DroidGround: Elevate your Android CTF Challenges

thelicato
5 min read · Jun 5, 2025

Ever felt that Android CTF challenges are too focused on reverse engineering, leaving out the thrill of real-world exploitation? I did too. That’s why I developed DroidGround, a platform designed to bring realism and depth to Android Capture The Flag (CTF) challenges.

What is DroidGround?

DroidGround is a modular playground for Android CTF challenges. It allows you to host realistic Android hacking scenarios, enabling challenges that go beyond traditional reverse engineering.

Traditional Android CTFs often limit players to static analysis and reverse engineering tasks. While valuable, they don’t fully capture the dynamic nature of real-world Android exploitation. I wanted to create a platform where challenges could involve:

  • Remote Code Execution (RCE)
  • Privilege escalation
  • Data exfiltration
  • And more

DroidGround makes it possible to design such challenges, providing a more comprehensive and engaging experience.

It is a custom-built platform, where attackers are constrained just enough to require solving challenges in the intended way.

Here are some screenshots of the application (just to keep your attention):

[Screenshots: Overview; Start Activity; Frida (in jailed mode); Frida (in full mode)]

Key Concepts & Features

DroidGround is a platform that provides:

  • Modular Architecture: Easily enable or disable components and features to tailor challenges.
  • User-Friendly Interface: Manage and deploy challenges with ease.

As of now the following features are available:

  • Real-Time Device Screen (via scrcpy)
  • Reset Challenge State
  • Restart App (toggleable)
  • Start Activity (toggleable)
  • Start Service (toggleable)
  • Send Broadcast Intent (toggleable)
  • Shutdown / Reboot Device (toggleable)
  • Download Bugreport (bugreportz) (toggleable)
  • Frida Scripting (toggleable, in either “jailed” or “full” mode)
  • File Browser (toggleable)
  • Terminal Access (toggleable)
  • APK Management (and start Exploit App) (toggleable)
  • Logcat Viewer (toggleable)

Importantly, participants may be jailed inside the app environment. The tool’s modularity lets the host decide whether the user can spawn a shell, read arbitrary files, or sideload tools. Everything can be set up so that the only way to retrieve the flag is through understanding and exploiting the app itself.

Some of those features are shown in the previous screenshots, the others in the upcoming ones!

[Screenshots: App Manager; File Browser; Terminal; Logcat]

Example Challenge: Hidden Activity

To demonstrate DroidGround’s capabilities, I’ve included an example challenge: Hidden Activity. This challenge involves uncovering a hidden activity within an Android application and exploiting it to retrieve a flag.

If you carefully read the list of currently available features, you may have realised that this challenge could be solved with either the Start Activity feature or the Exploit App.

So, is this redundant? It is not.

Enabling the App Manager/Exploit App feature allows for a broader range of things that the player could do; therefore it is up to the CTF organiser/host to carefully set up the instance based on the actual CTF.

Let’s address the elephant in the room: Deploy and real-world usage

So… you’ve built the perfect Android challenge. You’ve wrapped it in DroidGround. You’re ready to unleash it on a crowd of eager CTF players.

Now what?

Here’s the honest truth: scaling DroidGround for real-world, multi-player CTF environments isn’t trivial... yet.

Currently, the most practical approach is to spin up separate instances, one for each team. It’s a bit manual, but it works. You isolate challenges, avoid interference, and give everyone their own sandbox.

That said, I fully recognize this setup isn’t ideal, especially for larger competitions. That’s why I’m exploring more scalable solutions for the future. For now though, if you plan on using DroidGround in a CTF, expect to do a bit of orchestration. Hopefully, with community feedback and contributions, we can build a more automated deployment pipeline down the road.

The thing is that, as usual, you start building something for yourself (with your own needs and requirements) and you realise, later on, that it could be something useful for everybody. That’s the beauty of open source!

Things for Nerds: the Companion app

If you’re curious about the inner workings of DroidGround, here’s your backstage pass.

At the heart of DroidGround’s App Manager features lies the Companion App, a dexed Java binary that runs outside the standard app sandbox using Android’s app_process. Inspired by tools like scrcpy and aya, it enables low-level access to system internals via a UNIX socket (localabstract:droidground) and communicates through protobuf.

This tool exposes methods such as:

  • getVersion: returns the app version.
  • getPackageInfos: gathers structured metadata on installed apps.
  • getAttackSurfaces: enumerates exported components (activities, receivers, services, providers) of selected packages.

This functionality allows DroidGround to dynamically enumerate and assess attack surfaces in a controlled and scriptable way.

This component wouldn’t exist if it wasn’t for aya and scrcpy. Kudos to them.

Contribute and Collaborate

DroidGround is an open-source project, and contributions are welcome! Whether you’re interested in adding new features, creating challenges, or improving documentation, your input is valuable.

The server section relies heavily on the amazing work done by @yume-chan; this app probably wouldn’t exist if it wasn’t for his amazing work.

Visit the GitHub repository to get started… and hit the Star button if you like it!
