This is a curated list of mobile-based CTFs, write-ups and vulnerable mobile apps. Most of them are Android-based due to the popularity of the platform.
Inspired by android-security-awesome, osx-and-ios-security-awesome and all the other awesome security lists on @github.
- Mobile challenges collection
- Android crack me challenges
- OWASP crack me
- Rednaga Challenges
- iOS CTF
- Android Hacking Event 2017: AES-Decrypt
- Android Hacking Event 2017: Token-Generator
- Android Hacking Event 2017: Flag-Validator
- Android Hacking Event 2017: You Can Hide – But You Cannot Run
- Android Hacking Event 2017: Why Should I Pay?
- Android Hacking Event 2017: Esoteric
- Android Hacking Event 2016: StrangeCalculator
- Android Hacking Event 2016: ReverseMe
- Android Hacking Event 2016: ABunchOfNative
- Android Hacking Event 2016: DynChallenge
- PicoCTF-2014: Pickle Jar - 30
- PicoCTF-2014: Revenge of the Bleichenbacher
- Android MIT LL CTF 2013
- InsomniDroid - Description, APK File
- Evil Planner Bsides Challenge
- Crack-Mes
- GreHack-2012 - GrehAndroidMe
- Hackplayers.com Crackmes (in Spanish so an extra challenge): crackme 1
- Hackplayers.com Crackmes (in Spanish so an extra challenge): crackme 2
- Hack.Lu's CTF 2011 Reverse Engineering 300
- Androidcracking.blogspot.com's Crackme’s: cracker 0
- Androidcracking.blogspot.com's Crackme’s: cracker 1
- Insomnia'hack-2K11
- CSAW-2011: Reversing101
- Defcon-19-quals: Binary_L33tness
- Crack me's
- SecuInside: CTF2011
- EnoWars-CTF2011: broken_droid
- Anonim1133
- Challenge4ctf
- Ctfpro
- CTFDroid
- Android CTF
- Android_ctf
- Robot CTF Android
- Cl.ctfk
- Cryptax
- BSides San Francisco CTF 2017 : pinlock-150
- BSides San Francisco CTF 2017 : flag-receiver-200
- Insomni'hack Teaser 2017 : mindreader-250
- 2017_labyREnth: mob1_ezdroid
- 2017_labyREnth: mob2_routerlocker
- 2017_labyREnth: mob3_showmewhatyougot
- 2017_labyREnth: mob4_androidpan
- 2017_labyREnth: mob5_iotctf
- LabyREnth
- 2016_labyREnth: mob1_lastchance
- 2016_labyREnth: mob2_cups
- 2016_labyREnth: mob3_watt
- 2016_labyREnth: mob4_swip3r
- 2016_labyREnth: mob5_ioga
- 2016_labyREnth: mob6_ogmob
- Holiday hack challenge: Part 01
- Holiday hack challenge: Part 02
- Holiday hack challenge: Part 04a
- Holiday hack challenge: Part 04b
- Holiday hack challenge: Part 04c
- Holiday hack challenge: Part 04d
- Holiday hack challenge: Part 04e
- Holiday hack challenge: Part 04f
- Holiday hack challenge: Part 5
- 0ctf-2016
- Google-ctf-2016
- Google-ctf-2016: ill intentions 1
- Google-ctf-2016: ill intentions 2
- Cyber-security-challenge-belgium-2016-qualifiers
- Su-ctf-2016 - android-app-100
- Hackcon-ctf-2016 - you-cant-see-me-150
- RC3 CTF 2016: My Lil Droid
- Cyber Security Challenge 2016: Dexter
- Cyber Security Challenge 2016: Phishing is not a crime
- google-ctf-2016 : little-bobby-application-250
- Rctf-quals-2015
- Insomni-hack-ctf-2015
- 0ctf-2015
- Cyber-security-challenge-2015
- Trend-micro-ctf-2015: offensive-200
- codegate-ctf-2015: dodocrackme2
- Seccon-quals-ctf-2015: reverse-engineering-android-apk-1
- Seccon-quals-ctf-2015 - reverse-engineering-android-apk-2
- Pragyan-ctf-2015
- Volgactf-quals-2015
- Opentoall-ctf-2015: android-oh-no
- 32c3-ctf-2015: libdroid-150
- Polictf 2015: crack-me-if-you-can
- Icectf-2015: Husavik
- Qiwi-ctf-2014: not-so-one-time
- Fdfpico-ctf-2014: droid-app-80
- Su-ctf-quals-2014: commercial_application
- defkthon-ctf 2014: web-300
- secuinside-ctf-prequal-2014: wooyatalk
- Qiwi-ctf-2014: easydroid
- Qiwi-ctf-2014: stolen-prototype
- TinyCTF 2014: Ooooooh! What does this button do?
- 31c3-ctf-2014: Nokia 1337
- Asis-ctf-finals-2014: numdroid
- PicoCTF-2014: Droid App
- NDH2k14-wargames: crackme200-ChunkNorris
- Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’s 1
- Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’s 2
- OWASP: OMTG-Hacking-Playground
- Damn insecure and vulnerable App (DIVA)
- Damn Vulnerable Hybrid Mobile App (DVHMA)
- Owasp: Goatdroid Project
- ExploitMe labs by SecurityCompass
- InsecureBankv2
- Sieve (Vulnerable ‘Password Manager’ app)
- sievePWN
- ExploitMe Mobile Android Labs
- Hacme Bank
- Android Labs
- Digitalbank
- Dodo vulnerable bank
- Oracle android app
- Urdu vulnerable app
- MoshZuk File
- Appknox
- Vuln app
- Damn Vulnerable FirefoxOS Application
- Damn Vulnerable NodeJS Application
- OWASP: Juice Shop
- Damn Vulnerable Node Application
- Intentionally Vulnerable node.js application
- Vulnode
- OWASP: NodeGoat
- Vulnerable-node
- OWASP: Broken Web Applications(BWA)
- Damn Vulnerable Web Application (DVWA)
- Damn Vulnerable Web Services(DVWS)
- OWASP Hackademic Challenges
- OWASP: Insecure Web App Project
- OWASP: WebGoat
- Bwapp
- Beebox
- XVWA - Badly coded web application
- Drunk Admin Web Hacking Challenge
- Peruggia
- Mutillidae
- Btslab
- OWASP: Bricks
- The ButterFly Security Project
- WackoPicko
- Vicnum
- GameOver
- LAMPSecurity Training
- Metasploitable
- Metasploitable 2
- Metasploitable 3
- Hackazon
- Twiterlike
- UltimateLAMP
- Mobile app pentest cheatsheet
- Android security awesome
- Android security reference
- Awesome-linux-android-hacking
- iOS security awesome
- awesome-iOS-resource
- Mobile security wiki
- iPhone wiki
- Nyxbone
- Nowhere
- Secmobi
- OSX-iOS-reverse-engineering
- OSX-security-awesome
- Awesome-web-hacking
- Awesome-windows-exploitation
- windows-privesc-check
- Awesome-Hacking
- Awesome-reversing
- Awesome-Frida
- Awesome-security
- Awesome-fuzzing
- Awesome-wifi-security
- Android vulnerabilities overview
- Infosec_Reference
- PayloadsAllTheThings
- Awesome-malware-analysis
- Linux-reverse-engineering-101