![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/07\/DROZER-\u2013-Android-Security-Assessment-Framework-1024x573.png\" "\\"DROZER")
\nDrozer is a framework for Android security assessments developed by MWR Labs. It is one of the best Android security assessment tools available for Android Security Assessments. In this blog, we will discuss some basic concepts related to Drozer.<\/p>\n
<\/p>\n
<\/p>\n
![\"Setting](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Setting-up-Drozerlab.png\")
<\/p>\n
Figure 1: Setting up Drozerlab<\/strong><\/p>\n <\/p>\n Figure 2: Starting the session<\/strong><\/p>\n \u00a0<\/strong><\/p>\n Drozer has a list of modules for interactive with android devices. Each module implements a very specific function, which lists down all the packages installed on the device. For example- \u2018list\u2019 shows a list of modules present in the current session.<\/p>\n Figure 3: Drozermodules<\/strong><\/p>\n <\/p>\n Once Drozer is installed and the session between the device and PC is established, we can use Drozer for conducting security assessment activities. In this blog, we will be using the \u2018Sieve\u2019 vulnerable android application for finding out vulnerable activities and content providers and further exploit them.<\/p>\n First step for finding out any vulnerable android components is finding out package-related information.<\/strong><\/p>\n Commands: <\/strong><\/p>\n Figure 4.1: Retrieve package information<\/strong><\/p>\n <\/p>\n The second step is finding out the attack interface, i.e how many activities, content providers, etc. are exported.<\/p>\n Command:<\/strong><\/p>\n Figure 4.2: Identify attack interface<\/strong><\/p>\n \u00a0<\/strong><\/p>\n The third step is finding out information related to activities that are exported to true and then launch them. If you can launch activities, which can be accessed only after authentication then you are successfully able to bypass the authentication. Sometimes, directly accessing any activity will give you access to sensitive information, for example \u2013 passwords, API keys, etc.<\/p>\n Command:<\/strong><\/p>\n Figure 4.3.1: Identify activities<\/strong><\/p>\n Command:<\/strong><\/p>\n Figure 4.3.2: Launch activities<\/strong><\/p>\n Here is another example, using \u2018Diva\u2019 vulnerable android application. In this application, we were able to access sensitive information (API Credentials) by launching the activities directly without any authentication.<\/p>\n Commands:<\/strong><\/p>\n Figure 4.3.3: Identify and launch activities<\/strong><\/p>\n <\/p>\n In the fourth step, we will see how to find out information related to content providers and the permissions required to launch them.<\/p>\n Command<\/strong><\/p>\n Figure 4.4: Identify content providers<\/strong><\/p>\n \u00a0<\/strong><\/p>\n Drozer provides a scanner module that brings together various ways to guess paths and a list of accessible content URIs.<\/p>\n Command:<\/strong><\/p>\n Figure 4.5: Identify content URI\u2019s<\/strong><\/p>\n \u00a0<\/strong><\/p>\n In this step, we will see how to query a content provider and find out the sensitive information stored in it. In the given example, we were able to find out user id, password, and pin-related information in the application. Drozer also provides scanners to find out SQL injection vulnerabilities in content providers<\/a>. We can use the scanners and can further explore SQL injection in vulnerable applications.<\/p>\n Commands:<\/strong><\/p>\n Figure 4.6.1: Query content provider<\/strong><\/p>\n Figure 4.6.2: Query content provider<\/strong><\/p>\n Figure 4.6.3: SQL injection in content providers<\/strong><\/p>\n Figure 4.6.4: SQL injection in content providers<\/strong><\/p>\n Figure 4.6.5: SQL injection in content providers<\/strong><\/p>\n \u00a0<\/strong><\/p>\n Drozer is an easy-to-use framework for quickly identifying weaknesses and possible vulnerabilities on Android-based applications. In this blog, we checked how to find out vulnerabilities related to vulnerable android components however, the framework still has various interestingly looking functionalities like getting the reverse shell, file upload, and download and writing you own Drozer module which can be explored further.<\/p>\n <\/p>\n Author,<\/p>\n Prashasti Rikhari<\/strong><\/p>\n Attack & PenTest Team<\/p>\n Varutra Consulting Pvt. Ltd.<\/p>","protected":false},"excerpt":{"rendered":" Drozer is a framework for Android security assessments developed by MWR Labs. It is one of the best Android security assessment tools available for Android…<\/p>\n","protected":false},"author":4,"featured_media":14915,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[51,264,262],"tags":[453,450,451,452,229,151],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\tStarting the Session<\/strong><\/h3>\n
\n
![\"Starting](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Starting-the-session.png\")
<\/p>\nHow to Use Drozer for Android Security Assessment<\/strong><\/h3>\n
![\"Drozermodules\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Drozermodules.png\")
<\/p>\nUsing Drozer for Android Security Assessment<\/strong><\/h3>\n
\n
\n
![\"Retrieve](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Retrieve-package-information.png\")
<\/p>\n\n
\n
![\"Identify](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Identify-attack-interface.png\")
<\/p>\n\n
\n
\n
![\"Identify](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Identify-activities.png\")
<\/p>\n\n
\n
![\"Launch](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Launch-activities.png\")
<\/p>\n\n
![\"Identify](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Identify-and-launch-activities.png\")
<\/p>\n\n
\n
![\"Identify](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Identify-content-providers.png\")
<\/p>\n\n
\n
![\"Identify](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Identify-content-URIs.png\")
<\/p>\n\n
\n
![\"Query](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Query-content-provider.png\")
<\/p>\n\n
![\"Query](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/Query-content-provider-2.png\")
<\/p>\n\n
![\"SQL](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/SQL-injection-in-content-providers.png\")
<\/p>\n\n
![\"SQL](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/SQL-injection-in-content-providers-2.png\")
<\/p>\n\n
![\"SQL](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/07\/SQL-injection-in-content-providers-3.png\")
<\/p>\n