In a recent post (http://mobileappdev.learningtree.com/2012/11/08/nfc-a-security-risk/) I mentioned the Mercury assessment framework, which is a great tool for analyzing the security of Android devices. In this post, which is intended to be the first of a series on using the Mercury framework, I’m taking a look at getting started with the framework. In future posts, I’ll show you how to use the tool to find vulnerabilities.
The Mercury framework consists of two main parts: an agent, which is installed on the device you are investigating, and the Mercury client, a Python application that runs on the machine you are running the tests from. You can run the agent on either a real device or an Android virtual device (AVD), and the client on anything that supports Python (Windows / *nix / OS-X). For this post, I’m running the agent on an AVD and using Ubuntu to run the client; the instructions are equally valid if you are using Windows and / or a real Android device.
I’m assuming that you have already got the following set up:
On Windows, there is an installer so just run that. On Ubuntu, it is very slightly more complex. You need to do the following:
sudo easy_install ./mercury-2.0.0-py2.7.egg
At this point, I got an error indicating that python.h could not be located because the Python development files were not installed. Easily fixed by installing them (sudo apt-get install python-setuptools). Then I re-ran the installation.
Once the installation is complete, check it by running the command mercury. You should see something like this:
adb install agent.apk which will install the Mercury agent onto the Android device.
The server is now up and running, waiting for us to send it a command. Just one final step to get the Android debug bridge to forward our commands:
adb forward tcp:31415 tcp:31415
mercury console connect you should get the prompt
You are now ready to start exploring with Mercury.
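A pre-flight check for the device and port-forward steps above, written in Python 3 as an added example (not part of the original post or of Mercury itself): it parses the output of adb devices and adb forward --list and reports why mercury console connect might fail. The function names and the sample adb output are constructed for illustration, and adb is assumed to be on the PATH.

```python
import subprocess

MERCURY_PORT = 31415  # port from the `adb forward` step in the post

# Constructed sample output (not captured from a real session).
SAMPLE_DEVICES = "List of devices attached\nemulator-5554\tdevice\n0123456789ABCDEF\toffline\n"
SAMPLE_FORWARDS = "emulator-5554 tcp:31415 tcp:31415\n"


def parse_devices(text):
    """Map serial -> state from `adb devices` output, skipping header lines."""
    rows = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in rows if len(p) == 2}


def parse_forwards(text):
    """Return (serial, local, remote) tuples from `adb forward --list` output."""
    rows = (line.split() for line in text.splitlines())
    return [tuple(p) for p in rows if len(p) == 3]


def check(devices_text, forwards_text, port=MERCURY_PORT):
    """Return findings; suggests `-s <serial>` when several devices are ready."""
    spec = "tcp:%d" % port
    devices = parse_devices(devices_text)
    ready = [s for s, state in devices.items() if state == "device"]
    findings = ["%s is '%s', not 'device'" % d for d in devices.items() if d[1] != "device"]
    if not ready:
        findings.append("no device or AVD in state 'device'")
    forwarded = [s for s, local, remote in parse_forwards(forwards_text)
                 if local == spec and remote == spec]
    if not any(s in ready for s in forwarded):
        cmd = "adb -s <serial> forward" if len(ready) > 1 else "adb forward"
        findings.append("no %s forward on a ready device; run: %s %s %s"
                        % (spec, cmd, spec, spec))
    return findings


def run_adb(*args):
    """Run adb (assumed to be on PATH) and return its stdout."""
    return subprocess.run(("adb",) + args, capture_output=True, text=True,
                          check=True, timeout=10).stdout


if __name__ == "__main__":
    try:
        issues = check(run_adb("devices"), run_adb("forward", "--list"))
    except (OSError, subprocess.SubprocessError):
        issues = check(SAMPLE_DEVICES, SAMPLE_FORWARDS)  # fall back to the sample
    print("\n".join(issues) if issues else "ready: run mercury console connect")
```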
Running the command
The list command gives us a list of modules we can run so let’s try that:
I’ve cropped this image but as you can see, there are a lot of commands. It’s a little intimidating, but check back for my next post where I’m going to show how to find an unprotected Content Provider. In the meantime, you can find out lots more about mobile security on Learning Tree’s new course on the topic: Mobile Application and Device Security: Hands-On