Hackers of India

VyAPI

By  Riddhi Shree  on 06 Mar 2020 @ Nullcon

This Tool Demo covers following tools where the speaker has contributed or authored
VYAPI

Abstract

VyAPI is a hybrid Android app that’s vulnerable by design. We call it VyAPI, because it’s flaws are pervasive and it communicates not just via IPC calls but API calls, too.

Amazon Cognito has been used to handle authentication, authorization and user management. AWS Amplify Console has been used to consume the Authentication APIs provided by AWS Amplify Authentication module. Room persistence library has been used to handle data in the local SQLite database. GLide API has been used to load images. AndroidX libraries and JAVA programming language have been used to develop the business logic of VyAPI Android app.

We know how to attack activities, but, what could change with fragments coming into the picture? There might be a case where we just have one activity, but multiple fragments (each rendering a different functionality) in our Android app. VyAPI will allow you to experience this behavior of our modern day Android apps.

VyAPI is different not only in terms of its look and feel, but also in terms of latest technologies being used to build it. Following primary tools and technologies have been used to develop VyAPI:

AWS Amplify CLI AWS SDK for Android 10 Amazon Cognito OpenJDK 1.8.0_152-release 5. Glide v4 Room Persistence Library Gradle 5.1.1 Modern technologies are eliminating security risks by blocking vulnerable features by default. However, not all vulnerabilities could go away that easily. Also, with new technologies come new security vulnerabilities. Security misconfigurations, business logic flaws, and poor coding practices are evergreen vulnerabilities. VyAPI is the vulnerable hybrid Android app which can be used by our security enthusiasts to get a hands-on experience of a variety of modern and legacy Android app vulnerabilities.