Android CTFs

  • CyberTruckChallenge19 - A CTF with three different challenges. The first two are pretty easy, with Java code only, and the third gets more difficult as it introduces native code. The third part is a great complement to the UnCrackable App’s native challenges.
  • DEFCON Quals 2019 VeryAndroidoso - A CTF that focuses more on reversing an algorithm than on finding a hard-coded secret. It has some native code, but can be solved without working with the native code. I found this CTF fairly challenging.
  • EVABS - Beginner-friendly CTF with several challenges of different types. A few of them can be solved with Frida. Great to start with.
  • FridaLab - A small beginner-friendly app with 8 Frida challenges. Great for those who are just starting out with Frida and need to get some practice.
  • h1-702 2018 CTF - A CTF with one flag where you have to brute force a 6-digit PIN code. It relies on native code, but it can be solved using Frida by just working with the Java code.
  • Hacker101 - Several different CTFs of various kinds, including a couple of fairly easy Android CTFs. Some of the challenges, like the Oauthbreaker challenge, can be solved with Frida. A free HackerOne account is needed to do these.
  • hpAndro Vulnerable Application - An Android CTF written in Kotlin which is still under development. It currently has 101 different flags in a wide range of challenges, some of which are suitable for solving with Frida.
  • UnCrackable App - A couple of different CTF apps: the first has only Java code and is also fairly beginner-friendly, the second introduces native code, and the third hides the secret better and adds native anti-tampering code that needs to be bypassed. It’s quite difficult, but entirely possible without prior experience in reversing native code.

Tools

  • dex2jar - Command-line tool for converting APKs to JAR files (among other things).
  • Burp Suite - Popular tool among pen-testers; among other things, it contains an HTTP(S) proxy.
  • Bytecode Viewer - Java/Android decompiler. Haven’t used it much, but it looks like a promising alternative to Jadx.
  • Fiddler - A great, powerful and free http(s) proxy for Windows, my proxy of choice for analyzing, intercepting and modifying http(s) traffic.
  • Frida - Dynamic instrumentation toolkit, and also the main subject of this blog.
  • Ghidra - A free and open-source reverse engineering tool, good as a free alternative to IDA.
  • Jadx - Java decompiler. Quick and easy to use as you can open apk files directly and see the source code.
  • JD-GUI - Java decompiler. Can’t open APK files directly, so tools like dex2jar have to be used on the APK first. But once that’s done, it sometimes produces better results than Jadx.