Drozer

Drozer is an Android Security Assessment and Attack Framework. It uses a client/server model where the ‘server’ runs on the Android device and the client runs on your laptop. Drozer was written in, and only runs on, Python2. Even though Python2 is now deprecated, and removed from macOS 12.3 and later, Drozer remains a very capable tool for interrogating an Android application.

The best way to run Drozer is using the official Docker image distributed by F-Secure. This allows us to use an older Python2 script on current systems.

Drozer Installation

Drozer Server

Download the pre-compiled APK file:

https://github.com/FSecureLABS/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk

Install the APK to your test device:

adb install drozer-agent-2.3.4.apk

Drozer Client

Install Docker on to your system if it is not already installed:

https://www.docker.com/products/docker-desktop/

Once Docker is installed and running on your system, pull the latest Drozer container (if required):

docker pull fsecurelabs/drozer

To run the Drozer container:

docker run -it fsecurelabs/drozer

Once you have a shell for the container you can launch the drozer console:

drozer console connect --server [IP Address of Device]

If you just need to run a single command, use the -c flag:

drozer console connect --server [IP Address of Device] -c [command]

Example:

drozer console connect --server 192.168.0.2 -c "run app.package.info -a com.app.name"

Drozer Commands

The first thing is to connect to the Drozer console:

drozer console connect --server 192.168.0.217

The target package name will be needed for almost every command, so if you don’t already have it, you can query Drozer for it. This example looks for a package ID with ‘godaddy’ in it:

dz> run app.package.list -f godaddy
com.godaddy.gx.go (GoDaddy)

The response shows the package name (com.godaddy.gx.go in the example above). It is used in the following commands as ${PKGID}.

Get Package Information

dz> run app.package.info -a ${PKGID}

Show Package AndroidManifest.xml file

dz> run app.package.manifest ${PKGID}

Get Application Attack Surface

dz> run app.package.attacksurface ${PKGID}

List Exported Activities

dz> run app.activity.info -a ${PKGID}

List Broadcast Receivers

dz> run app.broadcast.info -a ${PKGID}

List Content Providers

dz> run app.provider.info -a ${PKGID}

List Services

dz> run app.service.info -a ${PKGID}

List URIs That Can Be Queried

dz> run scanner.provider.finduris -a ${PKGID}

List Web URLs

dz> run scanner.misc.weburls -a ${PKGID}

List Invocable URIs

dz> run scanner.activity.browsable -a ${PKGID}

Check SQL Injection

dz> run scanner.provider.injection -a ${PKGID}

Check Local File Inclusion (LFI)

dz> run scanner.provider.traversal -a ${PKGID}

WebView JavaScript Bridge Check

dz> run scanner.misc.checkjavascriptbridge -v -a ${PKGID}

Native Libraries Check

dz> run scanner.misc.native -v -a ${PKGID}

List Readable Files

dz> run scanner.misc.readablefiles /data/data/${PKGID}/ -p

List Writable Files

dz> run scanner.misc.writablefiles /data/data/${PKGID}/ -p

List SUID/SGID Files

dz> run scanner.misc.sflagbinaries -t /data/data/${PKGID}

Package Debuggable Check

dz> run app.package.debuggable -f ${PKGID}

Package Backup API Check

dz> run app.package.backup -f ${PKGID}

Start an Activity

dz> run app.activity.start --component ${PKGID} [Activity Name]

Interact with a Service

dz> run app.service.send ${PKGID} [Service Name] --msg [msg to service]
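
The -c flag from the Drozer Client section makes the enumeration modules above scriptable. The shell script below is an added example, not part of the original page or the Drozer project; the function names, the DROZER_BIN variable and the output directory are assumptions of this sketch. It validates the package ID before placing it in a console command and saves each module's output to its own file.

```shell
#!/usr/bin/env bash
# Added example: batch the page's enumeration modules through `-c`.
# DROZER_BIN and the output directory are assumptions, not Drozer options.
DROZER_BIN="${DROZER_BIN:-drozer}"

# Accept only a well-formed Android package ID, so nothing else can be
# spliced into the command string handed to the console.
valid_pkgid() {
    case "$1" in ''|*[!A-Za-z0-9_.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$'
}

# Emit one console command per line for the given package ID.
audit_commands() {
    valid_pkgid "$1" || return 1
    cat <<EOF
run app.package.info -a $1
run app.package.attacksurface $1
run app.activity.info -a $1
run app.broadcast.info -a $1
run app.provider.info -a $1
run app.service.info -a $1
run scanner.provider.finduris -a $1
run app.package.debuggable -f $1
run app.package.backup -f $1
EOF
}

# Run each command against the agent and write <module>.txt into the output dir.
# Returns the number of commands that failed.
run_audit() {
    local server pkg out cmd module failed
    server="$1"; pkg="$2"; out="${3:-drozer-out}"; failed=0
    valid_pkgid "$pkg" || { echo "invalid package ID: $pkg" >&2; return 2; }
    mkdir -p "$out" || return 2
    while IFS= read -r cmd; do
        module="${cmd#run }"; module="${module%% *}"
        if ! "$DROZER_BIN" console connect --server "$server" -c "$cmd" \
                > "$out/$module.txt" 2>&1 < /dev/null; then
            echo "FAILED: $cmd" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$(audit_commands "$pkg")
EOF
    return "$failed"
}

# Usage: ./drozer-audit.sh 192.168.0.2 com.app.name [output-dir]
if [ "$#" -ge 2 ]; then run_audit "$@"; fi
```

Run it from the shell inside the Drozer container, where the drozer command is available.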