September 19, 2025
Allsafe - Android
An Intentionally Vulnerable Android Application for Security Education
📱 About
Allsafe is an intentionally vulnerable Android application designed for security enthusiasts, pentesters, and developers to learn about Android application security. Unlike typical CTF-style apps, Allsafe simulates a real-world application using modern libraries and technologies, providing a practical learning experience for identifying and exploiting Android vulnerabilities.
🎯 Key Features
- 15+ Security Challenges covering various vulnerability categories
- Modern Tech Stack using current Android development practices
- Frida Challenges for dynamic instrumentation practice
- Real-world Scenarios that mirror actual application vulnerabilities
- Progressive Difficulty from beginner to advanced levels
- Clean UI/UX with a hacker-themed terminal interface
📸 Screenshots
🚀 Installation
Prerequisites
- Android device or emulator (API 23+)
- ADB (Android Debug Bridge) installed
- (Optional) Frida for dynamic analysis challenges
Download & Install
Option 1: Direct APK Installation

```bash
# Download the latest APK from releases
wget https://github.com/t0thkr1s/allsafe/releases/latest/download/allsafe.apk
# Install via ADB
adb install allsafe.apk
```
Option 2: Build from Source

```bash
# Clone the repository
git clone https://github.com/t0thkr1s/allsafe.git
cd allsafe
# Build the APK
./gradlew assembleDebug
# Install the APK
adb install app/build/outputs/apk/debug/app-debug.apk
```
🎮 Challenges
The application contains various security challenges organized by difficulty:
1. Insecure Logging
Simple information disclosure vulnerability. Use the logcat command-line tool to discover sensitive information.
Resources & HackerOne Reports:
Show me how it's done!

```bash
# Find the PID of the running Allsafe process
adb shell 'pidof infosecadventures.allsafe'
```

Take the output and substitute it for [PID] in:

```bash
# Show only this process's log lines and filter for the leaked value
adb shell 'logcat --pid [PID] | grep secret'
```
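The grep above is the quickest check, but when reviewing an app's logging you usually want to parse the logcat output properly, restrict it to the app's PID and look for several sensitive keywords at once. The following is an added example (not part of the Allsafe project) that does this over a constructed sample of `adb logcat -v threadtime` output; the PID 4242, the tags and the log messages are all made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `adb logcat -v threadtime` output (not captured from
# the real app). PID 4242 stands in for the app under test; 1337 is another
# process whose lines must be ignored.
SAMPLE_LOGCAT = """\
09-19 10:12:01.101  4242  4242 D LoginActivity: user=alice
09-19 10:12:01.102  4242  4242 D LoginActivity: secret token=abcd1234
09-19 10:12:01.150  1337  1337 I ActivityManager: Displayed com.example/.Main
09-19 10:12:02.003  4242  4260 V Network: password=hunter2 sent to api
09-19 10:12:02.004  4242  4260 V Network: response 200 OK
"""

# threadtime format: date time PID TID level TAG: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# Keywords that commonly mark sensitive data in log output; extend as needed.
SENSITIVE_RE = re.compile(r"(secret|password|passwd|token|api[_-]?key)", re.I)


@dataclass
class Finding:
    pid: int
    tag: str
    message: str


def parse_line(line):
    """Return the fields of one threadtime log line, or None if it does not parse."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None


def find_sensitive(logcat_text, pid):
    """Return the lines written by `pid` whose message matches a sensitive keyword."""
    findings = []
    for line in logcat_text.splitlines():
        rec = parse_line(line)
        if rec is None or int(rec["pid"]) != pid:
            continue
        if SENSITIVE_RE.search(rec["msg"]):
            findings.append(Finding(int(rec["pid"]), rec["tag"].strip(), rec["msg"]))
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; with a real device, feed it the
    # output of `adb logcat -v threadtime -d` instead.
    for f in find_sensitive(SAMPLE_LOGCAT, 4242):
        print(f"[{f.pid}] {f.tag}: {f.message}")
```

The fix on the application side is simply not to log credentials or tokens at all: on a release build these lines are readable by any process that can run `logcat` with the right permissions, and by anyone with the device attached over ADB.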
2. Hardcoded Credentials
Some credentials are left in the code. Your task is to reverse engineer the app and find sensitive information.
Resources & HackerOne Reports:
3. Root Detection
This is purely for Frida practice. Make the code believe that your device is not rooted!
Show me how it's done!
https://youtu.be/Gg-3Sw79gEI
4. Arbitrary Code Execution
Loading modules securely from third-party apps is not easy. Write a PoC application and exploit the vulnerability!
Resources & HackerOne Reports:
5. Secure Flag Bypass
Another Frida-based task. No real vulnerability here, just have fun bypassing the secure flag!
Resources & HackerOne Reports:
6. Certificate Pinning Bypass
Certificate pinning is implemented using the OkHttp library. You have to bypass it in order to view the traffic with Burp Suite.
Resources & HackerOne Reports:
7. Insecure Broadcast Receiver
There's a vulnerable broadcast receiver in the application. Trigger it with the correct data and you're done!
Resources & HackerOne Reports:
- Android Broadcasts Overview
- ok.ru Broadcast Receiver Exploitation
- Bitwarden Vulnerable Broadcast Receiver
8. Deep Link Exploitation
Similar to the insecure broadcast receiver, you need to provide the right query parameter to complete this task!
Resources & HackerOne Reports:
9. SQL Injection
Just a regular SQL injection that you'd find in web applications. No need to reverse the code to bypass the login mechanism.
Resources & HackerOne Reports:
10. Vulnerable WebView
You can also complete this task without decompiling the application. Pop an alert dialog and read files!
Resources & HackerOne Reports:
11. Smali Patching
In this task, you have to modify the execution flow of the application by editing the Smali code. Finally, rebuild and sign the APK!
Resources & HackerOne Reports:
12. Native Library
The application uses a native library that validates the entered password. Reverse engineer the library to find the password, then use Frida to hook the native method.
Resources & HackerOne Reports:
Show me how it's done!
# TODO
🔧 Useful Tools & Resources
Frida Scripts
Check out my collection of Frida scripts for Android pentesting: https://github.com/t0thkr1s/frida
Recommended Tools
- Static Analysis: JADX, Apktool
- Dynamic Analysis: Frida, Objection
- Network Analysis: Burp Suite, OWASP ZAP
- Reverse Engineering: Ghidra, IDA Pro
🤝 Contributing
Contributions are welcome! Whether you've found a bug, have a suggestion, or want to add a new challenge:
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
💖 Support
If you found this project helpful or valuable, please consider:
- ⭐ Giving it a star on GitHub
- 🐛 Reporting bugs or suggesting improvements
- 💰 Supporting through cryptocurrency donations:
Bitcoin (BTC)
bc1qd44kvj6zatjgn27n45uxd3nprzt6rm9x9g2yc8
Ethereum (ETH)
0x1835a58E866a668C48Ee63d32432C7Fe28aF54b4
📚 Learning Resources
- OWASP Mobile Security Testing Guide
- Android Security Documentation
- Frida Documentation
- HackerOne Android Reports
📝 Writeups
⚠️ Disclaimer
This application is designed for educational purposes only. It should only be used in controlled environments where you have explicit permission. The developers assume no liability and are not responsible for any misuse or damage caused by this application.
Do not use this application:
- On devices you don't own
- In production environments
- For illegal purposes
- Without proper authorization
📄 License
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Happy Hacking! 🚀