Exploring Android Platform - Mercury
The Heavy Metal That Poisoned the Droid
Mercury is a framework for exploring the Android platform; to find vulnerabilities and share proof-of-concept exploits.
A number of published security assessment methodologies currently exist to support researchers reviewing the security of Android applications and devices. The majority of these methodologies include static analysis methods and require the use of custom scripts and tools to perform single tasks. The general process of assessing the security of Android applications typically involves the following steps:
ºDownload the target application packages
ºExtract the application manifests
ºDecompile the application into readable source code or byte code representations
ºAnalyse the application manifests and code
ºWrite a custom application to test anomalies in the entry points of the applications
ºExploring Android Platform: Mercury documentation
This general process often requires a separate approach for each step, many different tools and lots of time, especially when a large number of applications need to be assessed as part of a project. If the process can be simplified and tools provided to automate the repetitive parts, it would enable a security researcher to assess applications and devices in a more consistent manner and ultimately perform more comprehensive assessments. This could also be done in less time whilst providing more assurance. Mercury is a framework that solves this problem by providing interactive tools that allow for dynamic interactions with the target applications running on a device. This dynamic interaction greatly benefits vulnerability hunters and auditors who are under time constraints. At the time of writing, there were no known frameworks for performing dynamic analysis on Android, making Mercury unique in its space.
This paper will lay the foundations for performing dynamic analysis and finding ways to automate some of the tasks that are needed when assessing the security of Android applications and devices. It will also delve into some techniques that could be used by malicious applications with minimal permissions to steal information from devices.
Exploring Android Platform
Mercury allows you to assume the role of a low-privileged Android app, and to interact with both other apps and the system.
Use dynamic analysis on Android applications and devices for quicker security assessments
Share publicly known methods of exploitation on Android and proof-of-concept exploits for applications and devices
Write custom tests and exploits, using the easy extensions interface
Mercury allows you to:
1. Interact with the 4 IPC endpoints – activities, broadcast receivers, content providers and services
2. Use a proper shell that allows you to play with the underlying Linux OS from the point of view of an unprivileged application (you will be amazed at how much you can still see)
3. Find information on installed packages with optional search filters to allow for better control
4. Built-in commands that can check application attack vectors on installed applications
5. Transfer files between the Android device and your computer
6. Create new modules to exploit your latest finding on Android, and playing with those that others have found
Mercury does all of this over the network: it does not require ADB.