
Damn Vulnerable Flutter App (DVFA)

A comprehensive FinTech security lab featuring a purposely vulnerable mobile architecture mapped to the OWASP Mobile Top 10.

Sjoerd Schmieman
2026-03-23

This project involved the conceptualization, architecture, and development of a modern, FinTech-themed mobile application specifically engineered with intentional security vulnerabilities. I developed this platform to serve as an advanced training ground for mobile application security.

The full source code and documentation can be found on GitHub: https://github.com/Schmiemandev/dvfa/

Project Overview

The primary objective was to establish a comprehensive security lab tailored to the unique architecture of cross-platform frameworks. As Flutter's enterprise adoption grows, traditional native mobile security testing methodologies often fall short against Ahead-of-Time (AOT) compiled Dart binaries. The DVFA bridges this critical gap by providing a realistic environment for both static code review and dynamic reverse-engineering, mapped directly to the OWASP Mobile Application Security Verification Standard (MASVS).

Core Challenges

A significant technical challenge was designing realistic, state-driven business logic—such as secure notes, VIP authorization, and encrypted bank statement generation—while seamlessly weaving in critical security flaws that mirror real-world developer oversights. Furthermore, the platform needed to support offline analysis (White-Box) while also providing a safe, containerized environment for intercepting live network traffic (Black-Box).

Engineering the Solution

I spearheaded the full-stack development of the application and its underlying infrastructure, focusing on creating verifiable, exploitable scenarios:

  • OWASP MASVS Architecture: I architected 10 distinct exploitation challenges, ranging from beginner to advanced difficulty. This includes engineering vulnerabilities like Client-Side SQL Injection using unparameterized sqflite queries, and Improper Platform Usage via malicious Deep Link hijacking.
  • AOT Binary Exploitation: I designed cryptographic challenges that force researchers to move beyond the source code. To decrypt financial payloads, users must reverse-engineer the compiled libapp.so native binary to extract hardcoded AES-256 keys and Initialization Vectors from the Dart string pools.
  • Containerized API Infrastructure: To facilitate Insecure Communication (M5) and Man-in-the-Middle (MITM) training, I developed a mock backend API using Python and Flask. This backend is fully containerized via Docker, ensuring a self-contained, reproducible testing environment for traffic interception without exposing external systems.
  • Lifecycle Data Leakage: I intentionally omitted background-state obfuscation, creating a real-world scenario where sensitive financial data is leaked to the operating system's persistent app switcher cache.
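
For the static code review side of the lab, the following added example (not code from the DVFA repository) is a small Python check that flags sqflite raw-SQL calls whose SQL string is built by Dart interpolation or concatenation instead of `?` placeholders. The Dart sample is constructed for illustration, and the check only inspects SQL passed as a literal first argument, so SQL assembled in a variable beforehand is out of its scope.

```python
import re

# sqflite methods whose first argument is a raw SQL string.
RAW_CALL = re.compile(r"\.(rawQuery|rawInsert|rawUpdate|rawDelete|execute)\s*\(")
INTERP = re.compile(r"(?<!\\)\$(\{|[A-Za-z_])")   # unescaped $name or ${expr}
LITERAL = re.compile(r"'(?:\\.|[^'\\])*'" + r'|"(?:\\.|[^"\\])*"')

# Constructed Dart sample (an assumption, not taken from the DVFA source).
SAMPLE = r'''
final a = await db.rawQuery("SELECT * FROM notes WHERE title LIKE '%$term%'");
final b = await db.rawQuery(
    'SELECT * FROM notes WHERE owner = ' + userId);
final c = await db.rawQuery('SELECT * FROM notes WHERE title LIKE ?', ['%$term%']);
'''

def first_argument(src, start):
    """Return the first call argument, honouring quotes and nested brackets."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif depth == 0 and ch in ",)":
            break                           # end of the SQL argument
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        i += 1
    return src[start:i]

def find_unparameterized(src):
    """Return (line, method, reason) for SQL literals mixed with variables."""
    findings = []
    for m in RAW_CALL.finditer(src):
        arg = first_argument(src, m.end())
        literals, rest = LITERAL.findall(arg), LITERAL.sub("", arg)
        if any(INTERP.search(s) for s in literals):
            reason = "interpolation"
        elif literals and "+" in rest and re.search(r"[A-Za-z_]", rest):
            reason = "concatenation"
        else:
            continue                        # placeholders only: bound safely
        findings.append((src.count("\n", 0, m.start()) + 1, m.group(1), reason))
    return findings
```

Call `c` in the sample is not reported: its interpolated value sits in the argument list, so SQLite binds it as data rather than parsing it as SQL.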

Operational Impact

The DVFA acts as a highly effective, end-to-end mobile hacking lab that moves beyond theoretical vulnerabilities. It provides the cybersecurity community with a tangible platform to practice dynamic instrumentation, proxy configuration, and binary analysis within a modern framework. For development teams, the accompanying technical documentation and remediation guides serve as a direct blueprint for writing resilient, enterprise-grade Flutter applications.
