Project Url: WaTF-Team/WaTF-Bank
Introduction: WaTF Bank - What a Terrible Failure Mobile Banking Application for Android and iOS
More: Author   ReportBugs   


License: MIT

Update iOS Swift!

What-a-Terrible-Failure Mobile Banking Application (WaTF-Bank), written in Java, Swift 4, Objective-C and Python (Flask framework) as a backend server, is designed to simulate a "real-world" web services-enabled mobile banking application that contains over 30 vulnerabilities.

The objective of this project:

  • Application developers, programmers and architects can understand and consider how to create secure software by investigating the vulnerable app (WaTF-Bank) on both Android and iOS platforms.
  • Penetration testers can practice security assessment skill in order to identify and understand the implication of the vulnerable app.
OWASP Mobile Top 10 2016 Vulnerability Name
M1. Improper Platform Usage
  • Excessive App Permissions
  • Unsupported version of OS Installation Allowed
  • Unrestricted Backup File
  • Android Content provider Flaw
  • Android Broadcast receiver Flaw
  • Input Validation on API (SQL Injection, Negative value)
  • Information Exposure through API Response Message
  • Control of Interaction Frequency on API
M2. Insecure Data Storage
  • Insecure Application Local Storage
  • Insecure Keychain Usage
  • Unencrypted Database File
  • Sensitive Information on Application Backgrounding
  • Information Disclosure Through Device Logs
  • Copy/Paste Buffer Caching
  • Keyboard Input Caching
  • Lack of Sensitive Information Masking
M3. Insecure Communication
  • Insecure SSL Verification
M4. Insecure Authentication
  • Client-Side Based Authentication Flaw
  • Account Enumeration
  • Account Lockout Policy
  • Weak Password Policy for Password/PIN
  • Misuse of Biometric Authentication
  • Session Management Flaw
M5. Insufficient Cryptography
  • Hardcoded Encryption Key
  • Weak Cryptographic Algorithm
  • Custom Encryption Protocol
M6. Insecure Authorization
  • Insecure Direct Object Reference
  • Business Logic Flaw
M7 Client Code Quality
  • SQL Injection on Content provider
  • Insecure URL Scheme Handler
M8. Code Tampering
  • Unauthorized Code Modification (Application Patching)
  • Weak Root/Jailbreak Detection
  • Method Swizzling
M9. Reverse Engineering
  • Lack of Code Obfuscation
M10. Extraneous Functionality
  • Application Debuggable
  • Hidden Endpoint Exposure

Backend Server

Required Library

  • flask
  • flask_sqlalchemy
  • flask_script
  • flask_migrate

Easy installation through

pip3 install -r requirements.txt

Starting backend (The database will also be remigrated)


Project Team

  • Boonpoj Thongakaraniroj
  • Parameth Eimsongsak
  • Prathan Phongthiproek
  • Krit Saengkyongam


This project is using the MIT License.

Copyright (c) 2018 WaTF-Team

About Me
GitHub: Trinea
Facebook: Dev Tools