Android app, I thought! But, the whole idea of choosing a name did feel great. I approached Google God and asked him to share with me some meaningful Sanskrit words. I was presented with long lists of Sanskrit words along with their meanings. After selecting a handful of Sanskrit words, I settled for that unique term that kind of summarised my emotions behind developing this Android app in the first place. This term was “Vyapi”!
Vyapi means all-pervasive in Sanskrit.
Vyapi refers to what’s spread throughout and it affects all parts of something, just like Android devices are all-pervasive and so are the Android app vulnerabilities. The letters “API” in the term “Vyapi” deserve special attention because I have developed a hybrid Android app that involves making API calls, unlike the native apps. Also, the letter “A” could be easily used to symbolise us, the team at Appsecco. Thus, my Android app finally got its name as VyAPI.
Ever since I started working on VyAPI, each day has been an adventure. Each morning I would think of a new feature, and I would struggle the whole day to make it work. By the end of the day, whenever I managed to make something work, I would feel what could be called as an immense momentary satisfaction. I wouldn’t allow this satisfaction to prevail the next day, because I believe progress stops when we get satisfied. I kept my motivation high by challenging myself every single day. It’s highly possible that what seems challenging to me could be trivial for many others. But, well, it’s my journey! And, I must go through my share of hit and trials, ups and downs.
I believe that what makes VyAPI different from other available vulnerable Android apps is it’s technology stack, and it’s look and feel. I had a great time developing VyAPI and I wish to share my learnings with you through VyAPI. I hope you will find it interesting and fun to learn and use.
I wrote a smaller post detailing the technical details of VyAPI here.
Github Repository
At Appsecco we provide advice, testing, training and insight around software and website security, especially anything that’s online, and its associated hosting infrastructure — Websites, e-commerce sites, online platforms, mobile technology, web-based services etc.
