This section is one of the most interesting sections when working with Drozer. We can identify the attack surface of our target application with a single command. It gives the details such as exported applications components, if the app is debuggable, and so on.
Let's go ahead and find out the attack surface of testapp.apk
. The following command is the syntax for finding the attack surface of a specific package:
dz> run app.package.attacksurface [package name]
In our case for testapp.apk
, the command becomes as follows:
dz> run app.package.attacksurface com.isi.testapp
As we can see in the previous screenshot, the testapp application has two activities, which are exported. Now it's our job to find the name of the activities exported and if they are sensitive in nature. We can further exploit it by using existing Drozer modules. This app is also debuggable, which means we can attach a debugger to the process and step through every single instruction and...