drozer - an android application security tool
n|u MUMBAI September 17, 2016 Drozer - An Android Application Security Tool
@c3p70r
#WHOAMI
▪ Vivek Mahajan @c3p70r
▪ InfoSec Enthusiast & Learner
▪ Senior Information Security Analyst @niiconsulting
#Agenda
▪ Drozer Basics
▪ Leaking Content Providers
▪ Attacking Broadcast Receivers
▪ Abusing Android application permissions
▪ Breaking and Building Drozer as per need of pentest
Before We Dig Drozer
▪ Android Applications are made up of:
– Activities
– Services
– Content Providers
– Broadcast Receivers
– Intents*
Drozer Basics
▪ Framework for Android application assessment written by MWR InfoSecurity
▪ Written on iPython
▪ Extensive list of inbuilt modules such as leaking content provider, scanning, application permission-list, broadcast receivers etc.
▪ Drozer works on client-server architecture.
▪ Setting up a Drozer Environment
▪ Basic usage and handy commands (Sieve Demo)
Leaking Content Providers
▪ Vulnerable application used – Catch
▪ Task:
– Reverse the application using apktool
– Find out the Content providers
– Query the content provider
– Vulnerability Discovered by Aditya Gupta (@adi) https://www.youtube.com/watch?v=knNQe27blVc
Attacking Broadcast Receivers
▪ Vulnerable application used – Fourgoats.
▪ Task:
– Reverse the application using apktool
– Find the broadcast receiver code
– Figure out the broadcast receiver inputs.
– Exploit the vulnerable broadcast receiver using Drozer
Abusing Android Application Permissions
▪ Vulnerable application used: Adobe Reader
▪ Vulnerable to leaking content provider
▪ Path traversal vulnerability
▪ Attacker can exploit Adobe Reader’s permissions to read any arbitrary file from SDCARD.
▪ Discovered by Sebastian Guerro (http://blog.seguesec.com/2012/09/path-traversal-vulnerability-on-adobe-readerandroid-application/)
Drozer-KungFu
▪ Vulnerable application used: CSIP_Simple
▪ Not directly vulnerable.
▪ Custom permissions are there to protect the application (but lack in protection)
▪ Vulnerability discovered by Joshua J. Drake (@jduck)
▪ Reference AHH (Android Hacker's Handbook)
Demo Time
<--Question--->