
satishpatnayak/AndroGoat



AndroGoat

A Vulnerable Android Application built with Kotlin


For security testers, security professionals, security enthusiasts, and developers.


📖 Overview

AndroGoat is a deliberately vulnerable open-source Android application written in Kotlin. It serves as a learning tool for security professionals and developers to understand, exploit, and defend against vulnerabilities on the Android platform. As the first vulnerable app developed natively in Kotlin, AndroGoat is a good starting point for anyone looking to learn modern Android application security testing.

I strongly believe AndroGoat will help many people learn Android Application Security Testing.

Happy learning!

📢 AndroGoat was presented at:

and many more


📚 AndroGoat in OWASP MASTG

The OWASP MASTG (formerly the MSTG) lists AndroGoat as reference app MASTG-APP-0001: https://mas.owasp.org/MASTG/apps/android/MASTG-APP-0001/


🚀 Getting Started

⚙️ Installation

  1. Download the APK: Grab the latest compiled APK from the releases page.

  2. Install on Device/Emulator: Allow installation from unknown sources (on Android 8 and later this is a per-app grant under Settings > Apps > Special app access > Install unknown apps) and install the APK, or sideload it from a workstation with adb install <path to APK>. AndroGoat is deliberately insecure, so keep it on a dedicated test device or emulator rather than on a phone holding real data.


🆕 New Exercises

  1. Certificate Pinning – Network Security Config
  2. Hardcoding issues – AI
  3. Hardcoding issues – Cloud Service
  4. Input Validations – QR Code
  5. Unprotected Android Components – Content Providers
  6. Biometric Authentication
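The Network Security Config exercises (certificate pinning via the config, and a misconfigured config) come down to a handful of XML settings: whether cleartext traffic is permitted, which trust anchors are honoured, and whether a domain has a pin-set with a backup pin and an expiry. The checker below is an added example for this README, not AndroGoat project code; it parses the decoded res/xml/network_security_config.xml that an app ships and reports those settings. Both configs it carries are constructed for illustration: the hostname and the pin values are placeholders, not digests of any real certificate.

```python
"""Static audit of an Android Network Security Config.

Added example for this README, not AndroGoat project code. Both configs
below are constructed; api.example.com and the pin values are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed weak config: cleartext allowed everywhere, user-installed CAs
# trusted (a proxy CA added in Settings can then intercept TLS), and no pins.
WEAK_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
</network-security-config>
"""

# Constructed hardened config: no cleartext, system CAs only, two SHA-256
# pins (one is the backup) and an expiry so a missed key rotation falls back
# to normal CA validation instead of bricking the app. Pin values are fake.
HARDENED_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2027-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def _cleartext_permitted(elem, inherited: bool) -> bool:
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.lower() == "true"


def _trusts_user_cas(elem) -> bool:
    """True if a <trust-anchors> directly under this element lists src="user"."""
    anchors = elem.find("trust-anchors")
    if anchors is None:
        return False
    return any(c.get("src") == "user" for c in anchors.findall("certificates"))


def audit_nsc(xml_text: str, target_sdk: int = 33) -> list[str]:
    """Return human-readable findings for one network security config.

    target_sdk decides the platform default when base-config is silent:
    cleartext is allowed by default below API 28 and blocked from 28 on.
    """
    findings = []
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_cleartext = target_sdk < 28
    if base is not None:
        base_cleartext = _cleartext_permitted(base, base_cleartext)
        if _trusts_user_cas(base):
            findings.append("base-config trusts user-installed CAs (TLS interception needs no root)")
    if base_cleartext:
        findings.append("cleartext traffic permitted by default (base-config)")
    # Top-level domain-config blocks only; nested domain-config inherits from
    # its parent and is left out of this example.
    for dc in root.findall("domain-config"):
        hosts = ", ".join(d.text.strip() for d in dc.findall("domain") if d.text)
        if _cleartext_permitted(dc, base_cleartext):
            findings.append(f"cleartext traffic permitted for {hosts}")
        if _trusts_user_cas(dc):
            findings.append(f"user-installed CAs trusted for {hosts}")
        pin_set = dc.find("pin-set")
        if pin_set is None:
            findings.append(f"no certificate pins for {hosts}")
            continue
        if len(pin_set.findall("pin")) < 2:
            findings.append(f"pin-set for {hosts} has no backup pin")
        if pin_set.get("expiration") is None:
            findings.append(f"pin-set for {hosts} never expires")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_NSC), ("hardened", HARDENED_NSC)):
        print(f"{label}: {audit_nsc(cfg) or ['no findings']}")
```

Two caveats when reading the output: pins declared this way are enforced by the platform TLS stack on API 24 and later only, so an app that installs its own TrustManager (the OkHttp3 pinning exercise is the other route) is not covered by this file; and because the config is a resource inside the APK, a tester on a rooted device or with a repackaged build can simply edit it out, which is what the binary patching exercise is about.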

🐞 All Vulnerabilities covered in this app:

  1. Root Detection
  2. Emulator Detection
  3. Insecure Data Storage – Shared Prefs 1
  4. Insecure Data Storage – Shared Prefs 2
  5. Insecure Data Storage – SQLite
  6. Insecure Data Storage – Temp Files
  7. Insecure Data Storage – SD Card
  8. Keyboard Cache
  9. Insecure Logging
  10. Input Validations – XSS
  11. Input Validations – SQLi
  12. Input Validations – WebView
  13. Input Validations – QR Code
  14. Unprotected Android Components – Activity
  15. Unprotected Android Components – Service
  16. Unprotected Android Components – Broadcast Receivers
  17. Unprotected Android Components – Content Providers
  18. Insecure Clipboard Usage
  19. Hardcoding issues – Shopping Cart
  20. Hardcoding issues – AI
  21. Hardcoding issues – Cloud Service
  22. Network intercepting – HTTP
  23. Network intercepting – HTTPS
  24. Network intercepting – Certificate Pinning (OkHttp3)
  25. Network intercepting – Certificate Pinning (Network Security Config)
  26. Misconfigured network_security_config.xml
  27. Android debuggable (android:debuggable)
  28. Android allowBackup (android:allowBackup)
  29. Custom URL Scheme
  30. Broken Cryptography
  31. Misconfigured Firebase DB
  32. Binary Patching
  33. Biometric Authentication
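Several of the exercises above (the four Unprotected Android Components items, Android debuggable, Android allowBackup, and Custom URL Scheme) are visible in the manifest before any dynamic testing starts. The checker below is an added example for this README, not AndroGoat project code: it walks a decoded AndroidManifest.xml and reports the debuggable and allowBackup flags, every exported component that has no permission guarding it, components that are exported only implicitly through an intent-filter, and custom URL schemes. The manifest it carries is constructed for illustration, with placeholder package, component and scheme names; a real APK stores the manifest as binary XML, so decode it first (for example with apktool) and pass the text in.

```python
"""Static audit of a decoded AndroidManifest.xml.

Added example for this README, not AndroGoat project code. The manifest
below is constructed; com.example.vulnapp, its components and the vulnapp://
scheme are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest mixing the flags and component patterns under test.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnapp">
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:name=".SecretActivity" android:exported="true" />
        <activity android:name=".DeepLinkActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />
                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="vulnapp" android:host="login" />
            </intent-filter>
        </activity>
        <activity android:name=".InternalActivity" android:exported="false" />
        <service android:name=".TokenService" android:exported="true" />
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED" />
            </intent-filter>
        </receiver>
        <provider android:name=".NotesProvider"
            android:authorities="com.example.vulnapp.notes"
            android:exported="true" />
    </application>
</manifest>
"""


def _attr(elem, name: str):
    """Fetch an android:-namespaced attribute such as android:exported."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text: str) -> list[str]:
    """Return human-readable findings for one decoded manifest."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append("android:debuggable=true: run-as and a JDWP debugger work on any device")
    if _attr(app, "allowBackup") != "false":
        findings.append("android:allowBackup not false: private files can be pulled with adb backup")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = _attr(comp, "name")
        exported = _attr(comp, "exported")
        if exported is None:
            # Legacy default: a component with an intent-filter is exported.
            # Android 12+ refuses to install such manifests when targetSdk >= 31,
            # so this only shows up in older builds.
            is_exported = comp.find("intent-filter") is not None
            if is_exported:
                findings.append(f"{comp.tag} {name}: implicitly exported via intent-filter (android:exported missing)")
        else:
            is_exported = exported == "true"
        if not is_exported:
            continue
        launcher = any(_attr(c, "name") == "android.intent.category.LAUNCHER" for c in comp.iter("category"))
        guarded = any(_attr(comp, a) for a in ("permission", "readPermission", "writePermission"))
        if not guarded and not launcher:
            findings.append(f"{comp.tag} {name}: exported without a permission")
        for data in comp.iter("data"):
            scheme = _attr(data, "scheme")
            if scheme and scheme not in ("http", "https"):
                findings.append(f"{comp.tag} {name}: custom URL scheme {scheme}:// (any app or web page can launch it)")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(MANIFEST):
        print(finding)
```

Each finding maps to a follow-up on the device: an exported activity or service is reached with am start / am startservice, a receiver with am broadcast, a provider with content query, and a custom scheme with am start -a android.intent.action.VIEW -d scheme://..., which is where the dynamic part of these exercises begins.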

🤝 Contributing

We welcome contributions from the community!

  1. Create a PR
  2. Reach out to me at [email protected]

📄 Documentation

Documentation can be found at https://medium.com/androgoat


🌟 Support the Project

Love AndroGoat? Give us a ⭐ on GitHub!