Categories
Cyber Security Mobile App Testing

Android App Hacking with Drozer – The Setup

Why Drozer?

MWR Labs has done an excellent job putting together this attack framework for Android applications; Drozer rocks.  They even have an excellent tutorial to help you get everything set up. What I found myself doing when I first learned how to use this tool was still needing other resources in order to complete my setup and get things working, so here we bring it all together and get you up and running.

This tool helps you enumerate the attack surface that an Android application exposes, and then lets you run public exploits against the application to make sure that your application has been tested and validated!

This tool can also be used for remote exploits: once a shell is obtained, install the shellcode that Drozer generates, and you now have a remote administration tool on your target device.

You should need no other convincing than this that this tool belongs in your suite of Android testing tools, right next to Mobile Security Framework (MobSF), Burp, and Android Studio.

Setup and Install

First boot up Genymotion (instructions for loading this tool are in the MobSF article posted here). Pick an Android device to emulate that is running anything after Android 2.1, and have your application downloaded from the Google Play Store (or sideloaded).

To begin, head over to Team Android's page, download the latest Google drivers available, and unzip them into your Mobile Web App folder (or one that you will remember). Then right-click your command console and run it as an administrator.  We need to point the console at that folder's location in order to use ADB at the command line:

chdir "C:\Desktop\FOLDER\Platform-Tools\"

Replace the path within the quotes with the folder's location on your workstation when running this.

adb devices

In order to run the ADB command in the console you must be in the platform-tools folder. This is important to note, as the next thing we need to do is install the Drozer agent onto your Genymotion device.

Side Note*** If you are using a physical Android device, continue by installing the Google USB Drivers onto your computer as shown in the Team Android post, then connect the device to your workstation with a USB cable.

Then type adb devices as shown above.

This will pop up a list of the Android devices you have connected, either via USB cable or via the Genymotion Android emulator.

Building for Windows

NOTE: Windows Defender and other Antivirus software will flag drozer as malware (an exploitation tool without exploit code wouldn’t be much fun!). In order to run drozer you would have to add an exception to Windows Defender and any antivirus software.

We must also have Python on our workstation, as it is one of the dependencies for using the Drozer toolset.

git clone https://github.com/mwrlabs/drozer/
cd drozer
python.exe setup.py bdist_msi

Installing .msi (Windows)

Run dist/drozer-2.x.x.win-x.msi 

**As you download this file Windows Defender should catch it; click back on the alert and add the entire folder as an exception in Windows Defender and the firewall in order to proceed.

Agent.APK Setup

Now download the Drozer agent.apk file here (this will be installed on your Android device so it can communicate back to the Drozer program on your workstation).

Stay in your platform-tools folder so you can run this adb command and install the agent onto your Android device:

adb install "C:\Desktop\FOLDER\Drozer\agent.apk"

Once again, replace the path with the download location of the agent.apk file.

adb install agent.apk

You should then see the orange Drozer agent icon on your device.  Finally, forward your ports to the port that Drozer uses with the following adb command:

adb forward tcp:31415 tcp:31415
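The adb steps above (listing devices, installing agent.apk, forwarding tcp:31415) are easy to get half right: a physical phone shows up as "unauthorized" until you accept the USB debugging prompt, and with several devices attached adb refuses to pick one. The following pre-flight script is an added example, not code from the original post or from drozer itself. It parses the output of `adb devices` and `adb forward --list` (the device serials in the sample output are constructed; Genymotion VMs are assumed to appear as ip:5555 entries), picks a usable target, and when adb is on PATH it installs the agent and sets up the forward only if it is not already there.

```python
"""Pre-flight helper for the drozer agent install and port forward (added example)."""
import shutil
import subprocess
import sys

DROZER_PORT = 31415

# Constructed sample of `adb devices` output: an emulator, a Genymotion VM
# (adb shows it as ip:5555) and a phone whose USB debugging prompt is pending.
SAMPLE_DEVICES = """List of devices attached
emulator-5554\tdevice
192.168.56.101:5555\tdevice
ZY22ABCDEF\tunauthorized
"""

# Constructed sample of `adb forward --list` output.
SAMPLE_FORWARDS = "192.168.56.101:5555 tcp:31415 tcp:31415\n"


def parse_adb_devices(text):
    """Return [(serial, state), ...] from `adb devices` output; skips header and daemon notices."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        serial, state = line.split(None, 1)  # state: device, offline, unauthorized, ...
        devices.append((serial, state.strip()))
    return devices


def choose_target(devices):
    """Pick the single usable device; explain the common failure states instead of guessing."""
    usable = [serial for serial, state in devices if state == "device"]
    blocked = [(serial, state) for serial, state in devices if state != "device"]
    if not usable:
        hints = "; ".join(
            "%s is %s (%s)" % (serial, state,
                               "accept the USB debugging prompt on the phone"
                               if state == "unauthorized"
                               else "reconnect the device or restart the emulator")
            for serial, state in blocked) or "no devices listed"
        raise RuntimeError("no usable device: " + hints)
    if len(usable) > 1:
        raise RuntimeError("several devices attached, choose one serial: " + ", ".join(usable))
    return usable[0]


def forward_present(forward_list_text, serial, port=DROZER_PORT):
    """True if `adb forward --list` already maps tcp:<port> to tcp:<port> for this serial."""
    want = "tcp:%d" % port
    for line in forward_list_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == serial and parts[1] == want and parts[2] == want:
            return True
    return False


def adb(*args):
    """Run one adb command and return its stdout (raises on a non-zero exit)."""
    done = subprocess.run(["adb"] + list(args), check=True, capture_output=True, text=True)
    return done.stdout


def main(agent_apk="agent.apk"):
    if shutil.which("adb") is None:
        sys.exit("adb not found on PATH; run this from platform-tools or add it to PATH")
    serial = choose_target(parse_adb_devices(adb("devices")))
    adb("-s", serial, "install", "-r", agent_apk)  # -r: reinstall if the agent is already present
    if not forward_present(adb("forward", "--list"), serial):
        adb("-s", serial, "forward", "tcp:%d" % DROZER_PORT, "tcp:%d" % DROZER_PORT)
    print("agent installed on %s and tcp:%d forwarded; switch the agent on, then run"
          " `drozer console connect`" % (serial, DROZER_PORT))


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Run it as `python drozer_preflight.py path\to\agent.apk` from a console where adb works; if it reports "unauthorized", look at the device screen for the RSA fingerprint prompt before retrying.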

[Screenshot: drozer setup]

Here you can see the setup I am using.  In Genymotion I have been using Google Nexus 9 – 5.1.0 API 22 devices with a screen size of 1536×1048.

I find that I like the bigger screen size when working in Geny, and it fills exactly half of my UHD display.

[Screenshot: drozer agent on]

Now, click your Drozer agent icon, and in the bottom right-hand corner click the “off” button to turn it on.

Boom, congratulations: you have now set up Drozer and are ready to begin testing your Android application.  Install the application you are testing from the Google Play Store or sideload it onto your Genymotion device, then head back to your command line.

Navigate over to your Drozer folder, which has all of the program files within it, and run:

drozer console connect

***On a real (not an emulator) Android device the IP of the device must be specified:

drozer.bat console connect --server 192.168.0.9

[Screenshot: drozer running]

If you are already knowledgeable about the inner workings of the Android testing tool Drozer, hack on.  If not, follow me over to my next post.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In this article we jumped between three main articles; none of them will get you completely set up by itself, unfortunately, which is why I am here to put all the steps together into this one article and be your one-stop shop here at Cyber Incision.

  • The first is from Team Android, who will get you up and running with ADB (<—gotta have it) and Fastboot on Windows 10.
    • This set of drivers is also known as the Android SDK Tools (follow this link to set them up): an advanced command-line tool that lets you run operations on your Android device and emulator that would not have been possible before.
  • The second article worth reading is from the INFOSEC Institute, which has provided an excellent introduction to Drozer and can be used as a reference for many of the commands you will see in this article.
  • Finally there is the MWR Drozer instruction manual, which is an excellent reference point, especially once you get past the introductory learning curve and begin using the Drozer modules.

How to use MobSF to analyze a Mobile Web Application

There are a number of excellent tools that exist when it comes to testing mobile web applications.  Unfortunately many of them cost a significant amount of moolah.  There are a few, though, that are currently free to use, and we are going to take a deep dive into getting you your first Mobile Security Framework report on the mobile web app that you are testing today.

Before testing mobile web applications, please be sure that your organization has the required documentation and written consent from the client organization for you to do so.  Typically this will be included in a SOW (Statement of Work) and ROE (Rules of Engagement).

MobSF Install and Use:

Now that we have the .APK in our Kali box, let's get our Mobile Security Framework up and running.

I would be doing you a disservice if I tried to go step by step on the setup and did not tell you that MobSF and ajinabraham already have excellent tutorials on getting up and running with the MobSF tool, because they do.

Feel free to visit their page or continue on and follow the next few steps.

**For Windows or Mac please see the MobSF documentation at this link**

The reason I use Kali in a virtual environment is so I can suspend it, have a dedicated MobSF VM, and have it keep my MobSF reports under ‘recent MobSF reports’ so I can switch back and forth to it and analyze source code.

https://github.com/MobSF/Mobile-Security-Framework-MobSF/wiki/1.-Documentation

For Kali Linux, follow along here: pull up your terminal/command line in Kali Linux and run:

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF

Clone the repository, then switch into its directory as shown above.

sudo apt install build-essential libssl-dev libffi-dev python-dev
pip install -r requirements.txt --user

Then install these libraries, which are essential to getting up and running, along with the Python requirements and dependencies.

Now, in every pentest I have been a part of, there is always a pentester who claims to have done the work but has NO report to back it up... Don't be that GUY/GAL!

Run this command:

apt-get install wkhtmltopdf

This will give you the option, at the end of uploading your .APK file, to download the PDF and have a report showing that the analysis has at least been run, that an artifact exists, and that it can be referenced back to later.

After this, we are ready to start the MobSF server.

In your terminal run:

python manage.py runserver

[Screenshot: MobSF server running]

Now you have your server running, but wait, there is nowhere to insert my APK file!?

Thats because MobSF is AWESOME!

Pull up your browser and go to http://localhost:8000/

You will now see the web interface, drag-and-drop ready for the .APK file that you have already downloaded from your Google Drive/Dropbox account.

[Screenshot: MobSF analyzing]

Throw it in, and you will see the server in the background have fun analyzing the .APK while you sit back and relax.

[Screenshot: MobSF report]

Be sure you are aware of the OWASP Mobile Security Checklist; it is essential to making sure you cover your bases as a pentester.  You are not required to know everything, but you are required to know how and where to find EVERYTHING.

So hop to it and get analyzing. You have your report; at the bottom left you can see "download report as a PDF", but please use the web interface: it allows you to download the Java code for the application and really get your hands dirty, and it is more user-friendly than the PDF report (which you should still keep as an artifact).
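Since the point above is that an artifact must always exist, it helps to be able to produce the PDF without clicking through the web interface. The script below is an added example, not code from the original post or from the MobSF project. It assumes the MobSF v1.x REST API (POST /api/v1/upload, /api/v1/scan and /api/v1/download_pdf, authenticated with an "Authorization: <api key>" header, the key being printed when the server starts); field names have changed between MobSF releases, so check the REST API page of the wiki for the version you installed. The HTTP call is injectable, and demo_post() is a constructed stand-in server so the flow can be exercised offline.

```python
"""Upload an APK to MobSF, run the static scan and save the PDF report (added example)."""
import json
import os
import sys
import tempfile
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = "http://localhost:8000"   # where `python manage.py runserver` listens


def http_post(url, headers, body, content_type):
    """Minimal POST using urllib; returns the raw response bytes."""
    req = urllib.request.Request(url, data=body, method="POST")
    for key, value in headers.items():
        req.add_header(key, value)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def multipart_file(filename, data):
    """Build a single-file multipart/form-data body for the 'file' field."""
    boundary = uuid.uuid4().hex
    body = (b"--" + boundary.encode() + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + data + b"\r\n"
            b"--" + boundary.encode() + b"--\r\n")
    return body, "multipart/form-data; boundary=" + boundary


def form(fields):
    """URL-encode a form body and return it with its content type."""
    return urllib.parse.urlencode(fields).encode(), "application/x-www-form-urlencoded"


def scan_and_fetch_pdf(apk_path, api_key, base_url=MOBSF_URL, post=http_post):
    """Upload the APK, run the static analysis, return (scan hash, PDF bytes)."""
    headers = {"Authorization": api_key}   # assumed MobSF v1.x REST API auth header
    with open(apk_path, "rb") as f:
        body, ctype = multipart_file(os.path.basename(apk_path), f.read())
    up = json.loads(post(base_url + "/api/v1/upload", headers, body, ctype))
    if up.get("status") != "success":
        raise RuntimeError("upload rejected: %r" % up)
    # The scan call takes exactly the values the upload step returned.
    body, ctype = form({"scan_type": up["scan_type"], "file_name": up["file_name"], "hash": up["hash"]})
    post(base_url + "/api/v1/scan", headers, body, ctype)
    body, ctype = form({"hash": up["hash"]})
    pdf = post(base_url + "/api/v1/download_pdf", headers, body, ctype)
    if not pdf.startswith(b"%PDF"):
        raise RuntimeError("download_pdf did not return a PDF; is wkhtmltopdf installed?")
    return up["hash"], pdf


# ---- constructed offline self-test: canned responses standing in for a server ----
DEMO_HASH = "0123456789abcdef0123456789abcdef"   # constructed, not a real scan hash
DEMO_KEY = "demo-api-key"                        # constructed


def demo_post(url, headers, body, content_type):
    """Fake server: checks the key, answers the three endpoints the flow uses."""
    if headers.get("Authorization") != DEMO_KEY:
        return b'{"error": "unauthorized"}'
    endpoint = url.rsplit("/", 1)[1]
    if endpoint == "upload":
        return json.dumps({"status": "success", "hash": DEMO_HASH,
                           "scan_type": "apk", "file_name": "demo.apk"}).encode()
    if endpoint == "scan":
        return b"{}"
    if endpoint == "download_pdf":
        return b"%PDF-1.4 constructed report"
    raise AssertionError("unexpected endpoint " + endpoint)


def run_offline_demo(api_key=DEMO_KEY):
    """Exercise the full flow against demo_post with a throwaway 'APK' file."""
    with tempfile.TemporaryDirectory() as tmp:
        apk = os.path.join(tmp, "demo.apk")
        with open(apk, "wb") as f:
            f.write(b"PK\x03\x04 not a real apk")   # constructed placeholder content
        return scan_and_fetch_pdf(apk, api_key, post=demo_post)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: mobsf_report.py <app.apk> <api key>")
    scan_hash, pdf_bytes = scan_and_fetch_pdf(sys.argv[1], sys.argv[2])
    out_name = scan_hash + ".pdf"
    with open(out_name, "wb") as f:
        f.write(pdf_bytes)
    print("report written to", out_name)
```

The saved file is named after the scan hash MobSF assigns, so the PDF can be matched back to the entry in "recent MobSF reports" and to the JSON findings of the same scan.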

[Screenshot: analysis]

Here is the certificate for the application, which you can check to make sure it is up to industry standards.

[Screenshot: permissions]

Also make sure the permissions for your application make sense!  Go through these while testing the functionality of the application and make sure that the user is asked for the appropriate permissions and they are not assumed (many a lawsuit has happened because the creator of a mobile application assumed that data could be taken and/or shared).

[Screenshot: manifest analysis]

As you can see in the Manifest Analysis, MobSF rates many items as high severity.  There is a fine line between customer experience and security, which is why you see what you see; read the description and use your God-given critical thinking skills to analyze them. Do not just throw this report at your project manager or client and say "fix these things!"  If you find something out of the ordinary, or seriously think you have a few items that may lead to vulnerabilities, do some research, or, crazier yet, ASK someone!

MobSF allows you to download the Android manifest, the Java code, and the smali code.  Unfortunately this tool does generate false positives.  Verify the issues described by Mobile Security Framework by downloading the code and analyzing it. Do your due diligence.  Prove vulnerabilities exist.
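Verifying the manifest findings yourself is the cheapest form of the due diligence asked for above. The script below is an added example, not code from the original post or from MobSF; it reads the decoded AndroidManifest.xml that MobSF lets you download and reports the items its Manifest Analysis typically rates high: debuggable builds, allowBackup, and components that are exported (explicitly, or implicitly through an intent-filter) without an android:permission guarding them. The launcher activity is deliberately left off the list, since it must be exported and is the classic false positive in such reports. The manifest embedded here is constructed for the self-test; the attribute defaults follow the Android manifest documentation.

```python
"""Triage exported components, debuggable and allowBackup in a decoded manifest (added example)."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for the offline self-test.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def attr(elem, name, default=None):
    """Read an android: namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def is_exported(elem):
    """android:exported wins; with it absent, an intent-filter makes the component exported."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_launcher(elem):
    """True for the MAIN/LAUNCHER activity, which has to be exported."""
    return any(attr(cat, "name") == "android.intent.category.LAUNCHER"
               for cat in elem.iter("category"))


def analyze_manifest(xml_text):
    """Return the findings a reviewer would check against MobSF's Manifest Analysis."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")   # keeps the XML declaration parseable
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "debuggable": attr(app, "debuggable", "false").lower() == "true",
        "allow_backup": attr(app, "allowBackup", "true").lower() == "true",  # Android default is true
        "exported_unprotected": [],
    }
    for kind in COMPONENTS:
        for comp in app.findall(kind):
            if is_exported(comp) and attr(comp, "permission") is None and not is_launcher(comp):
                findings["exported_unprotected"].append((kind, attr(comp, "name")))
    return findings


def report_lines(findings):
    """Human-readable summary, one finding per line."""
    lines = ["package: %s" % findings["package"],
             "debuggable: %s" % findings["debuggable"],
             "allowBackup: %s" % findings["allow_backup"],
             "permissions: %s" % ", ".join(findings["permissions"])]
    for kind, name in findings["exported_unprotected"]:
        lines.append("exported %s without permission: %s" % (kind, name))
    return lines


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, "rb").read() if path else SAMPLE_MANIFEST
    print("\n".join(report_lines(analyze_manifest(text))))
```

An entry in exported_unprotected is a lead, not a proven vulnerability: the next step is to read the component's code (the Java or smali MobSF gives you) and confirm what an arbitrary caller can make it do.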

Have fun, learn lots.

~Cyber Incision out