This page has information about the automated app analysis system — you will need to interact with it to solve the app development and exploitation challenges!

Overview. To solve the app dev and exploitation challenges, you need to write your own Android app (APK), submit it to the automated analysis system, and somehow find a way to get the flag out it. To submit an app, go to "APK Submissions" tab at challs.reyammer.io/apks, select your APK, indicate which challenge you are trying to solve, and hit the "Submit APK" button. The system will then pick it up, and analyze it. You will then be able to see a dedicated report, with the analysis status and the logs.

Getting output out of the system. To get information out of the system, you can use the standard Android logging mechanism. However, only logs with the tag "MOBISEC" will appear in the public log. Example: Log.e("MOBISEC", "example log message");.

Analysis. The automated analysis consists of the following steps: 1) restore the emulator to a clean snapshot; 2) if the challenge has a target app (that you need interact with or that you need to hack), install it and start its main activity; 3) install the submitted app and start its main activity; 4) wait for about 10 to 15 seconds; 5) wrap the analysis up and produce the logs. The website shows you the position of your APK in the analysis queue (the analysis follows FIFO policy).

Setup. The analysis system runs a standard (non-rooted) Android emulator (installed via Android Virtual Device Manager), with target Android 9.0 (Google Play), API 28. When no specific info about the apps is provided, you can assume minSdkVersion=22 and targetSdkVersion=28.

Permissions. Your app can request all non-system permissions (i.e., normal and dangerous (run-time) permissions). The analysis system will automatically grant all the permissions declared in the app's manifest just after the installation step.

Suggestions on how to approach the challenges. Debugging remotely can be tricky and time consuming. Here there are some suggestions: 1) have a working local setup, with an emulator with the same version of Android; 2) always get your local test working before submitting to the system; 3) wrap all your code with a huge try/catch so that you have a chance to dump the details about exceptions you did not think about (protip: use Log.getStackTraceString(exc) to get a nicely formatted traceback).

What if you find unintended bugs in the system? Folks, this is a website for educational purposes, and the software that is putting this non-trivial infrastructure together is ducktape-level. Please, if you find bugs in the system, let me know without destroying everything and ruining the fun for other people. Your eliteness will be publicly acknowledged on this website :-)

You can find the challenges at challs.reyammer.io. Enjoy!