Android Pentesting Using Drozer – 1


Introduction:

Drozer is an Android security assessment framework, originally written by MWR InfoSecurity and now maintained by F-Secure Labs (WithSecure), used in penetration tests to probe an application's exported components for weaknesses. It has two parts: a console that runs on the tester's machine and an agent that is installed on the device as an ordinary Android app. The agent executes the console's commands inside the Android runtime (Dalvik/ART), so drozer interacts with the target app exactly as a malicious app installed on the same device would, without root.

Benefits of using Drozer:

  • Dynamic analysis of installed apps from the position of an unprivileged app on the device
  • Run-time interaction with exported activities, services, content providers and broadcast receivers
  • Information gathering about the device and its installed packages
  • Enumeration of packages and their attack surface

Drozer Installation Steps:

1. Install Docker and run the Drozer Docker image (the console can also be installed directly from the project's GitHub releases):

cmd: docker run -it fsecurelabs/drozer

2. Install the Drozer Agent APK on the device or emulator and start its embedded server; by default the agent listens on TCP port 31415.

3. Connect the console to the agent. For a USB-attached device, forward the agent's port through adb (adb forward tcp:31415 tcp:31415) and run drozer console connect with no --server option. If the agent is reachable over the network, and the container can reach that network, connect to the device's IP address instead:

cmd: drozer console connect --server 192.168.31.154

Drozer Usage:

The examples below use Sieve, package name com.mwr.example.sieve, the deliberately vulnerable password manager that ships with the Drozer user guide, so every finding shown here is expected.

1. The app.package.list module is used to retrieve the list of installed packages on the device.

cmd: run app.package.list

2. The app.package.info module retrieves the details of one package on the device (version, data directory, UID, GID, shared libraries and requested permissions); -a takes the package name, here com.mwr.example.sieve.

cmd: run app.package.info -a com.mwr.example.sieve

3. The app.package.manifest module is used to retrieve the Android manifest file and to show it on the terminal.

cmd: run app.package.manifest com.mwr.example.sieve

4. The app.package.attacksurface module summarises the package's attack surface: the number of exported activities, broadcast receivers, content providers and services, and whether the app is debuggable. Exported does not mean vulnerable; it marks what another app on the device is allowed to reach, which is where testing starts.

cmd: run app.package.attacksurface com.mwr.example.sieve

5. Drozer has one module per component type for listing a package's exported activities, services, content providers and broadcast receivers, together with the permission protecting each one. A component is exported when its manifest entry has android:exported="true" or, for apps targeting Android 11 or earlier, when it declares an intent filter without setting android:exported at all.

cmd: run app.activity.info -a com.mwr.example.sieve

Three exported activities are listed with "Permission: null", so any app on the device can start them; these are the first candidates to examine.

cmd: run app.service.info -a com.mwr.example.sieve

Two exported services are listed with no permission, so any app can start or bind to them.

cmd: run app.provider.info -a com.mwr.example.sieve

Two content providers are exported with neither a read nor a write permission at the authority level (check the path permissions as well, since individual paths can still be protected). Unprotected providers are the usual place to look for SQL injection, in the projection or selection of a query, and for path traversal in providers that serve files.

cmd: run app.broadcast.info -a com.mwr.example.sieve

Sieve exports no broadcast receivers, so this module prints 'no matching receivers'.

6. Of the three exported activities in com.mwr.example.sieve, one can be started directly, which bypasses the login screen as shown below.

Before the exploitation:

The login screen is bypassed by invoking the target activity directly: from drozer with the app.activity.start module, whose --component option takes the package name and the activity class, or from a shell with adb's activity manager (am start). Because the activity is exported and unprotected, any app, or the adb shell, can start it with an intent, so the login activity that normally precedes it is simply skipped.

After exploitation:

The same method applies to the other exported activities.
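The whole procedure, steps 1 to 6, as one script, added here as an example; it is not code from the article or from the drozer project. It assumes the drozer console is on PATH and the agent is reachable (through adb forward, or by setting DROZER_SERVER), uses drozer's -c option to run a single console command (check drozer console connect --help on your version), and filters drozer's listings down to the components any app can reach, which is the triage the article does by eye. The sample listings in it are constructed in drozer's output format; the Sieve component names come from the Drozer user guide, not from this page, and AdminActivity is made up to show a protected entry being dropped.

```shell
#!/usr/bin/env bash
# Added example (not from the article or the drozer project): runs the
# enumeration steps non-interactively, keeps only components no permission
# protects, and starts an exported activity the way step 6 does.
# Assumptions: `drozer` is on PATH; the agent is reachable through
# `adb forward tcp:31415 tcp:31415` or DROZER_SERVER=<host[:port]>;
# `-c` runs one console command (see `drozer console connect --help`).
set -u

PKG="${PKG:-com.mwr.example.sieve}"

# Run one drozer console command against the agent and print its output.
drozer_run() {
    if [ -n "${DROZER_SERVER:-}" ]; then
        drozer console connect --server "$DROZER_SERVER" -c "$1"
    else
        drozer console connect -c "$1"
    fi
}

# Read app.{activity,service,broadcast,provider}.info output on stdin and print
# only components that no permission protects. In drozer's listing a component
# name is indented two spaces and its attributes four; a provider appears as
# "Authority:" with separate read and write permissions and counts only when
# both are null (per-path permissions are indented deeper and left alone).
unprotected_components() {
    awk '
        /^  Authority: /          { auth = $2; rp = ""; wp = ""; next }
        /^  [^ ]/                 { comp = $1; next }
        /^    Permission: null/   { if (comp != "") print comp; comp = "" }
        /^    Read Permission: /  { if (auth != "") rp = $3 }
        /^    Write Permission: / { if (auth != "") wp = $3 }
        auth != "" && rp != "" && wp != "" {
            if (rp == "null" && wp == "null") print auth
            auth = ""
        }
    '
}

# PACKAGE/CLASS as `am start -n` expects it; a class under the app's own
# package may be shortened to ".Class".
component_spec() {
    local pkg="$1" cls="$2"
    case "$cls" in
        "$pkg".*) printf '%s/.%s\n' "$pkg" "${cls#"$pkg".}" ;;
        *)        printf '%s/%s\n'  "$pkg" "$cls" ;;
    esac
}

# Start an exported activity directly. Through drozer the agent sends the
# intent; through adb the shell user does. Neither path passes the login screen.
start_activity_drozer() { drozer_run "run app.activity.start --component $1 $2"; }
start_activity_adb()    { adb shell am start -n "$(component_spec "$1" "$2")"; }

# Steps 4 and 5 of the article in one pass, showing only reachable components.
triage() {
    drozer_run "run app.package.attacksurface $PKG"
    for kind in activity service broadcast provider; do
        echo "== $kind components of $PKG with no permission =="
        drozer_run "run app.${kind}.info -a $PKG" | unprotected_components
    done
}

# Constructed samples in drozer's listing format, for running the filter
# offline. Sieve's component names are taken from the Drozer user guide;
# AdminActivity is invented to show a protected entry being dropped.
SAMPLE_ACTIVITIES='Package: com.mwr.example.sieve
  com.mwr.example.sieve.FileSelectActivity
    Permission: null
  com.mwr.example.sieve.MainLoginActivity
    Permission: null
  com.mwr.example.sieve.PWList
    Permission: null
  com.mwr.example.sieve.AdminActivity
    Permission: com.mwr.example.sieve.ADMIN'

SAMPLE_PROVIDERS='Package: com.mwr.example.sieve
  Authority: com.mwr.example.sieve.DBContentProvider
    Read Permission: null
    Write Permission: null
    Content Provider: com.mwr.example.sieve.DBContentProvider
    Path Permissions:
      Path: /Keys
        Type: PATTERN_LITERAL
        Read Permission: com.mwr.example.sieve.READ_KEYS
        Write Permission: com.mwr.example.sieve.WRITE_KEYS
  Authority: com.mwr.example.sieve.FileBackupProvider
    Read Permission: null
    Write Permission: null
    Content Provider: com.mwr.example.sieve.FileBackupProvider'

demo() {
    printf '%s\n' "$SAMPLE_ACTIVITIES" | unprotected_components
    printf '%s\n' "$SAMPLE_PROVIDERS"  | unprotected_components
}

# Usage: ./drozer-triage.sh demo | triage | start <activity-class>
if [ $# -gt 0 ]; then
    case "$1" in
        demo)   demo ;;
        triage) triage ;;
        start)  start_activity_drozer "$PKG" "${2:?activity class required}" ;;
        *)      echo "usage: $0 demo|triage|start <activity-class>" >&2; exit 2 ;;
    esac
fi
```

Running it with demo needs no device and shows the filter keeping the three activities and two providers while dropping the protected one; triage and start need the agent. The filter only looks at authority-level permissions, so a provider it reports can still protect individual paths, as the /Keys path in the sample does; read the full app.provider.info output before calling anything exploitable.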

We will continue with this topic in an upcoming article. Stay tuned!
