- Code Reuse: Leverage existing React components and API integration
- Learning Continuity: Same tech stack as web app (React/JavaScript/Node.js)
- Vulnerability Ecosystem: Rich npm ecosystem for demonstrating supply chain issues
- Cross-Platform: Single codebase for iOS and Android
- Educational Value: Shows how web vulnerabilities translate to mobile
Implementation Ideas:
- Store JWT tokens in AsyncStorage (unencrypted)
- Hardcode API keys in JavaScript bundle
- Use weak biometric authentication bypass
- Store passwords in plain text locally
- No credential rotation or expiration
Code Examples:
```javascript
// Bad: Storing sensitive data in AsyncStorage
AsyncStorage.setItem('jwt_token', token);
AsyncStorage.setItem('user_password', password);

// Bad: Hardcoded credentials
const API_KEY = 'sk-1234567890abcdef';
const SECRET_KEY = 'zero-health-secret';
```
Implementation Ideas:
- Include vulnerable npm packages
- Use outdated React Native version
- Include malicious-looking dependencies
- No dependency scanning or SBOMs
- Use packages with known CVEs
Vulnerable Dependencies to Include:
```jsonc
{
  "lodash": "4.17.20", // Known prototype pollution
  "moment": "2.24.0", // ReDoS vulnerabilities
  "axios": "0.18.0", // Known security issues
  "react-native-keychain": "6.2.0" // Older version
}
```
Implementation Ideas:
- No session timeout
- Weak password requirements (3 chars minimum)
- No account lockout after failed attempts
- Client-side role validation only
- JWT stored in plain text
Code Examples:
```javascript
// Bad: Client-side role checking only
if (user.role === 'admin') {
  showAdminFeatures();
}

// Bad: No session management; login state is a plaintext flag with no expiry
// (AsyncStorage.getItem returns a Promise, so the value must be awaited)
const isLoggedIn = (await AsyncStorage.getItem('isLoggedIn')) === 'true';
```
Implementation Ideas:
- No input sanitization for API calls
- Direct SQL injection via mobile app
- XSS in WebView components
- No file upload restrictions
- Buffer overflow in native modules
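The input handling that the "no input sanitization" plan omits, shown on both sides of the `/api/patients?search=` call from the snippet. This is an added example, not project code; the endpoint path and the `patients` table come from the page, while the allow-list pattern and the column name are constructed choices for a name search.

```javascript
// Client side: accept only a plausible name fragment, then let URLSearchParams
// do the encoding instead of interpolating the raw value into the URL string.
// Constructed allow-list: letters, combining marks, apostrophe, space, dot, hyphen.
const SEARCH_PATTERN = /^[\p{L}\p{M}' .-]{1,64}$/u;

function buildPatientSearchUrl(base, query) {
  if (typeof query !== 'string' || !SEARCH_PATTERN.test(query)) {
    throw new Error('invalid search term');
  }
  const url = new URL('/api/patients', base);
  url.searchParams.set('search', query);
  return url.toString();
}

// Server side: the SQL text is fixed and the user value travels as a bound
// parameter, so it cannot change the statement's structure. Returns the
// (text, values) pair a driver's query() would receive. LIKE metacharacters
// are escaped so a caller cannot widen the match with % or _.
function patientSearchQuery(search) {
  const escaped = search.replace(/[\\%_]/g, (c) => `\\${c}`);
  return {
    text: "SELECT id, name FROM patients WHERE name LIKE $1 ESCAPE '\\' LIMIT 50",
    values: [`%${escaped}%`],
  };
}

module.exports = { buildPatientSearchUrl, patientSearchQuery, SEARCH_PATTERN };
```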
Code Examples:
```jsx
// Bad: No input validation
const searchPatients = (query) => {
  fetch(`/api/patients?search=${query}`); // Direct injection
};

// Bad: Dangerous WebView usage
<WebView source={{ html: userGeneratedContent }} />
```
Implementation Ideas:
- HTTP instead of HTTPS for sensitive data
- Weak TLS configuration
- Certificate pinning bypass
- Man-in-the-middle vulnerabilities
- Sensitive data in URL parameters
Code Examples:
```javascript
// Bad: HTTP for sensitive operations
const API_BASE = 'http://zero-health-api.com';

// Bad: Disable certificate validation
const agent = new https.Agent({
  rejectUnauthorized: false
});
```
Implementation Ideas:
- Excessive permissions requests
- Location tracking without consent
- Contact access for "enhanced features"
- Analytics collection without disclosure
- Medical data shared with third parties
Permissions Example:
```xml
<!-- Excessive permissions -->
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.CAMERA" />
```
Implementation Ideas:
- No code obfuscation
- Debug builds in "production"
- Root/jailbreak detection bypass
- Anti-tampering disabled
- Source maps included in release
React Native Specific:
```javascript
// Bad: Debug code shipped to users. __DEV__ is only false in a release build,
// so a debug build pushed to "production" runs all of this on real devices.
if (__DEV__) {
  console.log('Debug mode - but this runs in production too!');
  // Expose debug features
}
```
Implementation Ideas:
- Default React Native configurations
- Expo development mode in production
- Debug features enabled
- Unnecessary services running
- Weak build configurations
Metro Config Issues:
```javascript
// Bad: Debug features enabled
module.exports = {
  resolver: {
    sourceExts: ['js', 'json', 'ts', 'tsx', 'jsx']
  },
  transformer: {
    minifierConfig: {
      keep_fnames: true, // Keeps function names
      mangle: false // No code mangling
    }
  }
};
```
Implementation Ideas:
- Medical records in AsyncStorage
- SQLite databases unencrypted
- Logs containing sensitive data
- Screenshots with patient data
- Cache containing PII
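A redacting wrapper for the logging calls this section plans to leave unguarded, as an added example rather than project code. Sensitive keys are replaced by name and SSN-shaped strings are masked before anything reaches the device log (readable through `adb logcat` on Android). The key list, pattern and sample values are constructed for the demo.

```javascript
// Constructed deny-list of field names that must never appear in logs.
const SENSITIVE_KEYS = new Set(['ssn', 'password', 'jwt_token', 'medical_history', 'dob']);
// US SSN shape; constructed pattern, extend for other identifiers as needed.
const SSN_PATTERN = /\b\d{3}-\d{2}-\d{4}\b/g;

// Recursively copy a value, masking SSN-like substrings and redacting sensitive keys.
function redact(value, depth = 0) {
  if (depth > 8) return '[depth limit]';
  if (typeof value === 'string') return value.replace(SSN_PATTERN, '***-**-****');
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Drop-in replacement for console.log in the app; returns the cleaned
// arguments so the redaction itself can be unit-tested.
function safeLog(...args) {
  const cleaned = args.map((a) => redact(a));
  console.log(...cleaned);
  return cleaned;
}

module.exports = { redact, safeLog, SENSITIVE_KEYS };
```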
Code Examples:
```javascript
// Bad: Storing sensitive data insecurely
AsyncStorage.setItem('patient_records', JSON.stringify(records));
AsyncStorage.setItem('medical_history', patientData);

// Bad: Logging sensitive information
console.log('Patient SSN:', patient.ssn);
console.log('Medical records:', records);
```
Implementation Ideas:
- Weak encryption algorithms (MD5, SHA1)
- Hardcoded encryption keys
- Custom crypto implementations
- No key management
- Predictable random number generation
Code Examples:
```javascript
// Bad: Weak crypto
import CryptoJS from 'crypto-js';
const encrypted = CryptoJS.DES.encrypt(data, 'fixed-key');

// Bad: Hardcoded keys
const ENCRYPTION_KEY = '1234567890123456';
```
- Patient Portal
  - View medical records
  - Book appointments
  - View lab results
  - Prescription management
  - Secure messaging
- Healthcare Provider Interface
  - Patient management
  - Appointment scheduling
  - Lab result entry
  - Prescription writing
- AI Chatbot
  - Role-based medical assistance
  - Voice input/output
  - Image analysis (fake AI features)

- Biometric Authentication (vulnerable)
- Camera Integration for "document scanning"
- Location Services for "nearby doctors"
- Push Notifications (with sensitive data)
- Offline Data Sync (insecure)
```text
zero-health-mobile/
├── src/
│   ├── components/
│   │   ├── common/
│   │   ├── patient/
│   │   └── provider/
│   ├── screens/
│   │   ├── auth/
│   │   ├── patient/
│   │   └── provider/
│   ├── navigation/
│   ├── services/
│   │   ├── api/
│   │   ├── storage/          # Vulnerable storage implementations
│   │   ├── crypto/           # Weak cryptography
│   │   └── auth/             # Insecure authentication
│   ├── vulnerabilities/      # Educational vulnerability showcase
│   └── utils/
├── android/
├── ios/
├── docs/
│   ├── vulnerabilities.md
│   └── exploitation-guide.md
└── package.json
```
- Set up React Native project
- Basic navigation and UI components
- API integration with existing backend
- Basic authentication flow
- Patient portal features
- Provider interface
- Basic chatbot integration
- File upload/download
- Implement all OWASP Mobile Top 10 vulnerabilities
- Add mobile-specific attack vectors
- Create exploitation documentation
- Add vulnerability showcase screen
- UI/UX improvements
- Comprehensive documentation
- Video tutorials
- Testing and bug fixes
- Professional Appearance: Hide vulnerabilities behind polished UI
- Healthcare Branding: Consistent with web app
- Accessibility: Standard mobile accessibility patterns
- Trust Indicators: Security badges, certifications (fake but convincing)
- Trust dialogs that can be bypassed
- Fake security indicators
- Misleading permission requests
- Hidden debug menus
- Accessible developer options
- Mobile Security Fundamentals
- Platform-Specific Vulnerabilities
- Mobile DevSecOps
- Penetration Testing Mobile Apps
- Secure Mobile Development
- Static analysis with tools like MobSF
- Dynamic analysis with Frida
- Network traffic analysis
- Binary reverse engineering
- Runtime manipulation
```json
{
  "react-native": "0.72.0",
  "react-navigation": "^6.0.0",
  "@react-native-async-storage/async-storage": "^1.19.0",
  "react-native-keychain": "8.1.0",
  "react-native-sqlite-storage": "^6.0.1",
  "react-native-vector-icons": "^10.0.0",
  "axios": "^1.4.0",
  "react-native-paper": "^5.8.0"
}
```
```json
{
  "lodash": "4.17.20",
  "moment": "2.24.0",
  "crypto-js": "^4.1.1",
  "react-native-webview": "^11.0.0"
}
```
- React Native CLI
- Flipper for debugging
- MobSF for security analysis
- Frida for runtime manipulation
- Burp Suite for traffic analysis
- Node.js 16+
- React Native CLI
- Android Studio / Xcode
- Java 11+ / Android SDK
```bash
# Clone and setup
git clone https://github.com/yourusername/zero-health-mobile.git
cd zero-health-mobile
npm install

# iOS
cd ios && pod install && cd ..
npx react-native run-ios

# Android
npx react-native run-android
```
- Installation and setup
- Basic usage and navigation
- Role-based feature overview
- Vulnerability exploitation tutorials
- Mobile penetration testing guide
- Remediation recommendations
- Secure development practices
- Contributing guidelines
- Adding new vulnerabilities
- Testing procedures
- Deployment considerations