What is Drozer?

Drozer is a Security & Attack Framework for Android Application Testing. Drozer is a tool that can be used for Mobile device review , Secure development of applications, BYOD approval and Mobile application testing.

There are 2 Versions of Drozer an Open Source and other one Pro version having following features

1. Gathering the information about the application
2. Find the attack surface
3. Test your Exposure to Public Exploits
4. Execute dynamic code on a device, to avoid the need to compile and install small test scripts.
5. Start Android emulators, provisioned with the drozer Agent and the app you want to investigate.
6. Simulate sensor input, such as GPS, to emulators to test the full attack surface.
7. View the attack surface as a graph. this will be helpful for the risk assessment reporting.

Drozer is having agent & server architecture so to start with assessment we have to install the agent in the emulator or connected device.

Command to install the Drozer agent on emulator or device

adb install drozer.apk

Start the service on the emulator or device

then give below command

adb forward tcp:31415 tcp:31415

open cmd and browse to drozer directory

To check drozer functionality or device connected

To connect to the device or emulator

drozer console connect

To search for an app

run app.package.list -f [keyword]

To get info of an app

To check the attack surface 

run app.package.attacksurface [package name]

To get info about the activity 

run app.activity.info -a [package name]

To start the activity 

run app.activity.start --component[package name] [activity name]

To get info about providers 

run app.provider.info -a [package name]

To find uri for providers 

run app.provider.finduri [package name]

To get info from providers 

run app.provider.query [uri]

To check path traverssal vul in provider 

run scanner.provider.traversal -a [package name]

To check for Sql injection 

run scanner.provider.injection -a [package name]

To download a file from android device to local machine 

run tools.file.download [source path] [destination path]

To get info abt a service 

run app.service.info -a [package name]

To interact with the service 

run app.service.send [package name] [service name] --msg [msg to service]

To interact with broadcast receiver

run app.broadcast.send --action [action from android_manifest file] --component [package name] [broadcast reciever] --extra string[string to send like in sendind sms we can send phone number for that we need to check source for input parameter]
For eg: run app.broadcast.send --action org.owasp.goatdroid.fourgoats.SOCIAL_SMS --component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.broadcastreceivers.SendSMSNowReceiver --extra string phoneNumber 5554 --extra string message U R Just PWNED!!!!!