Ostorlab's Insecure Flutter Apps: A Playground for Learning and Testing Mobile Security

Ostorlab has open-sourced two Flutter applications, designed to be intentionally insecure for testing and educational purposes. The apps, one native to iOS and the other a Java/C++/Flutter app, highlight a variety of common mobile app vulnerabilities. Available under the Apache-2.0 license, they serve as practical resources for understanding Flutter security.

Mon 10 July 2023

We are happy to announce the open-sourcing of two insecure Flutter applications for testing and educational purposes.

The first application is a Flutter-native application focusing on iOS vulnerabilities.

The second application is a Java/C++/Flutter application.

Both repositories are hosted on GitHub and are available under the Apache-2.0 license.

About the Repository

The Ostorlab Insecure Flutter App is a purposely vulnerable Flutter application designed for security testing and education. The application is designed to exhibit a variety of security vulnerabilities that are common in mobile applications. This makes the application a perfect playground for testing and learning about different Flutter security vulnerabilities.

Vulnerabilities Demonstrated

The app demonstrates a wide variety of vulnerabilities, including but not limited to:

  • Biometric None CryptObject: Showcases the weakness of biometric authentication that is not bound to a cryptographic operation, so the prompt's result is not protected by a key.
  • ECB Cipher Mode: Illustrates the weaknesses of using the ECB (Electronic CodeBook) mode of operation for cryptographic ciphers.
  • Insecure Commands: Demonstrates vulnerabilities when insecure or system commands are executed from the application.
  • Reflection API: Provides instances of unsafe usage of reflection APIs.
  • TLS Traffic: Explains the security threats that arise when Transport Layer Security (TLS) connections are improperly configured or validated.
  • Clear Text Traffic: Highlights the risks associated with transmitting sensitive data over clear text traffic.
  • Hardcoded Credentials in URL: Demonstrates the risk of hardcoding sensitive credentials within URLs.
  • Insecure Random: Showcases the issues with using insecure random number generators for sensitive operations.
  • Oracle Padding: Illustrates the potential dangers of padding oracle vulnerabilities, where an application reveals whether decrypted padding was valid.
  • SQLite Database Call: Showcases insecure practices related to SQLite database calls.
  • Webview Insecure Settings: Demonstrates potential vulnerabilities with insecure WebView settings.
  • Command Exec: Displays potential issues when executing system commands.
  • Hash Call: Demonstrates improper usage of hash functions.
  • Insecure Shared Preferences: Shows risks related to insecure handling of shared preferences.
  • Path Traversal: Showcases the potential dangers of path traversal vulnerabilities.
  • Static IV: Demonstrates the security risks associated with using static initialization vectors in encryption.
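Several of the items above (ECB mode, static IV, insecure random, hash calls, clear text traffic, hardcoded credentials in URLs, command execution) are exactly the kind of weakness a static analyser looks for in an app's Java sources, and a deliberately vulnerable app is the natural corpus for checking that the analyser actually flags them. The following is an added example, not code from the Ostorlab repositories: a minimal regex-based rule scanner in Python, run over a constructed Java snippet that contains one instance of each pattern next to two safe lines. The rule names, patterns and the sample source are all assumptions made for illustration.

```python
"""Minimal source-pattern scanner for weaknesses of the kind listed above.

Added example, not part of the Ostorlab repositories. The rules target
Java idioms (the Java/C++/Flutter app); the sample source is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str      # name of the weakness class that matched
    line_no: int   # 1-based line number in the scanned source
    line: str      # the offending line, stripped of surrounding whitespace


# (rule name, compiled pattern). Deliberately simple, line-oriented rules.
RULES: List[Tuple[str, Pattern[str]]] = [
    # AES transformation string requesting Electronic Codebook mode
    ("ECB Cipher Mode", re.compile(r'Cipher\.getInstance\(\s*"AES/ECB')),
    # IvParameterSpec built from a literal string or a literal byte array
    ("Static IV", re.compile(
        r'new IvParameterSpec\(\s*(?:"[^"]*"\.getBytes\(|new byte\[\]\s*\{)')),
    # java.util.Random (not SecureRandom) used for anything security-relevant
    ("Insecure Random", re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')),
    # plain-HTTP URL literal
    ("Clear Text Traffic", re.compile(r'["\']http://')),
    # user:password@ embedded in a URL literal
    ("Hardcoded Credentials in URL",
     re.compile(r'https?://[^/\s"\']+:[^/\s"\']+@')),
    # weak digest algorithms
    ("Hash Call", re.compile(r'MessageDigest\.getInstance\(\s*"(?:MD5|SHA-?1)"')),
    # direct system command execution
    ("Command Exec", re.compile(r'Runtime\.getRuntime\(\)\.exec\(')),
]


def scan(source: str) -> List[Finding]:
    """Return every rule match, in source order; a line may match several rules."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line_no, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per rule, which is what a test corpus comparison needs."""
    counts: dict = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: seven weak lines followed by two acceptable ones.
SAMPLE_JAVA = """\
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
IvParameterSpec iv = new IvParameterSpec("0123456789abcdef".getBytes());
Random r = new Random();
MessageDigest md = MessageDigest.getInstance("MD5");
String url = "http://api.example.com/login?user=admin";
String url2 = "https://admin:s3cret@api.example.com/";
Process p = Runtime.getRuntime().exec(cmd);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
SecureRandom sr = new SecureRandom();
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_JAVA):
        print(f"{finding.line_no:>3}  {finding.rule:<30} {finding.line}")
    print(summarize(scan(SAMPLE_JAVA)))
```

Rules of this shape are cheap but shallow: a transformation string assembled at runtime, an IV read from a constant elsewhere, or the Dart side of the app using a third-party cipher package would all slip past them. That gap is the point of running a scanner against a purposely vulnerable app such as this one; every listed weakness the tool misses is a concrete rule to add.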

How to Contribute

Contributions to the Ostorlab Insecure iOS App are always welcome and appreciated. You can contribute in several ways:

  1. Bug Reports: If you encounter a bug or something that doesn't seem right, create an issue on the GitHub repository to report it.
  2. Enhancement Suggestions: If you have an idea on how to improve the application, feel free to create an issue detailing your suggestion.
  3. Code Contributions: Make pull requests to improve the application. This could be anything from fixing bugs, improving the UI, adding new vulnerabilities to demonstrate, or enhancing the documentation.

Your contributions will not only help improve the application but also contribute to the broader community's understanding of mobile application security.
