![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/09\/Android-Penetration-Testing-with-Drozer-1024x535.png\" "\\"Android")
<\/p>\n<\/p>\n
Drozer is an android application security testing framework which is developed by FSecureLABS that makes it easy for a Pen-tester to check for potential vulnerabilities in the components of an application. It was in the past known as Mercury. It Works by playing the part of a local Android application and interfacing with the Dalvik Virtual Machine.<\/strong><\/p>\n <\/p>\n <\/p>\n In this blog, I will illustrate the installation of Drozer in Kali Linux. It is a straightforward Installation.<\/p>\n <\/p>\n <\/p>\n <\/p>\n Information Gathering on Device:<\/strong><\/p>\n Drozer has built-in modules to fetch the date and time of the device and some other information of the device also, run \u201crun information.datetime\u201d in the terminal.<\/p>\n <\/p>\n <\/p>\n Run the following command to check the packages which are debuggable run app.package.debuggable.<\/p>\n Run The following command to get the androidmanifest.xml file.<\/p>\n \u201crun app.package.manifestjakhar.aseem.diva\u201d<\/p>\n This feature of drozer will help us to identify the possible attack surface on the application. Android applications have mainly 4 essential components that can be exploited along with the debuggable flag. Run the following command to get the attack surface of any android application with a package name.<\/p>\n \u201crun app.package.attacksurfacejakhar.aseem.diva\u201d<\/p>\n Exploiting Activities:<\/strong><\/p>\n \u201crun app.activity.info -a jakhar.aseem.diva\u201d<\/p>\n \u201crun app.activity.start \u2013component jakhar.aseem.divajakhar.aseem.diva.APICredsActivity\u201d<\/p>\n \u201crun app.provider.info\u00a0 -a jakhar.aseem.diva\u201d<\/p>\n \u201crun app.provider.query\u201d with the content URI as shown in the below screenshot.<\/p>\n In this blog, we looked at various use cases of drozer framework and how drozer can help in android vulnerability assessment and various attacks that pose serious security issues to the applications. We explored the attack surface on the application, exploited exported components of the application and performed SQL injection<\/a>, etc. Thanks for reading.<\/p>\n <\/p>\n Author,<\/p>\n Piyush Sonkushre<\/strong><\/p>\n Attack & Pentest Team<\/p>\n Varutra Consulting Pvt.Ltd.<\/p>","protected":false},"excerpt":{"rendered":" Introduction to Android Application Security Testing Framework – Drozer: Drozer is an android application security testing framework which is developed by FSecureLABS that makes it…<\/p>\n","protected":false},"author":4,"featured_media":17162,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[51],"tags":[507,453,450,452,355],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\tFeatures:<\/strong><\/h3>\n
\n
Requirements:<\/strong><\/h3>\n
\n
Installation:<\/strong><\/h3>\n
\n
Android Application Testing with Drozer:<\/strong><\/h3>\n
\n
![\"1\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/1.png\")
<\/p>\n![\"1.1\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/1.1.png\")
<\/p>\n\n
\n
![\"3\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/3.png\")
<\/p>\n\n
![\"drozer](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/4.png\")
<\/p>\n\n
![\"drozer](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/5.png\")
<\/p>\n![\"drozer](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/5.1.png\")
<\/p>\n\n
![\"6\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/6.png\")
<\/p>\n\n
![\"command](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/7.png\")
<\/p>\n![\"Information](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Information-Gathering-on-Device.png\")
<\/p>\n<\/h3>\n
Information Gathering on Packages:<\/strong><\/h3>\n
\n
![\"\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Information-Gathering-on-Packages-1.png\")
<\/p>\n\n
![\"run](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/run-the-command.png\")
<\/p>\n\n
![\"3\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/3-1.png\")
<\/p>\nDebuggable Packages:<\/strong><\/h3>\n
![\"Debuggable](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Debuggable-Packages.png\")
<\/p>\nGetting AndroidManifest.xml File from Drozer:<\/strong><\/h3>\n
![\"Getting](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Getting-AndroidManifest.xml-File-fromDrozer.png\")
<\/p>\nIdentifying the attack surface of the application:<\/strong><\/h3>\n
![\"Identifying](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Identifying-the-attack-surface-of-the-application.png\")
<\/p>\n\n
![\"Exploiting](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Exploiting-Activities-1.png\")
<\/p>\n\n
![\"Now](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Now-to-launch-or-invoke.png\")
<\/p>\n\n
![\"Vendor](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Vendor-API.png\")
<\/p>\n\n
![\"help](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/help-of-drozer.png\")
<\/p>\n![\"help](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/help-of-drozer-2.png\")
<\/p>\n<\/h3>\n
Exploiting the exported content provider:<\/strong><\/h3>\n
\n
![\"Exploiting](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/Exploiting-the-exported-content-provider.png\")
<\/p>\n\n
![\"2\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/2.png\")
<\/p>\n\n
![\"3\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/3-2.png\")
<\/p>\n\n
![\"4\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/4-1.png\")
<\/p>\n\n
![\"5.1\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/5.1-1.png\")
<\/p>\n![\"5.2\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/5.2.png\")
<\/p>\n\n
![\"6\"](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/09\/6-1.png\")
<\/p>\nConclusion:<\/strong><\/h3>\n