Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Damn Vulnerable Hybrid Mobile App (DVHMA)

Last month, we got interviewed by Hakin9 about one of our “side-projects”: DVHMA - The Damn Vulnerable Hybrid Mobile App. DVHMA is a hybrid mobile app (for Android) that intentionally contains vulnerabilities. Its purpose is to enable security professionals to test their tools and techniques legally, help developers better understand the common pitfalls in developing hybrid mobile apps securely.

We developed it to study pitfalls in developing hybrid apps, e.g., using Apache Cordova or SAP Kapsel, securely. Originally we developed DVHMA as a test case for evaluating static application security testing tools [1]. Hence, the focus was to develop a deeper understanding of injection vulnerabilities that exploit the JavaScript to Java bridge.

Exploiting XSS via the Java-to-JavaScript bridge of Cordova

Today, DVHMA is becoming increasingly popular by penetration testers and forensics experts that want to learn the specifics of Cordova apps.

DVHMA is published under the Apache 2.0 License and you are welcome to participate in its further development. We are currently working on improving DVHMA and hope to be able to release a substantial update in the future.


A. D. Brucker and M. Herzberg, “On the static analysis of hybrid mobile apps: A report on the state of apache cordova nation,” in International symposium on engineering secure software and systems (ESSoS), J. Caballero and E. Bodden, Eds. Heidelberg: Springer-Verlag, 2016, pp. 72–88. doi: 10.1007/978-3-319-30806-7_5.

Welcome to the blog of the Software Assurance & Security Research Team at the University of Exeter. We blog regularly news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.

You can also follow us on Twitter: @logicalhacking.




academia ai android apidesign appsec bitcoin blockchain bpmn browser browserextensions browsersecurity bug certification chrome composition cordova dast devops devsecops dom dsbd efsm epsrc event extensions fixeffort floss formaldocument formalmethods funding hol-ocl hol-testgen humanfactor hybridapps iast industry internetofthings iot isabelle/hol isabelledof isadof latex logic maintance malicous mbst mobile mobile apps modelinference modeling monads monitoring msc ocl ontology opensource owasp patches pet phd phdlife phishing policy protocols publishing reliability research safelinks safety sap sast sdlc secdevops secureprogramming security securityengineering securitytesting semantics servicecomposition skills smartcontract smartthings softwareeinginering softwaresecurity softwaresupplychain solidity staff&positions statemachine studentproject tcb test&proof testing tips&tricks tools transport tuos uk uoe upgrade usability verification vulnerabilities vulnerableapplication webinar websecurity


blog whole site