Dynamic Application Testing - Part 2

Intro to Drozer

• Test interaction of app with other apps on the phone

• Uses the client-server model to exploit the interprocess communication (IPC)

• Drozer Console (Runs on the workstation) and Drozer Agent (Runs on the android device)

• Test for exposed app components

Drozer Architecture

Drozer Setup

Steps to start a drozer session

• Download and extract exercise file

• Agent and sieve APK already present in the exercise files

On CMD/Terminal

• Install agent and target app

adb devices

adb install agent.apk

adb install seive.apk

• adb forward tcp:31415 tcp:31415

On Device/Emulator

• Start embedded server

On CMD/Terminal

• drozer console connect

Sieve application overview

• Open the application for the first time

• Create a Password

• Create a PIN

• Sign in using the Password

Drozer Commands

Find the application package name

dz> run app.package.list -f sieve

Package Info

dz> run app.package.info -a <package name>

Identify Attack Surface

dz> run app.package.attacksuface <package name>

Activity Testing

Find Activities

dz> run app.activity.info -a <package name>

Access an Activity

dz> run app.activity.start --component <package name> <activity name>

Content Provider Testing

Get basic information of content providers

dz> run app.provider.info -a <package name> 

Access URIs

dz> run scanner.provider.finduris -a <package name>

dz> run app.provider.query <URI>

Content Provider Testing : SQL Injection

Test for SQL injection

dz> run scanner.provider.injection -a <package name>

Verfiy the presense of SQL injection

dz> run app.provider.query <URI> --projection "'"

dz> run app.provider.query <URI> --selection "email='<email address>'"