Introduction

Drozer is a security testing for android system and android applications. It allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.

Installing Drozer

Step #1 Installing Drozer on Ubuntu

Do to the latest official release  and download the deb package then install it

dpkg -i drozer_*.deb

Step #2 Installing Drozer Agent on Android

You can copy the apk package the way you want, I use AirDroid application or using adb way

adb install drozer-agent-2.x.x.apk

Step #3 Connecting to Drozer

As we know, by default drozer agent listens on port 31415 so we need to ask adb to bind forward any communications come to  our machine on that port to be forwarded to our device on the same port.

adb forward tcp:31415 tcp:31415

Now we can connect drozer framework to the agent.

drozer console connect

You'll see somthing similar to this

Selecting e780a17239ac74d7 (OnePlus A0001 6.0.1)

            ..                    ..:.
           ..o..                  .r..
            ..a..  . ....... .  ..nd
              ro..idsnemesisand..pr
              .otectorandroidsneme.
           .,sisandprotectorandroids+.
         ..nemesisandprotectorandroidsn:.
        .emesisandprotectorandroidsnemes..
      ..isandp,..,rotectorandro,..,idsnem.
      .isisandp..rotectorandroid..snemisis.
      ,andprotectorandroidsnemisisandprotec.
     .torandroidsnemesisandprotectorandroid.
     .snemisisandprotectorandroidsnemesisan:
     .dprotectorandroidsnemesisandprotector.

drozer Console (v2.4.4)
dz>

Drozer Usage

Command Reference

Command Description
run Executes a drozer module
list Show a list of all drozer modules that can be executed in the current session. This hides modules that you do not have suitable permissions to run.
shell Start an interactive Linux shell on the device, in the context of the Agent process.
cd Mounts a particular namespace as the root of session, to avoid having to repeatedly type the full name of a module.
clean Remove temporary files stored by drozer on the Android device.
contributors Displays a list of people who have contributed to the drozer framework and modules in use on your system.
echo Print text to the console.
exit Terminate the drozer session.
help Display help about a particular command or module.
load Load a file containing drozer commands, and execute them in sequence.
module Find and install additional drozer modules from the Internet.
permissions Display a list of the permissions granted to the drozer Agent.
set Store a value in a variable that will be passed as an environment variable to any Linux shells spawned by drozer.
unset Remove a named variable that drozer passes to any Linux shells that it spawns.

List

dz> list 
app.activity.forintent                   Find activities that can handle the given intent
app.activity.info                        Gets information about exported activities.
app.activity.start                       Start an Activity
app.broadcast.info                       Get information about broadcast receivers
app.broadcast.send                       Send broadcast using an intent
app.broadcast.sniff                      Register a broadcast receiver that can sniff particular intents
app.package.attacksurface                Get attack surface of package
app.package.backup                       Lists packages that use the backup API (returns true on FLAG_ALLOW_BACKUP)
app.package.debuggable                   Find debuggable packages
app.package.info                         Get information about installed packages
app.package.launchintent                 Get launch intent of package
app.package.list                         List Packages
app.package.manifest                     Get AndroidManifest.xml of package
app.package.native                       Find Native libraries embedded in the application.
app.package.shareduid                    Look for packages with shared UIDs
app.provider.columns                     List columns in content provider
app.provider.delete                      Delete from a content provider
app.provider.download                    Download a file from a content provider that supports files
app.provider.finduri                     Find referenced content URIs in a package
app.provider.info                        Get information about exported content providers
app.provider.insert                      Insert into a Content Provider
app.provider.query                       Query a content provider
app.provider.read                        Read from a content provider that supports files
app.provider.update                      Update a record in a content provider
app.service.info                         Get information about exported services
app.service.send                         Send a Message to a service, and display the reply
app.service.start                        Start Service
app.service.stop                         Stop Service
auxiliary.webcontentresolver             Start a web service interface to content providers.
exploit.jdwp.check                       Open @jdwp-control and see which apps connect
exploit.pilfer.general.apnprovider       Reads APN content provider
exploit.pilfer.general.settingsprovider  Reads Settings content provider
information.datetime                     Print Date/Time
information.deviceinfo                   Get verbose device information
information.permissions                  Get a list of all permissions used by packages on the device
scanner.activity.browsable               Get all BROWSABLE activities that can be invoked from the web browser
scanner.misc.native                      Find native components included in packages
scanner.misc.readablefiles               Find world-readable files in the given folder
scanner.misc.secretcodes                 Search for secret codes that can be used from the dialer
scanner.misc.sflagbinaries               Find suid/sgid binaries in the given folder (default is /system).
scanner.misc.writablefiles               Find world-writable files in the given folder
scanner.provider.finduris                Search for content providers that can be queried from our context.
scanner.provider.injection               Test content providers for SQL injection vulnerabilities.
scanner.provider.sqltables               Find tables accessible through SQL injection vulnerabilities.
scanner.provider.traversal               Test content providers for basic directory traversal vulnerabilities.
shell.exec                               Execute a single Linux command.
shell.send                               Send an ASH shell to a remote listener.
shell.start                              Enter into an interactive Linux shell.
tools.file.download                      Download a File
tools.file.md5sum                        Get md5 Checksum of file
tools.file.size                          Get size of file
tools.file.upload                        Upload a File
tools.setup.busybox                      Install Busybox.
tools.setup.minimalsu                    Prepare 'minimal-su' binary installation on the device.

List and Find Installed Packages

dz> run app.package.list 
com.skype.raider (Skype)
com.google.android.youtube (YouTube)
com.android.providers.telephony (Phone and Messaging Storage)
net.typeblog.socks (SocksDroid)
com.android.providers.media (Media Storage)
com.google.android.onetimeinitializer (Google One Time Init)
...
org.codeaurora.bluetooth (Bluetooth extensions)
org.cyanogenmod.bugreport (CM Bug Report)
com.boxer.calendar (Calendar)
android (Android System)
com.android.contacts (Contacts)
...
com.android.backupconfirm (com.android.backupconfirm)
org.cyanogenmod.profiles (Profiles Trust Provider)
org.sandroproxy.drony (Drony)
com.cyngn.themestore (Themes)
com.cyngn.gallerynext (Gallery)
...
org.cyanogenmod.screencast (Screencast)
com.google.android.syncadapters.contacts (Google Contacts Sync)
com.android.facelock (Trusted Face)
com.android.insecurebankv2 (InsecureBankv2)
com.cyanogenmod.wallpapers (CM Wallpapers)
com.android.chrome (Chrome)
com.android.dialer (Phone)
..
com.android.bluetoothmidiservice (Bluetooth MIDI Service)
com.android.bluetooth (Bluetooth Share)
com.qualcomm.timeservice (com.qualcomm.timeservice)
com.android.development (Dev Tools)
org.cyanogenmod.weather.provider (Weather Provider)
dz>
dz>
dz> run app.package.list -f bank
com.android.insecurebankv2 (InsecureBankv2)

More Information about a Spcefic Package

dz> run app.package.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
  Application Label: InsecureBankv2
  Process Name: com.android.insecurebankv2
  Version: 2.0
  Data Directory: /data/user/0/com.android.insecurebankv2
  APK Path: /data/app/com.android.insecurebankv2-1/base.apk
  UID: 10123
  GID: [3003]
  Shared Libraries: null
  Shared User ID: null
  Uses Permissions:
  - android.permission.INTERNET
  - android.permission.WRITE_EXTERNAL_STORAGE
  - android.permission.SEND_SMS
  - android.permission.USE_CREDENTIALS
  - android.permission.GET_ACCOUNTS
  - android.permission.READ_PROFILE
  - android.permission.READ_CONTACTS
  - android.permission.READ_PHONE_STATE
  - android.permission.READ_CALL_LOG
  - android.permission.ACCESS_NETWORK_STATE
  - android.permission.ACCESS_COARSE_LOCATION
  - android.permission.READ_EXTERNAL_STORAGE
  Defines Permissions:
  - None

Inspect the Manifest file of a Spcefic Application

dz> run app.package.manifest com.android.insecurebankv2
<manifest versionCode="2"
          versionName="2.0"
          package="com.android.insecurebankv2">
  <uses-sdk minSdkVersion="15"
            targetSdkVersion="26">
  </uses-sdk>
  <uses-permission name="android.permission.INTERNET">
  </uses-permission>
  <uses-permission name="android.permission.WRITE_EXTERNAL_STORAGE">
  </uses-permission>
  <uses-permission name="android.permission.SEND_SMS">
  </uses-permission>
  <uses-permission name="android.permission.USE_CREDENTIALS">
  </uses-permission>
  <uses-permission name="android.permission.GET_ACCOUNTS">
  </uses-permission>
  <uses-permission name="android.permission.READ_PROFILE">
  </uses-permission>
  <uses-permission name="android.permission.READ_CONTACTS">
  </uses-permission>
  <uses-permission name="android.permission.READ_PHONE_STATE">
  </uses-permission>
  <uses-permission name="android.permission.READ_EXTERNAL_STORAGE"
                   maxSdkVersion="18">
  </uses-permission>
  <uses-permission name="android.permission.READ_CALL_LOG">
  </uses-permission>
  <uses-permission name="android.permission.ACCESS_NETWORK_STATE">
  </uses-permission>
  <uses-permission name="android.permission.ACCESS_COARSE_LOCATION">
  </uses-permission>
  <uses-feature glEsVersion="0x20000"
                required="true">
  </uses-feature>
  <application theme="@16974105"
               label="@2131558420"
               icon="@2131427328"
               debuggable="true"
               allowBackup="true">
    <activity label="@2131558420"
              name="com.android.insecurebankv2.LoginActivity">
      <intent-filter>
        <action name="android.intent.action.MAIN">
        </action>
        <category name="android.intent.category.LAUNCHER">
        </category>
      </intent-filter>
    </activity>
    <activity label="@2131558484"
              name="com.android.insecurebankv2.FilePrefActivity"
              windowSoftInputMode="0x34">
    </activity>
    <activity label="@2131558481"
              name="com.android.insecurebankv2.DoLogin">
    </activity>
    <activity label="@2131558488"
              name="com.android.insecurebankv2.PostLogin"
              exported="true">
    </activity>
    <activity label="@2131558491"
              name="com.android.insecurebankv2.WrongLogin">
    </activity>
    <activity label="@2131558482"
              name="com.android.insecurebankv2.DoTransfer"
              exported="true">
    </activity>
    <activity label="@2131558490"
              name="com.android.insecurebankv2.ViewStatement"
              exported="true">
    </activity>
    <provider name="com.android.insecurebankv2.TrackUserContentProvider"
              exported="true"
              authorities="com.android.insecurebankv2.TrackUserContentProvider">
    </provider>
    <receiver name="com.android.insecurebankv2.MyBroadCastReceiver"
              exported="true">
      <intent-filter>
        <action name="theBroadcast">
        </action>
      </intent-filter>
    </receiver>
    <activity label="@2131558480"
              name="com.android.insecurebankv2.ChangePassword"
              exported="true">
    </activity>
    <activity theme="@16973839"
              name="com.google.android.gms.ads.AdActivity"
              configChanges="0xfb0">
    </activity>
    <activity theme="@2131624125"
              name="com.google.android.gms.ads.purchase.InAppPurchaseActivity">
    </activity>
    <meta-data name="com.google.android.gms.wallet.api.enabled"
               value="true">
    </meta-data>
    <receiver name="com.google.android.gms.wallet.EnableWalletOptimizationReceiver"
              exported="false">
      <intent-filter>
        <action name="com.google.android.gms.wallet.ENABLE_WALLET_OPTIMIZATION">
        </action>
      </intent-filter>
    </receiver>
    <meta-data name="com.google.android.gms.version"
               value="@2131230723">
    </meta-data>
  </application>
</manifest>

Identifying the Attack Surface of a Spcefic Application

dz> run app.package.attacksurface com.android.insecurebankv2
Attack Surface:
  5 activities exported
  1 broadcast receivers exported
  1 content providers exported
  0 services exported
    is debuggable

As we can see, there are 5 activities and 1 content providers explorted. Let's inspect some of them.

Identify the Application activity

As we know, Android's activity component is application screen(s) and the action(s) that applied on that screen(s) when we use the application. So, let's inspect these screens.

dz> run app.activity.info -a com.android.insecurebankv2
Package: com.android.insecurebankv2
  com.android.insecurebankv2.LoginActivity
    Permission: null
  com.android.insecurebankv2.PostLogin
    Permission: null
  com.android.insecurebankv2.DoTransfer
    Permission: null
  com.android.insecurebankv2.ViewStatement
    Permission: null
  com.android.insecurebankv2.ChangePassword
    Permission: null

Resources