I'm pleased to release the challenges of my MOBISEC class! This can be seen as a wargames website focused on mobile security. The current challenges have been designed for a grad-level class, so they are on the easy side (but some of them are not super trivial). The focus is on Android-related aspects — if you are interested in binary-related aspects, there are so many other amazing wargames websites (w3challs.org, pwnable.kr, ...).

There are three sets of challenges:

Android app development. (Not released yet.) This set of challenges pushes you to play with the different low-level / security-relevant features of Android app development. They are not strictly security-related, but they will force you to understand how certain important APIs work, how to think out of the box, and will force you to have a decent local debug setup (which is super useful for the exploitation challenges). For this homework, you will need to write your own app and submit it to the system, which will then pick it up and run it on the emulator (which somehow contains the associated flag).

Reversing. This homework introduces you to reverse engineering. Each challenge consists in an Android app, and each app contains a functionality to check if a flag you provide is "valid". If you run the app, you will see a simple UI with a "check flag" button. Your goal is to find a flag that is considered as valid by the system. There is only one valid flag for each challenge (if you find more, let me know...). Once you have a valid flag, submit it to get your points.

Exploitation. (Not released yet.) This homework is all about Android app exploitation. Each challenge consists in a vulnerable app, which somehow contains / stores a flag. For this homework, you will need to write your exploit as an Android app and submit it to the system. The system will then run your app on an emulator, which also contains the "target", vulnerable APK. Leak the flag and submit it!

Important: PLEASE do NOT discuss these challenges and their solutions online. You can point people to the website scoreboard to show that you are good. Posting solutions online will spoil the fun for others, and it will make you look lame. Very lame. Don't be lame.

Note for instructors: I can provide you with the source code of these challenges so that you can adapt them a bit to your needs. If interested, please fill this form and I'll get back to you as soon as possible.

You can find the challenges at challs.reyammer.io. Enjoy!