Drozer - An Android Application Security Tool
- 1. n|u MUMBAI September,17,2016 Drozer - An Android Application SecurityTool
- 2. #WHOAMI ▪ Vivek Mahajan @c3p70r ▪ InfoSec Enthusiast & Learner ▪ Senior Information Security Analyst @niiconsulting @c3p70r
- 3. #Agenda ▪ Drozer Basics ▪ Leaking Content Providers ▪ Attacking Broadcast Receivers ▪ Abusing Android application permissions ▪ Breaking and Building Drozer as per need of pentest @c3p70r
- 4. Before We Dig Drozer ▪ Android Applications are made up of: – Activities – Services – Content Providers – Broadcast Receivers – Intents* @c3p70r
- 5. Drozer Basics ▪ Framework forAndroid application assessment written by MWR InfoSecurity ▪ Written on iPython ▪ Extensive list of inbuilt modules such as leaking content provider, scanning, application permission-list, broadcast receivers etc. ▪ Drozer works on client-server architecture. ▪ Setting up a Drozer Environment ▪ Basics usage and handy commands (Sieve Demo) @c3p70r
- 6. Leaking Content Providers ▪ Vulnerable application used – Catch ▪ Task: – Reverse the application using apktool – Find out the Content providers – Query the content provide – Vulnerability Discovered by Aditya Gupta (@adi) https://www.youtube.com/watch?v=knNQe27blVc @c3p70r
- 7. Attacking Broadcast Receivers ▪ Vulnerable application used – Fourgoats. ▪ Task: – Reverse the application using apktool – Find the broadcast receiver code – Figure out the broadcast receiver inputs. – Exploit the vulnerable broadcast receiver using Drozer @c3p70r
- 8. Abusing Android Application Permissions ▪ Vulnerable application used:Adobe Reader ▪ Vulnerable to leaking content provider ▪ Path traversal vulnerability ▪ Attacker can exploit Adobe Reader’s permissions to read any arbitrary file from SDCARD. ▪ Discovered by Sebastian Guerro (http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on- adobe-readerandroid-application/) @c3p70r
- 9. Drozer-KungFu ▪ Vulnerable application used: CSIP_Simple ▪ Not directly vulnerable. ▪ Custom permissions are there to protect the application (but lack in protection) ▪ Vulnerability discovered by Joshua J. Drake (@jduck) ▪ Reference AHH (Android hackers handbook) @c3p70r
Editor's Notes
- #5: -Activities are UI screens where user can Interact with them… in short activities represent a single screen with user interface. -Service is a component which runs in the background to perform long running operations. Services doesn’t provide the user interface. For an eg music player running in the background while you are working on the different application. Can be started by an activity. -Content providers are always start with content:// Generally used to store, retrieve and share the data from the SQLite database. Also XML and text format. -Broadcast messages are generated by the android OS. Android applications register for intents to observer and applications get backs a notification from the android system when that particular intent occur. For an eg: Battery low, Message received, Alarm etc… -Intents Ignites a broadcast receiver. Starts a service through an activity Starts a services through a BROADCAST RECEIVER Helps to migrate from one activity to another activity. Helps to deliver data from one activity to another activity ** Intents are Divided in to two categories:- Explicit Intent and Implicit intent In simple words an Intent is basically an intention to do an action Con