Drozer--androidapp Security Assessment Tool

0x00: Preface

There are many application flaws in Android apps, and in many cases they need to be evaluated securely, andDrozer is one of the best tools. Here an app is sieve(a password manager), and its own flaws can be used as a test sample.

0x01:

Install sieve backward to configure the password, PIN code, any need to add a password to manage the information

0x02: Installing Drozer

  Tips: My platform is windows, there are several pits when installing

Download the Drozer after installation, follow up to the Drozer directory run drozer.bat, shown below is the installation success

Then in the downloaded Drozer folder there is a agent.apk file, install it on the phone and run the following

Then adb forward tcp:31415 tcp:31415 forward

The following will be displayed when running drozer console Connect

  

Solution:

Create a . drozer_config file under the Drozer directory that cannot be created directly under Windows. Start with the file by creating a 1 first. Drozer_config file , and then modify it with the Rename command)

Add the following lines (where the paths are Java and Javac)

    [Executables]
Java=f:\java\jdk1.8.0_66\bin\java.exe
Javac=f:\java\jdk1.8.0_66\bin\javac.exe

It is created and then run, and is displayed as follows: Run successfully

(If Erron 10061 or Erron 10054 appears, see:http://blog.csdn.net/ksr12333/article/details/39181057)

  

0x03: Demo Drozer How to evaluate apps

 (1) You can first list all package names run App.package.list-f sieve here is not all listed, with the-f keyword can filter the app you want to test

  

Get basic information (for example: Sieve version, permission information, user ID, group ID, data directory, etc.)

  Run App.package.info-a Com.mwr.example.sieve

  

 (2) itentify the Attack Surface (Confirm attack surface) Run App.package.attacksurface com.mwr.example.sieve

  

Debuggable lets us use ADB bindings to monitor the app

  

Start Activity run app.activity.start–-component com.mwr.example.sieve com.mwr.example.sieve.PWList( Pwlist is a password list class package, so run it)

  

 (3) SQL injection

SQL statements can be injected into the content provider with the projection and selection parameters

  Run app.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection ""

  

The error here indicates that it can be injected. Continue with run app.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--selection ""

  

  With run app.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/--projection "* from key;- command to select a specific table to list.

This is based on the Android operating system recommended to use SQLite database to store user data. The SQLite database uses SQL statements, so SQL injection is possible.

 (4) get information from content provider

  Run App.provider.info-a Com.mwr.example.sieve

  

You can see the content Provider specific information, permissions, etc.

View the URIof the Content Provider (data disclosure)

  Run Scanner.provider.finduris-a Com.mwr.example.sieve

  

We try to view specific information run App.provider.query content://com.mwr.example.sieve.dbcontentprovider/passwords/–-vertical

  

You can see the encrypted password and set the information

 (5) detecting the presence of traversal file vulnerabilities

  Run Scanner.provider.traversal-a Com.mwr.example.sieve

  

The above section is a relatively simple demonstration of the basic usage of drozer, in more detail see the official documentation:

  Https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf

  

0x04: summary

Drozer's powerful evaluation capabilities (SQL injection detection, Content provider detection, traversal of file vulnerabilities, and the ability to capture sensitive information based on vulnerabilities) provide us with a great deal of help in handling an app, and we want to share it with all our friends who love Android security. If there is any place not written right, hope to correct.

0x05: Reference

  Drozer security assessment for Android apps

Drozer--androidapp Security Assessment Tool