Write your own Drozer Module for Android Application Security Testing


If you have worked in penetration testing or application testing, you already know how often you are repeating common tasks. This is where Drozer comes into the picture.

Drozer: Android Application Security Assessment Framework

Drozer is a Python based framework to help automate Android application testing. It consists of two parts: a console and an Android agent with limited permissions.

Drozer is based on a client-server architecture. The client is installed on your local instance, whereas the server is the Android app or agent. Once you run the Android app, it starts the Drozer server on port 31415, which is also the port on which it communicates with the client.

To start up Drozer, all you need to do is run

adb forward tcp:31415 tcp:31415
drozer console connect

The agent's only permission, by default, is android.permission.INTERNET, which it needs to receive commands from the console. Additional permissions can be added to the Drozer agent, but a vulnerability that can be reached with only the default permissions is a more serious one.


One of the key advantages of Drozer is its modular nature. Users can extend the capabilities of the framework and create modules to automate vulnerability research and exploits.

Getting started with Drozer Modules

Drozer modules follow a simple structure with required metadata (for the required metadata, see the Drozer module writing documentation) and the execute() method. Another popular method is the add_arguments() method, which uses argparse to easily parse command line parameters.

The real power of Drozer scripting comes from its use of Java's Reflection API, which allows Python code to create and interact with Java objects right on Android's Dalvik VM. A module author can directly use all the objects and methods available in the Android API. Reflection can be a difficult concept to grasp without an example or two.

Writing a Drozer module to collect device information is a great, simple example of how reflection can be used. The android.os.Build object provides information about the device hardware and operating system. First we need to instantiate a new build object in Python using build = self.new("android.os.Build").

Then we can use any of the object's features natively in Python! For example, we can use build.BOARD to access the information for the device's underlying board. To see the entire example, see Keith Makan's ex.device.info module from Android Security Cookbook.

Writing our own Module to Automate Android Security Testing

Let's go through a quick example of creating a Drozer module. For this example, we will create a Drozer module that creates an SMS from a user-provided number and message. (This would be equivalent to running am start -a android.intent.action.MAIN --es "sms_body" "message" --es "address" "number" com.android.mms/.ui.ComposeMessageActivity from the Android shell.)

The trickiest part of this module is building the Intent. In Drozer, the syntax is

intent = android.Intent(action=*action*, *additional arguments*)

From above, our action is android.intent.action.MAIN. We will also need to define the component for the intent ("com.android.mms", "com.android.mms.ui.ComposeMessageActivity") and the extras (commands carried by the Intent) [['string', 'address', str(arguments.number)], ['string', 'sms_body', str(arguments.message)]]. The values of the extras are pulled in from user-defined command line parameters.

Finally, we will need to set a flag indicating that we are starting an activity from outside of an activity context: ['ACTIVITY_NEW_TASK'].

Putting it all together, we end up with intent = android.Intent(action=act, component=cmp, extras=extr, flags=flg). I created variables for each of the arguments to build the Intent to make building the Intent easier to read.

With the Intent built, we need to start the Activity and pass the Intent in order to create the SMS. In Drozer, that looks like self.getContext().startActivity(intent.buildIn(self)).

Installing and Running the Drozer Module

Once you have written the module and saved it (I called mine ex.SMS.create), you need to install it before you can use it. Drozer recommends creating your own repository to install custom modules to prevent issues with upgrading in the future.

To create a repository and install a module, you need to first be in the Drozer console. You can create a repository with

module repository create /absolute-path-to-new-repo

Thereafter you install the module with

module install /absolute/ex.SMS.create

If you have more than one module repository, Drozer will ask you to select the repository to install it to.

Finally, you can run the module with

run ex.SMS.create -n *telephone number* -m *message to send*

Video: http://www.youtube.com/watch?v=FVETxPF_KMA

This simple module can be expanded to build in validation of user input and the Intent. Or, you can build off these concepts to write your own Drozer module to exploit the SMS resend vulnerability in Android (CVE-2014-8610).

In either case, if you plan on working with Drozer and creating your own modules, I highly recommend installing the mwrlabs.developer module. This module has an interactive shell that you can use to test the creation and interaction of Java objects.

Now you are ready to start writing and sharing Drozer modules for your own Android application testing!

Full code for ex.SMS.create module

from drozer import android
from drozer.modules import Module

class Create(Module):
    # Required module metadata
    name = "Create an SMS"
    description = "A sample module to create an SMS"
    examples = """ run ex.SMS.create -n 1234567 -m "Hello, World!" """
    date = "2015-12-20"
    author = "Norman"
    license = "GNU GPL"
    path = ["ex", "SMS"]

    def add_arguments(self, parser):
        # Command line parameters, parsed with argparse
        parser.add_argument("-n", "--number", default=None, help="telephone number")
        parser.add_argument("-m", "--message", default=None, help="message")

    def execute(self, arguments):
        act = "android.intent.action.MAIN"
        cmp = ("com.android.mms", "com.android.mms.ui.ComposeMessageActivity")
        extr = [['string', 'address', str(arguments.number)], ['string', 'sms_body', str(arguments.message)]]
        # We are starting an activity from outside of an activity context
        flg = ['ACTIVITY_NEW_TASK']
        # Build Intent
        intent = android.Intent(action=act, component=cmp, extras=extr, flags=flg)
        # Start Activity
        self.getContext().startActivity(intent.buildIn(self))
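
The input validation mentioned earlier as a possible extension could look like the following. This is an added example, not part of the original module or of Drozer: the function names and the two limits are assumptions, and build_extras() would replace the extr = ... line in execute(). Because both arguments default to None, the module as written passes the literal string "None" as the address when -n is omitted; the checks below reject that case.

```python
import re

# Assumed limits for this example (not taken from Drozer or the original post).
MAX_DIGITS = 15            # E.164 upper bound on digits in a phone number
MAX_MESSAGE_CHARS = 1600   # arbitrary cap to keep the Intent extra small

_SEPARATORS = re.compile(r"[\s().-]")
_NUMBER = re.compile(r"^\+?[0-9]{3,%d}$" % MAX_DIGITS)


def validate_number(raw):
    """Return the number with separators stripped, or raise ValueError."""
    if raw is None:
        # argparse default=None would otherwise become the string "None"
        raise ValueError("missing -n/--number")
    number = _SEPARATORS.sub("", str(raw))
    if not _NUMBER.match(number):
        raise ValueError("not a phone number: %r" % (raw,))
    return number


def validate_message(raw):
    """Return the message unchanged if it is acceptable, or raise ValueError."""
    if raw is None or not str(raw).strip():
        raise ValueError("missing -m/--message")
    message = str(raw)
    if len(message) > MAX_MESSAGE_CHARS:
        raise ValueError("message longer than %d characters" % MAX_MESSAGE_CHARS)
    if any(ord(ch) < 32 and ch not in "\n\t" for ch in message):
        raise ValueError("message contains control characters")
    return message


def build_extras(number, message):
    """Build the extras list in the shape the module passes to android.Intent."""
    return [
        ["string", "address", validate_number(number)],
        ["string", "sms_body", validate_message(message)],
    ]
```

In execute(), wrap the call in try/except ValueError and report the error to the console instead of starting the activity.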

Norman Shamas is a digital security trainer, activist, and budding security researcher. He has done extensive work with community organizations and activists to train them on security in a holistic framework (digital, physical, psychosocial). Norman is very excited to be working with Attify to help protect the tools most activists use to communicate: their phones.
