Introduction
Drozer is a security testing framework for the Android system and Android applications. It allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
Installing Drozer
Step #1 Installing Drozer on Ubuntu
Go to the latest official release, download the deb package, then install it:
dpkg -i drozer_*.deb
Step #2 Installing Drozer Agent on Android
You can copy the apk package to the device any way you like (I use the AirDroid application), or install it with adb:
adb install drozer-agent-2.x.x.apk
Step #3 Connecting to Drozer
By default the drozer agent listens on port 31415, so we ask adb to forward any connection made to that port on our machine to the same port on the device.
adb forward tcp:31415 tcp:31415
Now we can connect drozer framework to the agent.
drozer console connect
You'll see something similar to this:
Selecting e780a17239ac74d7 (OnePlus A0001 6.0.1)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.4.4)
dz>
Drozer Usage
Command Reference
Command | Description |
---|---|
run | Executes a drozer module |
list | Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run. |
shell | Start an interactive Linux shell on the device, in the context of the Agent process. |
cd | Mounts a particular namespace as the root of the session, to avoid having to repeatedly type the full name of a module. |
clean | Remove temporary files stored by drozer on the Android device. |
contributors | Displays a list of people who have contributed to the drozer framework and modules in use on your system. |
echo | Print text to the console. |
exit | Terminate the drozer session. |
help | Display help about a particular command or module. |
load | Load a file containing drozer commands, and execute them in sequence. |
module | Find and install additional drozer modules from the Internet. |
permissions | Display a list of the permissions granted to the drozer Agent. |
set | Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer. |
unset | Remove a named variable that drozer passes to any Linux shells that it spawns. |
List
dz> list
app.activity.forintent Find activities that can handle the given intent
app.activity.info Gets information about exported activities.
app.activity.start Start an Activity
app.broadcast.info Get information about broadcast receivers
app.broadcast.send Send broadcast using an intent
app.broadcast.sniff Register a broadcast receiver that can sniff particular intents
app.package.attacksurface Get attack surface of package
app.package.backup Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable Find debuggable packages
app.package.info Get information about installed packages
app.package.launchintent Get launch intent of package
app.package.list List Packages
app.package.manifest Get AndroidManifest.xml of package
app.package.native Find Native libraries embedded in the application.
app.package.shareduid Look for packages with shared UIDs
app.provider.columns List columns in content provider
app.provider.delete Delete from a content provider
app.provider.download Download a file from a content provider that supports files
app.provider.finduri Find referenced content URIs in a package
app.provider.info Get information about exported content providers
app.provider.insert Insert into a Content Provider
app.provider.query Query a content provider
app.provider.read Read from a content provider that supports files
app.provider.update Update a record in a content provider
app.service.info Get information about exported services
app.service.send Send a Message to a service, and display the reply
app.service.start Start Service
app.service.stop Stop Service
auxiliary.webcontentresolver Start a web service interface to content providers.
exploit.jdwp.check Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider Reads APN content provider
exploit.pilfer.general.settingsprovider Reads Settings content provider
information.datetime Print Date/Time
information.deviceinfo Get verbose device information
information.permissions Get a list of all permissions used by packages on the device
scanner.activity.browsable Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native Find native components included in packages
scanner.misc.readablefiles Find world-readable files in the given folder
scanner.misc.secretcodes Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles Find world-writable files in the given folder
scanner.provider.finduris Search for content providers that can be queried from our context.
scanner.provider.injection Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal Test content providers for basic directory traversal vulnerabilities.
shell.exec Execute a single Linux command.
shell.send Send an ASH shell to a remote listener.
shell.start Enter into an interactive Linux shell.
tools.file.download Download a File
tools.file.md5sum Get md5 Checksum of file
tools.file.size Get size of file
tools.file.upload Upload a File
tools.setup.busybox Install Busybox.
tools.setup.minimalsu Prepare 'minimal-su' binary installation on the device.
List and Find Installed Packages
dz> run app.package.list
com.skype.raider (Skype)
com.google.android.youtube (YouTube)
com.android.providers.telephony (Phone and Messaging Storage)
net.typeblog.socks (SocksDroid)
com.android.providers.media (Media Storage)
com.google.android.onetimeinitializer (Google One Time Init)
...
org.codeaurora.bluetooth (Bluetooth extensions)
org.cyanogenmod.bugreport (CM Bug Report)
com.boxer.calendar (Calendar)
android (Android System)
com.android.contacts (Contacts)
...
com.android.backupconfirm (com.android.backupconfirm)
org.cyanogenmod.profiles (Profiles Trust Provider)
org.sandroproxy.drony (Drony)
com.cyngn.themestore (Themes)
com.cyngn.gallerynext (Gallery)
...
org.cyanogenmod.screencast (Screencast)
com.google.android.syncadapters.contacts (Google Contacts Sync)
com.android.facelock (Trusted Face)
com.android.insecurebankv2 (InsecureBankv2)
com.cyanogenmod.wallpapers (CM Wallpapers)
com.android.chrome (Chrome)
com.android.dialer (Phone)
..
com.android.bluetoothmidiservice (Bluetooth MIDI Service)
com.android.bluetooth (Bluetooth Share)
com.qualcomm.timeservice (com.qualcomm.timeservice)
com.android.development (Dev Tools)
org.cyanogenmod.weather.provider (Weather Provider)
dz>
dz>
dz> run app.package.list -f bank
com.android.insecurebankv2 (InsecureBankv2)
More Information about a Specific Package
dz> run app.package.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
Application Label: InsecureBankv2
Process Name: com.android.insecurebankv2
Version: 2.0
Data Directory: /data/user/0/com.android.insecurebankv2
APK Path: /data/app/com.android.insecurebankv2-1/base.apk
UID: 10123
GID: [3003]
Shared Libraries: null
Shared User ID: null
Uses Permissions:
- android.permission.INTERNET
- android.permission.WRITE_EXTERNAL_STORAGE
- android.permission.SEND_SMS
- android.permission.USE_CREDENTIALS
- android.permission.GET_ACCOUNTS
- android.permission.READ_PROFILE
- android.permission.READ_CONTACTS
- android.permission.READ_PHONE_STATE
- android.permission.READ_CALL_LOG
- android.permission.ACCESS_NETWORK_STATE
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.READ_EXTERNAL_STORAGE
Defines Permissions:
- None
Inspect the Manifest file of a Specific Application
dz> run app.package.manifest com.android.insecurebankv2
<manifest versionCode="2"
versionName="2.0"
package="com.android.insecurebankv2">
<uses-sdk minSdkVersion="15"
targetSdkVersion="26">
</uses-sdk>
<uses-permission name="android.permission.INTERNET">
</uses-permission>
<uses-permission name="android.permission.WRITE_EXTERNAL_STORAGE">
</uses-permission>
<uses-permission name="android.permission.SEND_SMS">
</uses-permission>
<uses-permission name="android.permission.USE_CREDENTIALS">
</uses-permission>
<uses-permission name="android.permission.GET_ACCOUNTS">
</uses-permission>
<uses-permission name="android.permission.READ_PROFILE">
</uses-permission>
<uses-permission name="android.permission.READ_CONTACTS">
</uses-permission>
<uses-permission name="android.permission.READ_PHONE_STATE">
</uses-permission>
<uses-permission name="android.permission.READ_EXTERNAL_STORAGE"
maxSdkVersion="18">
</uses-permission>
<uses-permission name="android.permission.READ_CALL_LOG">
</uses-permission>
<uses-permission name="android.permission.ACCESS_NETWORK_STATE">
</uses-permission>
<uses-permission name="android.permission.ACCESS_COARSE_LOCATION">
</uses-permission>
<uses-feature glEsVersion="0x20000"
required="true">
</uses-feature>
<application theme="@16974105"
label="@2131558420"
icon="@2131427328"
debuggable="true"
allowBackup="true">
<activity label="@2131558420"
name="com.android.insecurebankv2.LoginActivity">
<intent-filter>
<action name="android.intent.action.MAIN">
</action>
<category name="android.intent.category.LAUNCHER">
</category>
</intent-filter>
</activity>
<activity label="@2131558484"
name="com.android.insecurebankv2.FilePrefActivity"
windowSoftInputMode="0x34">
</activity>
<activity label="@2131558481"
name="com.android.insecurebankv2.DoLogin">
</activity>
<activity label="@2131558488"
name="com.android.insecurebankv2.PostLogin"
exported="true">
</activity>
<activity label="@2131558491"
name="com.android.insecurebankv2.WrongLogin">
</activity>
<activity label="@2131558482"
name="com.android.insecurebankv2.DoTransfer"
exported="true">
</activity>
<activity label="@2131558490"
name="com.android.insecurebankv2.ViewStatement"
exported="true">
</activity>
<provider name="com.android.insecurebankv2.TrackUserContentProvider"
exported="true"
authorities="com.android.insecurebankv2.TrackUserContentProvider">
</provider>
<receiver name="com.android.insecurebankv2.MyBroadCastReceiver"
exported="true">
<intent-filter>
<action name="theBroadcast">
</action>
</intent-filter>
</receiver>
<activity label="@2131558480"
name="com.android.insecurebankv2.ChangePassword"
exported="true">
</activity>
<activity theme="@16973839"
name="com.google.android.gms.ads.AdActivity"
configChanges="0xfb0">
</activity>
<activity theme="@2131624125"
name="com.google.android.gms.ads.purchase.InAppPurchaseActivity">
</activity>
<meta-data name="com.google.android.gms.wallet.api.enabled"
value="true">
</meta-data>
<receiver name="com.google.android.gms.wallet.EnableWalletOptimizationReceiver"
exported="false">
<intent-filter>
<action name="com.google.android.gms.wallet.ENABLE_WALLET_OPTIMIZATION">
</action>
</intent-filter>
</receiver>
<meta-data name="com.google.android.gms.version"
value="@2131230723">
</meta-data>
</application>
</manifest>
Identifying the Attack Surface of a Specific Application
dz> run app.package.attacksurface com.android.insecurebankv2
Attack Surface:
5 activities exported
1 broadcast receivers exported
1 content providers exported
0 services exported
is debuggable
As we can see, there are 5 activities, 1 broadcast receiver and 1 content provider exported, and the app is debuggable. Let's inspect some of them.
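To see where those attack-surface numbers come from, here is an added example (my own code, not part of drozer or of the original post) that applies the platform's export rules to a manifest in the form drozer prints it: an explicit `exported` attribute wins, otherwise a component with an `<intent-filter>` counts as exported on targetSdk below 31, and a provider without the attribute is exported only on targetSdk below 17. The embedded manifest is a constructed, trimmed copy of the InsecureBankv2 manifest shown above; the function also lists exported components that declare no `permission`, which is the list a reviewer would want next to the raw counts.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the manifest drozer printed for
# com.android.insecurebankv2. Attribute names carry no android: prefix,
# exactly as app.package.manifest shows them, so plain XML parsing works.
SAMPLE_MANIFEST = """<manifest versionCode="2" versionName="2.0" package="com.android.insecurebankv2">
  <uses-sdk minSdkVersion="15" targetSdkVersion="26"></uses-sdk>
  <application debuggable="true" allowBackup="true">
    <activity name="com.android.insecurebankv2.LoginActivity">
      <intent-filter>
        <action name="android.intent.action.MAIN"></action>
        <category name="android.intent.category.LAUNCHER"></category>
      </intent-filter>
    </activity>
    <activity name="com.android.insecurebankv2.DoLogin"></activity>
    <activity name="com.android.insecurebankv2.PostLogin" exported="true"></activity>
    <activity name="com.android.insecurebankv2.DoTransfer" exported="true"></activity>
    <activity name="com.android.insecurebankv2.ViewStatement" exported="true"></activity>
    <provider name="com.android.insecurebankv2.TrackUserContentProvider" exported="true"
              authorities="com.android.insecurebankv2.TrackUserContentProvider"></provider>
    <receiver name="com.android.insecurebankv2.MyBroadCastReceiver" exported="true">
      <intent-filter><action name="theBroadcast"></action></intent-filter>
    </receiver>
    <activity name="com.android.insecurebankv2.ChangePassword" exported="true"></activity>
    <receiver name="com.google.android.gms.wallet.EnableWalletOptimizationReceiver" exported="false">
      <intent-filter>
        <action name="com.google.android.gms.wallet.ENABLE_WALLET_OPTIMIZATION"></action>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

COMPONENT_TAGS = ("activity", "receiver", "provider", "service")


def is_exported(component, target_sdk):
    """Apply the platform's export rule to one component element.

    An explicit exported="true"/"false" always wins. Without it, a component
    that declares an <intent-filter> is exported when targetSdk < 31, and a
    content provider without the attribute is exported only when targetSdk < 17.
    """
    explicit = component.get("exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return target_sdk < 17
    has_filter = component.find("intent-filter") is not None
    return has_filter and target_sdk < 31


def attack_surface(manifest_xml):
    """Summarise exported components and risky application flags.

    Returns a dict shaped like drozer's app.package.attacksurface output:
    per-tag counts of exported components, the exported components that
    require no permission, and the debuggable / allowBackup flags.
    """
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(uses_sdk.get("targetSdkVersion", "1")) if uses_sdk is not None else 1
    app = root.find("application")
    summary = {tag: 0 for tag in COMPONENT_TAGS}
    unprotected = []
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk):
            continue
        summary[comp.tag] += 1
        if comp.get("permission") is None:  # exported with no permission gate
            unprotected.append(comp.get("name"))
    summary["debuggable"] = app.get("debuggable", "false").lower() == "true"
    summary["allowBackup"] = app.get("allowBackup", "true").lower() == "true"  # platform default is true
    summary["unprotected"] = unprotected
    return summary


if __name__ == "__main__":
    result = attack_surface(SAMPLE_MANIFEST)
    for tag in COMPONENT_TAGS:
        print(f"{result[tag]} {tag} exported")
    print("is debuggable" if result["debuggable"] else "not debuggable")
    print("exported without a permission:", *result["unprotected"], sep="\n  ")
```

Run against the constructed manifest it reproduces drozer's counts (5 activities, 1 receiver, 1 provider, 0 services, debuggable): LoginActivity is counted even though it never sets `exported`, because its launcher intent-filter makes it exported under the pre-31 rule, while `DoLogin` has neither attribute nor filter and stays private.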
Identify the Application activity
An Android activity is a single application screen together with the actions a user can perform on it. So, let's inspect these screens.
dz> run app.activity.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
com.android.insecurebankv2.LoginActivity
Permission: null
com.android.insecurebankv2.PostLogin
Permission: null
com.android.insecurebankv2.DoTransfer
Permission: null
com.android.insecurebankv2.ViewStatement
Permission: null
com.android.insecurebankv2.ChangePassword
Permission: null
Resources