Android Application Testing using Drozer – Part II

After you followed our Part I of Android Application Testing series, we are now set to perform security test on Android app to identify any known vulnerabilities. Before proceeding, for the purpose of demonstration, install a vulnerable app – InsecureBank. Refer to my below article on how to install and setup insecurebank in Kali linux.

Identify Package Name:

Apps installed on the Android device are identified by their package name. You can use following drozer commands to identify package name.

To get package names of all the app installed on Android device.

dz> run app.package.list

You can even find the package name using the app name seen in Android phone.

dz> run app.package.list -f <app_name>

Mention App Name (InsecureBank) that appears on your phone.

Know Package Information:

This command provides useful information of the package path where data and apk gets stored, UIDs and details of app permissions and some more.

dz> run app.package.info -a <package_name>

Identify Insecure permissions using Android Manifest

Android Manifest files contains

  • package name
  • required app permissions on the device installed.
  • lists all the activities and other Android components
  • status of backup, debug..etc.

dz> run app.package.manifest <package_name>

shows package name and lists required user permissions
lists status of debug, backup and other defined activities

Identify insecure activities using Attack Surface:

Activities are basically screens (User Interface) which you see on the app. All the activities are declared in the manifest file with their attributes. Good Read here

dz> run app.package.attacksurface <package_name>

Use above command to identify all the exportable components – activities, broadcast, content providers and others.
dz> run app.package.attacksurface com.android.insecurebankv2

dz > run app.activity.info -a <package_name>

Once you identified exportable components, go further to list exportable activities using above command and you noticed that permissions are not defined. So we can use these activities in the next section to bypass the login screen.
dz> run app.activity.info -a com.android.insecurebankv2

dz > run app.activity.start –component <package_name> <activity_name>

Note: Use double hyphen for component
Without the login credentials, we are able to access the inner pages.
login without credentials proves presence of Vulnerable Activity Components

Identify insecure storage using Content Providers:

Content Providers store data in database, file or even over network. The real purpose of Content Providers is to supply data from app to another based on request.

dz> run scanner.provider.finduris -a <package_name>

dz> run app.provider.query <content_provider_uri>

SQLi in Content Providers:

Usually Content Providers use SQLite databases or files to store data. You can easily determine whether content providers are vulnerable using projection.

dz> run scanner.provider.injection -a <package_name>

dz> run app.provider.query content://<content> –projection “‘”

dz> run scanner.provider.sqltables -a content://<content>

You can further construct proper injection to determine structure of tables in order to retrieve data.

You may also like...

1 Response

  1. September 27, 2019

    […] Android Application Testing using Drozer – Part II […]