Real vulnerabilities. Real impact. Real testing.

The first open-source benchmark suite featuring 98 realistic vulnerable mobile applications that mirror actual CVE and bug bounty findings - not theoretical textbook examples.

Testing security tools against real-world mobile vulnerabilities

Ostorlab Security Testing Benchmarks provides a comprehensive collection of vulnerable mobile applications based on actual security incidents, CVE reports, and bug bounty findings. Unlike academic exercises, these benchmarks reflect the vulnerabilities that security teams encounter in production environments.

• ✨ 93 Vulnerable Applications - 72 Android and 21 iOS apps with realistic functionality
• 🎯 70+ Vulnerability Classes - From authentication bypasses to complex logic flaws
• 💰 Bug Bounty Inspired - Every vulnerability based on real findings worth actual bounties
• 🔧 Automation Challenges - Includes "impossible to automate" logical bugs
• 📊 Comprehensive Documentation - Detailed exploitation guides and detection strategies

Traditional vulnerable app collections serve educational purposes but fail to represent modern mobile security challenges. After analyzing thousands of bug bounty reports, we identified a critical gap: security teams need benchmarks that reflect actual production vulnerabilities.

The Reality: A security scanner might catch 100% of SQL injections in test apps but miss critical logic flaws that constitute 60% of actual bug bounty payouts. These benchmarks measure what truly matters.

• Git
• Android Studio 4.0+ (for Android apps)
• Xcode 12+ (for iOS apps)
• Java 8+ / Swift 5+

1. Clone the repository

   git clone https://github.com/Ostorlab/benchmarks.git
   cd benchmarks

2. Navigate to your platform of choice

   cd mobile/android  # For Android applications
   # or
   cd mobile/ios      # For iOS applications

3. Choose an application and follow its README

   cd banking-app
   # Each app contains:
   # - Source code
   # - Build instructions
   # - Vulnerability documentation
   # - Exploitation guides

• PIN/Passcode bypass mechanisms
• Two-factor authentication circumvention
• OAuth account takeover (missing PKCE)
• Biometric authentication bypasses
• Session persistence after password changes

• Firebase database takeover scenarios
• Cleartext storage of sensitive data
• Google Advertising ID misuse
• Location data exposure vulnerabilities
• Hardcoded production secrets

• Intent redirection vulnerabilities
• Task hijacking attack vectors
• Broadcast injection scenarios
• WebView JavaScript bridge exploitation
• Path traversal in archive processing

Android-Specific:

• Tapjacking vulnerabilities
• Unprotected critical activities
• Provider SQL injection
• Grant URI permission escalation

iOS-Specific:

• Deeplink CSRF attacks
• WebKit internal file access
• URL link spoofing
• Promotion code brute force
• Unencrypted session exposure

We welcome contributions that enhance the realism and coverage of our benchmarks! Whether you're a developer, security researcher, or tool vendor, there's a way for you to contribute.

1. Fork the repository
2. Create your feature branch (git checkout -b feature/new-vulnerability)
3. Follow our coding standards (see CONTRIBUTING.md)
4. Add tests and documentation
5. Commit your changes (git commit -m 'Add realistic OAuth bypass scenario')
6. Push to the branch (git push origin feature/new-vulnerability)
7. Open a Pull Request

• 🆕 Add new vulnerable applications following real-world patterns
• 🔄 Port vulnerabilities to different platforms
• 📝 Improve documentation with clearer exploitation guides
• 🧪 Share vulnerability patterns from your bug bounty findings
• 🛠️ Enhance detection logic for existing vulnerabilities

See our Contribution Guide for detailed instructions.

Join our growing community of security professionals working toward more realistic security testing:

• 💬 Community: GitHub Repository - Ask questions and share ideas
• 🐛 Issues: Report bugs or request features
• 🐦 Twitter: Follow @OstorlabSec for updates

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Special thanks to:

• The security research community for sharing vulnerability insights
• Bug bounty hunters whose findings inspired these benchmarks
• Contributors who help maintain and expand this project
• Tool vendors who use these benchmarks to improve their products

⚠️ Important: These applications contain intentional security vulnerabilities for testing purposes only. Do not deploy in production environments. Use responsibly in isolated testing environments.

If you use these benchmarks in your research, please cite:

@misc{ostorlab-benchmarks-2025,
  title={Ostorlab Security Testing Benchmarks},
  author={Ostorlab Team},
  year={2025},
  url={https://github.com/Ostorlab/benchmarks}
}

Made with ❤️ and 🔥 by the Ostorlab team

Back to top ↑