Drozer: Open-source Android security assessment framework

Drozer is an open-source security testing framework for Android, whose primary purpose is to make the life of mobile application security testers easier.

Drozer features

The solution enables the identification of security vulnerabilities in applications and devices by taking on the role of an app and facilitating interactions with the Dalvik VM, other apps’ IPC endpoints, and the operating system.

“When performing security assessments, we must consider whether other device apps could maliciously manipulate the target app. Conventionally, this used to be done by creating a proof-of-concept application, installing it on the same device as the target, and modifying this app for every test scenario. This was time-consuming – the application would have to be modified, recompiled each time, and installed on the device. Drozer simplifies this process – rather than creating custom apps for each test, the tester can issue commands through a console, achieving the same goals faster and more conveniently,” Miłosz Gaczkowski, Mobile Security Lead at WithSecure Consulting, told Help Net Security.

Drozer offers tools that assist in understanding and using publicly available Android exploits. It is effective for mimicking a malicious application. Penetration testers don’t need to create a custom app to interact with a specific content provider. Instead, Drozer can be utilized with minimal or no programming skills to demonstrate the consequences of exposing specific components on a device.
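A defender-side counterpart to the passage above, as an added example that is not part of the original article and is not Drozer code: a small audit that lists the components a manifest exposes to other apps without a permission guard. The function name, the sample manifest and its `com.example.notes` package are constructed for illustration, and the manifest is assumed to be in decoded text form.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in decoded text form; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.notes.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"
        android:exported="true" android:readPermission="com.example.notes.READ"/>
  </application>
</manifest>"""


def exposed_components(manifest_xml):
    """Return (tag, name, reason) for each component other apps can reach unguarded."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_perm = app.get(A + "permission")  # application-level default permission
    findings = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = elem.get(A + "exported")
        if exported is None:
            # Implicit default: an intent-filter exports it; providers assumed not exported.
            is_exported = elem.tag != "provider" and elem.find("intent-filter") is not None
            how = "implicitly exported by intent-filter"
        else:
            is_exported, how = exported.lower() == "true", "exported=true"
        if not is_exported:
            continue
        perm = elem.get(A + "permission") or app_perm
        if elem.tag == "provider":  # read and write access can be guarded separately
            missing = [k + " " for k in ("read", "write")
                       if not (elem.get(A + k + "Permission") or perm)]
        else:
            missing = [] if perm else [""]
        for kind in missing:
            findings.append((elem.tag, elem.get(A + "name"), f"{how}, no {kind}permission"))
    return findings
```

Calling `exposed_components(SAMPLE_MANIFEST)` returns the findings as a list. The check only tests whether a permission is declared, not its protection level, so a guarded component still needs a manual look at how that permission is defined.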

Future plans and download

“We plan to release a new major version of Drozer to resolve some of its compatibility issues. Drozer 2 relies on dated libraries and SDKs, making it difficult to run natively. Drozer 3 does not introduce new major features, but it does make the application much easier to run – hopefully rendering mobile security more accessible,” Gaczkowski concluded.

Drozer is available for free on GitHub.
