Chapter 3. Android Security Assessment Tools

In this chapter, we will cover the following recipes:

  • Installing and setting up Santoku
  • Setting up drozer
  • Running a drozer session
  • Enumerating installed packages
  • Enumerating activities
  • Enumerating content providers
  • Enumerating services
  • Enumerating broadcast receivers
  • Determining application attack surfaces
  • Launching activities
  • Writing a drozer module – a device enumeration module
  • Writing an application certificate enumerator

Introduction

We've covered all the Android development basics and introduced all the Android Development Tools. Now it's time to start getting into the Android hacking and security assessment tools.

This chapter introduces you to an exploitation and Android security assessment framework called drozer, formerly known as Mercury, developed by some of the people at MWR Labs. Also covered in the chapter is a Debian-based Linux distribution called Santoku, which is essentially the BackTrack or Kali Linux of mobile security assessment. Here we cover setting it up and getting it running.

Before we begin setting up drozer and writing some sample scripts, it is important that you understand a little about how drozer operates and how it solves some of the problems in the Android security assessment game.

drozer comes in two parts: the "console", which runs on your local machine, and the "server" (the drozer Agent), which is basically an application installed on a target Android device. When you use the console to interact with the Android device, you are essentially injecting Java code into the drozer Agent, which executes it on the actual device.

Why design it this way? Well, before drozer came along, writing application-vulnerability-focused exploits meant compiling an Android app to exploit a given vulnerability, deploying it to the target phone, and checking whether it worked. If it didn't, you would need to redo the entire process! This practice is very tedious and can make Android security assessments feel like a chore. drozer makes it easy to deploy and test exploits by passing commands to the device on the fly through the drozer Agent, which means you never need to touch an Android development environment or recompile an exploit app multiple times.

drozer is called a framework because it allows you to extend its functionality by writing your own modules or plugins and adapting it to your needs. It is essentially the closest thing to the Metasploit of mobile security assessment.

Another important property of the standard drozer framework is that its on-device component, the Agent, is an Android application with no permissions. This means that whatever exploits you manage to pull off on an Android device will automatically be quite portable and require very low privilege levels to succeed. The aim is to demonstrate how effective a "no-permission" application can be at exploiting an Android device and the applications hosted on it.

And that's it as far as basic background on drozer goes. For the rest of the chapter, you may require some basic knowledge of the Python programming language, since drozer's modules are developed in Python. It may also help if you know something about Java Reflection and have developed some Android apps yourself. If you've never developed anything serious or have never programmed in Python, don't fret; I'll make sure to walk through all the Python code and explain it carefully.

So without further ado, let's get going!
