Skip to content

Reference applications

The applications listed below can be used as training materials. Note: only the MASTG apps and Crackmes are tested and maintained by the MAS project.

Android

Android Crackmes

A set of apps to test your Android application hacking skills - https://mas.owasp.org/crackmes

Android UnCrackable L1

Available at https://mas.owasp.org/crackmes/Android#android-uncrackable-l1

Android UnCrackable L2

Available at https://mas.owasp.org/crackmes/Android#android-uncrackable-l2

Android UnCrackable L3

Available at https://mas.owasp.org/crackmes/Android#android-uncrackable-l3

Android UnCrackable L4

Available at https://mas.owasp.org/crackmes/Android#android-uncrackable-l4

Android License Validator

Available at https://mas.owasp.org/crackmes/Android#android-license-validator

AndroGoat

An open source vulnerable/insecure app using Kotlin. This app has a wide range of vulnerabilities related to certificate pinning, custom URL schemes, Android Network Security Configuration, WebViews, root detection and over 20 other vulnerabilities - https://github.com/satishpatnayak/AndroGoat

DVHMA

A hybrid mobile app (for Android) that intentionally contains vulnerabilities - https://github.com/logicalhacking/DVHMA

Digitalbank

A vulnerable app created in 2015, which can be used on older Android platforms - https://github.com/CyberScions/Digitalbank

DIVA Android

An app intentionally designed to be insecure which has received updates in 2016 and contains 13 different challenges - https://github.com/payatu/diva-android

DodoVulnerableBank

An insecure Android app from 2015 - https://github.com/CSPF-Founder/DodoVulnerableBank

InsecureBankv2

A vulnerable Android app made for security enthusiasts and developers to learn the Android insecurities by testing a vulnerable application. It has been updated in 2018 and contains a lot of vulnerabilities - https://github.com/dineshshetty/Android-InsecureBankv2

MASTG Hacking Playground

A vulnerable Android app with vulnerabilities similar to the test cases described in this document

MASTG Hacking Playground (Java)

Available at https://github.com/OWASP/MASTG-Hacking-Playground/tree/master/Android/MSTG-Android-Java-App

MASTG Hacking Playground (Kotlin)

Available at https://github.com/OWASP/MASTG-Hacking-Playground/tree/master/Android/MSTG-Android-Kotlin-App

OVAA

An Android app that aggregates all the platform’s known and popular security vulnerabilities - https://github.com/oversecured/ovaa

iOS

iOS Crackmes

A set of applications to test your iOS application hacking skills - https://mas.owasp.org/crackmes

iOS UnCrackable L1

Available at https://mas.owasp.org/crackmes/iOS#ios-uncrackable-l1

iOS UnCrackable L2

Available at https://mas.owasp.org/crackmes/iOS#ios-uncrackable-l2

Myriam

A vulnerable iOS app with iOS security challenges - https://github.com/GeoSn0w/Myriam

DVIA

A vulnerable iOS app written in Objective-C which provides a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills - http://damnvulnerableiosapp.com/

DVIA-v2

A vulnerable iOS app, written in Swift with over 15 vulnerabilities - https://github.com/prateek147/DVIA-v2

iGoat

An iOS Objective-C app serving as a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it - https://github.com/owasp/igoat

iGoat-Swift

A Swift version of original iGoat project - https://github.com/owasp/igoat-swift

OVIA

An iOS app that aggregates all the platform’s known and popular security vulnerabilities - https://github.com/oversecured/ovia

UnSAFE Bank

UnSAFE Bank is a core virtual banking application designed with the aim to incorporate the cybersecurity risks and various test cases such that newbie, developers, and security analysts can learn, hack and improvise their vulnerability assessment and penetration testing skills. - https://github.com/lucideus-repo/UnSAFE_Bank