This is a curated list of mobile based CTFs, write-ups and vulnerable mobile apps. Most of them are android based due to the popularity of the platform.
Inspired by [android-security-awesome] (https://github.com/ashishb/android-security-awesome), [osx-and-ios-security-awesome] (https://github.com/ashishb/osx-and-ios-security-awesome) and all the other awesome security lists on [@github] (https://github.com/search?utf8=%E2%9C%93&q=awesome+security&type=Repositories&ref=searchresults).
- [Mobile chalenges collection] (https://drive.google.com/folderview?id=0B7rtSe_PH_fTWDQ0RC1DeWVoVUE&usp=sharing)
- [Android crack me challenges] (https://github.com/reoky/android-crackme-challenge)
- [OWASP crack me] (https://github.com/OWASP/owasp-mstg/tree/master/OMTG-Files/02_Crackmes)
- [Android Hacking Event 2016: StrangeCalculator] (https://team-sik.org/wp-content/uploads/sites/14/2016/06/strangecalculator.apk_.zip)
- [Android Hacking Event 2016: ReverseMe] (https://team-sik.org/wp-content/uploads/sites/14/2016/06/ReverseMe.apk_.zip)
- [Android Hacking Event 2016: BunchOfNative] (https://team-sik.org/wp-content/uploads/sites/14/2016/06/aBunchOfNative.apk_.zip)
- [Android Hacking Event 2016: DynChallenge] (https://team-sik.org/wp-content/uploads/sites/14/2016/06/dynChallenge.apk_.zip)
- [PicoCTF-2014: Pickle Jar - 30] (http://shell-storm.org/repo/CTF/PicoCTF-2014/Forensics/Pickle%20Jar%20-%2030/)
- [PicoCTF-2014: Revenge of the Bleichenbacher] (http://shell-storm.org/repo/CTF/PicoCTF-2014/crypto/Revenge%20of%20the%20Bleichenbacher%20-%20170/)
- [Android MIT LL CTF 2013] (https://github.com/huyle333/androidmitllctf2013)
- [InsomniDroid - Description] (http://www.strazzere.com/blog/2012/03/488/), [APK File] (http://www.strazzere.com/crackmes/insomnidroid.apk)
- [Evil Planner Bsides Challenge] (https://labs.mwrinfosecurity.com/blog/2013/03/11/bsides-challenge/)
- [GreHack-2012 - GrehAndroidMe] (http://shell-storm.org/repo/CTF/GreHack-2012/reverse_engineering/100-GrehAndroidMe.apk/)
- [Hackplayers.com Crackmes (in Spanish so an extra challenge): crackme 1 ] (http://www.hackplayers.com/2010/12/reto-android-crackme1.html))
- [Hackplayers.com Crackmes (in Spanish so an extra challenge): crackme 2] (http://www.hackplayers.com/2011/12/reto-14-android-crackme2.html)
- [Hack.Lu's CTF 2011 Reverse Engineering 300] (http://shell-storm.org/repo/CTF/Hacklu-2011/Reversing/Space%20Station%200xB321054A%20(300)/)
- [Androidcracking.blogspot.com's Crackme’s: cracker 0] (http://androidcracking.blogspot.com/2012/01/way-of-android-cracker-0-rewrite.html)
- [Androidcracking.blogspot.com's Crackme’s: cracker 1] (http://androidcracking.blogspot.com/2010/10/way-of-android-cracker-1.html)
- [Insomnia'hack-2K11] (http://shell-storm.org/repo/CTF/Insomnia'hack-2K11/Reverse/validate.apk)
- [CSAW-2011: Reversing101] (http://shell-storm.org/repo/CTF/CSAW-2011/Reversing/Reversing101%20-%20100%20Points/)
- [Defcon-19-quals: Binary_L33tness] (http://shell-storm.org/repo/CTF/Defcon-19-quals/Binary_L33tness/b300/)
- [Crack me's] (https://github.com/as0ler/Android-Examples)
- [SecuInside: CTF2011] (http://big-daddy.fr/repository/CTF2011/SecuInside-CTF/Q7/)
- [EnoWars-CTF2011: broken_droid] (http://big-daddy.fr/repository/CTF2011/EnoWars-CTF/broken_droid/)
- [Anonim1133] (https://github.com/anonim1133/CTF)
- [Challenge4ctf] (https://github.com/CvvT/challenge_for_ctf)
- [Ctfpro] (https://github.com/jhong01/ctfpro)
- [CTFDroid] (https://github.com/rajasaur/CTFDroid)
- [Android CTF] (https://github.com/fathulkirom22/AndroidCTF)
- [Android_ctf] (https://github.com/artwyman/android_ctf)
- [Robot CTF Android] (https://github.com/KappaEtaKappa/Robot-CTF-android)
- [Cl.ctfk] (https://github.com/CTFK/cl.ctfk)
- [Cryptax] (https://github.com/cryptax/challenges)
- [LabyREnth] (http://researchcenter.paloaltonetworks.com/2016/09/unit42-labyrenth-capture-the-flag-ctf-mobile-track-solutions/)
- [0ctf-2016] (https://github.com/ctfs/write-ups-2016/tree/master/0ctf-2016/mobile)
- [Google-ctf-2016] (https://github.com/ctfs/write-ups-2016/tree/39e9a0e2adca3a3d0d39a6ae24fa51196282aae4/google-ctf-2016/mobile)
- [Google-ctf-2016: ill intentions 1] (http://security.claudio.pt/solving-google-ctf-2016-android-challenges/)
- [Google-ctf-2016: ill intentions 2] (https://github.com/d3rezz/Google-Capture-The-Flag-2016)
- [Cyber-security-challenge-belgium-2016-qualifiers] (https://github.com/ctfs/write-ups-2016/tree/c35549398f88d3755dc31a8fe995f15ef876ee18/cyber-security-challenge-belgium-2016-qualifiers/Mobile%20Security)
- [Su-ctf-2016 - android-app-100] (https://github.com/ctfs/write-ups-2016/tree/274307f43140bb4a52e0729ecf1282628fb22f5b/su-ctf-2016/reverse/android-app-100)
- [Hackcon-ctf-2016 - you-cant-see-me-150] (https://github.com/ctfs/write-ups-2016/tree/274307f43140bb4a52e0729ecf1282628fb22f5b/hackcon-ctf-2016/reversing/you-cant-see-me-150)
- [RC3 CTF 2016: My Lil Droid] (http://aukezwaan.nl/write-ups/rc3-ctf-2016-my-lil-droid-100-points/)
- [Rctf-quals-2015] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/rctf-quals-2015/mobile)
- [Insomni-hack-ctf-2015] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/insomni-hack-ctf-2015/mobile)
- [0ctf-2015] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/0ctf-2015/mobile)
- [Cyber-security-challenge-2015] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/cyber-security-challenge-2015/mobile-application-security)
- [Trend-micro-ctf-2015: offensive-200] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/trend-micro-ctf-2015/analysis/offensive-200)
- [codegate-ctf-2015: dodocrackme2] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/codegate-ctf-2015/reversing/dodocrackme2)
- [Seccon-quals-ctf-2015: reverse-engineering-android-apk-1] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/seccon-quals-ctf-2015/binary/reverse-engineering-android-apk-1)
- [Seccon-quals-ctf-2015 - reverse-engineering-android-apk-2] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/seccon-quals-ctf-2015/unknown/reverse-engineering-android-apk-2)
- [Pragyan-ctf-2015] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/pragyan-ctf-2015/android)
- [Volgactf-quals-2015] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/volgactf-quals-2015/web/malware)
- [Opentoall-ctf-2015: android-oh-no] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/opentoall-ctf-2015/misc/android-oh-no)
- [32c3-ctf-2015: libdroid-150] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/32c3-ctf-2015/reversing/libdroid-150)
- [Polictf 2015: crack-me-if-you-can] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/polictf-2015/reversing/crack-me-if-you-can)
- [Icectf-2015: Husavik] (https://github.com/ctfs/write-ups-2015/tree/9b3c290275718ff843c409842d738e6ef3e565fd/icectf-2015/forensics/husavik)
- Qiwi-ctf-2014: not-so-one-time
- Fdfpico-ctf-2014: droid-app-80
- Su-ctf-quals-2014: commercial_application
- [defkthon-ctf 2014: web-300] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/defkthon-ctf/web-300)
- [secuinside-ctf-prequal-2014: wooyatalk] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/secuinside-ctf-prequal-2014/wooyatalk)
- [Qiwi-ctf-2014: easydroid] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/qiwi-ctf-2014/easydroid)
- [Qiwi-ctf-2014: stolen-prototype] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/qiwi-ctf-2014/stolen-prototype)
- [TinyCTF 2014: Ooooooh! What does this button do?] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/tinyctf-2014/ooooooh-what-does-this-button-do)
- [31c3-ctf-2014: Nokia 1337] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/31c3-ctf-2014/pwn/nokia-1337)
- [Asis-ctf-finals-2014: numdroid] (https://github.com/ctfs/write-ups-2014/tree/b02bcbb2737907dd0aa39c5d4df1d1e270958f54/asis-ctf-finals-2014/numdroid)
- [PicoCTF-2014: Droid App] (http://shell-storm.org/repo/CTF/PicoCTF-2014/Forensics/Droid%20App%20-%2080/)
- [NDH2k14-wargames: crackme200-ChunkNorris] (http://shell-storm.org/repo/CTF/NDH2k14-wargames/crackme200-ChunkNorris/)
- [Atast CTF 2012 Bin 300] (http://andromedactf.wordpress.com/2013/01/02/atast-ctf-2012-bin300chall5/)
- [Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’s 1] (http://blog.w3challs.com/index.php?post/2012/07/02/NDH2k12-wargame-CrackMe-Android)
- [Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’s 2] (http://blog.spiderboy.fr/tag/crackme/)
- [OWASP: OMTG-Hacking-Playground] (https://github.com/OWASP/OMTG-Hacking-Playground)
- [Damn insecure and vulnerable App (DIVA)] (http://payatu.com/damn-insecure-and-vulnerable-app/)
- [Damn Vulnerable Hybrid Mobile App (DVHMA)] (https://github.com/logicalhacking/DVHMA)
- [Owasp Goatdroid Project] (https://github.com/jackMannino/OWASP-GoatDroid-Project)
- [ExploitMe labs by SecurityCompass] (http://securitycompass.github.io/AndroidLabs/setup.html)
- [InsecureBankv2] (https://github.com/dineshshetty/Android-InsecureBankv2)
- [Sieve (Vulnerable ‘Password Manager’ app)] (https://github.com/mwrlabs/drozer/releases/download/2.3.4/sieve.apk)
- [sievePWN] (https://github.com/tanprathan/sievePWN)
- [ExploitMe Mobile Android Labs] (http://securitycompass.github.io/AndroidLabs/)
- [Hacme Bank] (http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx)
- [Android Labs] (https://github.com/SecurityCompass/AndroidLabs)
- [Digitalbank] (https://github.com/CyberScions/Digitalbank)
- [Dodo vulnrable bank] (https://github.com/CSPF-Founder/DodoVulnerableBank)
- [Oracle android app] (https://github.com/dan7800/VulnerableAndroidAppOracle)
- [Urdu vulnerable app] (http://urdusecurity.blogspot.co.ke/2014/08/Exploiting-debuggable-android-apps.html)
- [MoshZuk] (http://imthezuk.blogspot.co.ke/2011/07/creating-vulnerable-android-application.html?m=1) [File] (https://dl.dropboxusercontent.com/u/37776965/Work/MoshZuk.apk)
- [Appknox] (https://github.com/appknox/vulnerable-application)
- [Vuln app] (https://github.com/Lance0312/VulnApp)
- [Damn Vulnerable FirefoxOS Application] (https://github.com/arroway/dvfa)
- [ExploitMe Mobile iPhone Labs] (http://securitycompass.github.io/iPhoneLabs/)
- [Owasp: iGoat] (https://github.com/hankbao/owasp-igoat)
- [Damn Vulnerable iOS App (DVIA)] (http://damnvulnerableiosapp.com/)
- [Mobile app pentest cheatsheet] (https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet)
- [Android security awesome] (https://github.com/ashishb/android-security-awesome)
- [iOS security awesome] (https://github.com/ashishb/osx-and-ios-security-awesome)
- [Mobile security wiki] (https://mobilesecuritywiki.com/)
- [Nyxbone] (http://www.nyxbone.com/malware/android_tools.html)
- [Nowhere] (https://n0where.net/best-android-security-resources/)
- [Secmobi] (https://github.com/secmobi/wiki.secmobi.com)
- [Awesome-web-hacking] (https://github.com/infoslack/awesome-web-hacking)
- [Awesome-windows-exploitation] (https://github.com/enddo/awesome-windows-exploitation)
- [Awesome-Hacking] (https://github.com/Hack-with-Github/Awesome-Hacking)
- [Aweasome-Frida] (https://github.com/dweinstein/awesome-frida)
- [Awesome-security] (https://github.com/sbilly/awesome-security)
- [Awesome-wifi-security] (https://github.com/edelahozuah/awesome-wifi-security)
- [Android vulnerabilities overview] (https://github.com/CHEF-KOCH/Android-Vulnerabilities-Overview)
- [OSX-security-awesome] (https://github.com/kai5263499/osx-security-awesome)
- [Infosec_Reference] (https://github.com/rmusser01/Infosec_Reference)
- [PayloadsAllTheThings] (https://github.com/swisskyrepo/PayloadsAllTheThings)
- [OWASP Mobile Security Project] (https://www.owasp.org/index.php/OWASP_Mobile_Security_Project)
- [OWASP Top 10 - 2016] (https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10)
- [OWASP Mobile Application Security Verification Standard (MASVS)] (https://github.com/OWASP/owasp-masvs)
- [OWASP Mobile Security Testing Guide (MSTG)] (https://github.com/OWASP/owasp-mstg)