• Goa 2020
  • AMMO
  • VyAPI



Tool Name:



Riddhi Shree


VyAPI is a hybrid Android app that's vulnerable by design. We call it VyAPI because its flaws are pervasive and it communicates not just via IPC calls but via API calls, too.

Amazon Cognito has been used to handle authentication, authorization and user management. AWS Amplify Console has been used to consume the Authentication APIs provided by the AWS Amplify Authentication module. The Room persistence library has been used to handle data in the local SQLite database. The Glide API has been used to load images. AndroidX libraries and the Java programming language have been used to develop the business logic of the VyAPI Android app.

We know how to attack activities, but what changes when fragments come into the picture? An Android app might have just one activity but multiple fragments, each rendering a different functionality. VyAPI will allow you to experience this behavior of modern-day Android apps.

VyAPI is different not only in terms of its look and feel, but also in terms of the latest technologies being used to build it. The following primary tools and technologies have been used to develop VyAPI:

  1. AWS Amplify CLI
  2. AWS SDK for Android 10
  3. Amazon Cognito
  4. OpenJDK 1.8.0_152-release
  5. Glide v4
  6. Room Persistence Library
  7. Gradle 5.1.1

Modern technologies are eliminating security risks by blocking vulnerable features by default. However, not all vulnerabilities go away that easily, and new technologies bring new security vulnerabilities with them. Security misconfigurations, business logic flaws, and poor coding practices are evergreen vulnerabilities. VyAPI is a vulnerable hybrid Android app that security enthusiasts can use to get hands-on experience with a variety of modern and legacy Android app vulnerabilities.


Riddhi Shree is an Application Security Analyst at Appsecco. She started her career in Information Security one and a half years ago. Prior to this, she had been working as a Quality Analyst and a Scrum Master in different organizations. She is the chapter leader for the null open source security community in Bangalore. She has conducted trainings and workshops at the c0c0n and BSides Delhi security conferences. She has spoken at Offensive Security Conference Bangalore by ISC2, and at c0c0n 12 - Hacking and Cyber Security Briefing. She is an avid learner, and she enjoys experimenting with new ideas. She is the creator of the open-source, cloud-based, vulnerable Android app called VyAPI.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved