Let’s face it: Android often gets a bad rap over security. Whilst I’m not setting out to defend the platform here, I did think it worth talking about a great tool for assessing vlunerabilities: The Mercury Security Assesment Framework from MWR labs. This great tool (to which I have no commercial links!) provides an excellent mechanism for exploring potential vulnerabilities on the Android platform.
The Mercury assessment framework consists of a server component which is an Android APK which must be installed onto the target device. Once installed, the server component can be driven from the Mercury client. The client, written in Python provides a suite of tools to examine and potentially exploit an Android device.
Mercury provides tools to discover and interact with actives, services, broadcast receivers and content providers. Which, is pretty much every component of an Android application. In addition, there is a modules section which contains a set of extension modules to perform (amongst other things) a set of known exploits and a set of scanners for things such as SQL injection vulnerabilities. If all that is not enough, you can gain shell access. The client can connect to the server via either IP of the USB cable so there is no requirement for the client to have direct access to the device.
It’s worth playing with this tool for a few hours just to see how much control an attacker could gain over your device.
Of course, all the framework will only do anything if installed onto an Android device. This can be done in several ways:
- With the users consent as part of a formal vulnerability assessment
- Forcibly injected as part of an attack (as demonstrated by MWR as demonstrated at the EuSecWest Conference).
- Embedded into another application as a Trojan
In the first of these scenarios, Mercury is a great tool in the security professional’s armoury. The second two are actually a little frightening. As with all security tools, the key question is who is using the tool…