Introduction to Drozer 2023
In this article we will learn about Introduction to Drozer
What is Introduction to Drozer?
We have seen various Android app vulnerabilities in previous articles. Before I dive into other Android app vulnerabilities in this series of articles, I’d like to introduce an amazing tool called Drozer.
Drozer is an Android security evaluation framework developed by MWR Labs. It is one of the best Android security assessment tools available for Android security assessment.
According to their official documentation, “Drozer allows you to assume the role of an Android application and communicate with other applications through the inter-Process Communication (IPC) mechanism of Android and the underlying operating system.”
When working with most automated security assessment tools in the web world, we have to provide details about the target application, go get a cup of coffee, and come back for a report. Unlike conventional automatic scanners, Drozer is interactive in nature. To perform a security assessment with Drozer, a user must run console commands on their workstation. Drozer sends them to an agent sitting on the device to perform the appropriate task.
Preparation with a laboratory setting
Assumptions:
- A workstation (Ubuntu in my case) with the following:
JRE or JDK
Android SDK
- Android device or emulator running Android 2.1 or later.
First, download a copy of Drozer installer and Agent.apk from the following link.
https://www.mwrfosecurity.com/products/drozer/community-edition/
In fact, MWR Labs has provided an awesome user guide that can be downloaded from the same link. However, this article provides a brief introduction to setting up and basic usage of Drozer so that we can build on it in future articles where we discuss more sophisticated vulnerabilities.
This article assumes that the reader is working on a similar environment to me.
If you are working with a different setup, please download the appropriate version of Drozer.
Once downloaded, install all required dependencies before installing Drozer itself.
If you are using the Windows version of Drozer, installation is straightforward and similar to installing any other software.
To check if the installation is successful, open a new terminal and run the “drozer” command as shown below.
Now, install the agent.apk file we have downloaded earlier onto your emulator.
It can be done using “adb” as shown below.
[plain]
adb install agent.apk
[/plain]
To start working with Drozer for your evaluation, we need to connect the Drozer console we have on the workstation and the agent sitting on the emulator. To do this, start the agent on your emulator and run the following port forwarding command. Make sure you are using the embedded server when running the agent.
[plain]adb forward tcp:31415 tcp:31415[/plain]
Now, we can simply run the following command to connect to the agent from the workstation.
$ drozer console connect
We should now be presented with the Drozer terminal as shown below.
Performing android security assessments with Drozer
We’re trying to do a security assessment of one of the apps we’ve already discussed. This shows the power of Drozer.
If you went through my first article in this series, we saw how to exploit vulnerable activities that are exported.
Install the app on your real device or emulator. In my case, I’m using an emulator for this demo.
Install testapp.apk
As we know from the first article, testapp.apk has exported activity. Fill out the form below to download the file if you don’t already have it.
Let’s start using Drozer to perform a security assessment of this application.
Before we begin, let’s look at some useful commands available in Drozer.
List of all modules
[plain]
dz> list
[/plain]
– shows the list of all Drozer modules that can be executed in the current session.
The above figure shows the list of modules that can be used (the output is truncated).
Retrieving package information
To list out all the packages installed on the emulator, run the following command:
[plain]
dz> run app.package.list
[/plain]
(Output is truncated)
As we can see in the above figure, I have highlighted two apps, which we used earlier in this series.
Now, to figure out the package name of a specific app, we can specify the flag “-f” with the string we are looking for.
[plain]
dz> run app.package.list –f (string to be searched)
[/plain]
As we can see in the above figure, we got our target app listed below.
[plain]
com.isi.testapp
[/plain]
To see some basic information about the package, we can run the following command.
[plain]
dz> run app.package.info –a (package name)
[/plain]
<span>In our case,</span>
[plain]dz> run app.package.info –a com.isi.testapp[/plain]
We can see a lot of information about the app. The above output shows where the app data is resided, APK path, if it has any shared User ID etc.
Identifying the attack surface
This section is one of the interesting sections when working with Drozer. We can identify the attack surface of our target application with a single command. It gives the details such as exported applications components, if the app is debuggable, etc.
Let’s go ahead and find out the attack surface of testapp.apk. The following command is the typical syntax for finding attack surface of a specific package.
[plain]
dz> run app.package.attacksurface (package name)
[/plain]
In our case for testapp.apk,
[plain]dz> run app.package.attacksurface com.isi.testapp[/plain]
As we can see in the image above, the testapp application has two activities that are exported. Now our task is to find the name of the exported activities and see if they are sensitive in nature. If they are sensitive, we can further exploit them using existing Drozer modules. This application is also debuggable, which means we can attach a debugger to the process and step through each individual instruction and even run arbitrary code in the context of the application process. We’ve already covered two in-depth articles on how to use tunable apps. You can go through them if you want to know more about it.
Identifying and Exploiting Android Application Vulnerabilities with Drozer
Now let’s work on the results we obtained in the previous section where we tried to identify the attack surface of our target applications.
Attacks on exported activities
This section focuses on a deeper examination of the testapp.apk file to identify and exploit its vulnerabilities.
From the previous section, we already knew that this application has an exported activity. To identify the names of existing activities in the current package, let’s go ahead and run the following command.
[simple]
dz> run app.activity.info -a (package name)
[/simple]
In our case,
[plain]dz> run app.activity.info -a com.isi.testapp[/plain]
In the above figure, we can see the list of activities exported in the target application.
com.isi.testapp.MainActivity is obviously the home screen which is supposed to be exported in order to be launched. com.isi.testapp.Welcome looks like the name of the activity which is behind the login screen. So, let’s try to launch it using Drozer.
[plain]
dz> run app.activity.start –component (package name) (component name)
[/plain]
In our case it is,
Related Article:Ethical Hacking Interview Questions 2023
[plain]dz> run app.activity.start –component com.isi.testapp com.isi.testapp.Welcome[/plain]
The above command formulates an appropriate intent in the background in order to launch the activity. This is the same as launching activities using activity manager tool, which we discussed in the previous module. The following figure shows the screen launched by Drozer.
It is clear that we have bypassed the authentication in order to login to the app.
What is the problem here?
As we discussed in the first article of this series, the activity component’s “android:exported” value is set to “true” in the AndroidManifest.xml file.
Conclusion
This article is to give readers a brief introduction to Android application penetration testing with Drozer. In the upcoming articles, we will see even more sophisticated vulnerabilities and their exploitation. We will also see how to write Drozer extensions later in this series.
