[Android Tool] Replace Outdated Drozer when Possible

[righettod]

PR closes #1839

• Your contribution is written in the 2nd person (e.g. you)
• Your contribution is written in an active present form for as much as possible.
• You have made sure that the reference section is up to date (e.g. please add sources you have used, make sure that the references to MITRE/MASVS/etc. are up to date)
• Your contribution has proper formatted markdown and/or code
• Any references to website have been formatted as [TEXT](URL “NAME”)
• You verified/tested the effectiveness of your contribution (e.g.: is the code really an effective remediation? Please verify it works!)

[righettod]

Failure of check links are not related to the PR 😢

[righettod]

Now Drozer is only present in the following documents and the usage described of it is consistant in terms of usage:

I propose to handle these documents in a next PR in order to move, step by step, and keep the guide consistant in terms of tools used to prevent switching inside the same test phase.

[righettod]

Thanks for the info, I will do it coming weekend and push a commit in the feature branch

[cpholguera]

First round review done ;) Please also consider the comment I've sent before that is not included in this review. Thanks!

[righettod]

Thanks a lot, I will work on it coming weekend and push commit in a the feature branch.

[cpholguera]

Awesome! Thanks 😌

[righettod]

@cpholguera : Update pushed in the feature branch and status described here.

[righettod]

Hi @cpholguera and @TheDauntless
Did I need to fix or change something?
Thanks in advance 😃

[righettod]

Hi @cpholguera and @TheDauntless

Any news?

Thanks a lot in advance 😃

[cpholguera]

hi @righettod, we were very busy with the new release:

https://github.com/OWASP/owasp-masvs/releases/tag/v1.3

We'll get back to you as soon as we can. Sorry for the wait. Have a great day!

[righettod]

Hi @cpholguera ,
Ha ok I apologize for my message, I was not aware of the coming release.
Congratulations 💯
Do not worry with my PR, take the time you need 😃
Have a nice day too!

[righettod]

Hi @cpholguera and @TheDauntless ,

Any news about this PR?

No stress at all, i'm just asking in case of you are waiting on a action on my side 😃

[cpholguera]

Hi @righettod we're very sorry that we cannot give any feedback yet. We're still dealing with a lot of things regarding the next big steps for both MASVS and MSTG so we cannot really address any PRs yet. we'll let you know as soon as we manage to go back to normal. Thanks again for your patience!

[righettod]

Hi @cpholguera ,

No stress at all, as said, it was just to know if you are waiting any action on my side.

Take the time you need, no stress at all once again 😃

Thank a lot for all your work on MSTG and MASVS, the team rocks!!!!! ❤️ ❤️ ❤️ ❤️

[TheDauntless]

We definitely want to replace Drozer wherever possible with adb comments. Drozer is outdated and the added value is super limited.

The one place where I do see added value is when you're trying to attack the system; Using Drozer it's possible to scan which applications have requested a specific permission and which of those applications are system applications. I think that's currently not easily possible through adb comments, but some more research may need to be done here.

We will probably be doing some heavy refactoring in the near future, but we should try to merge your PR before we do that, as it fully aligns with our goals.

[righettod]

@cpholguera @TheDauntless Thank you very much for your feedback.

[cpholguera]

Hi @righettod, we're very sorry for the delay and hope that you're aware of our situation and everything that's going on in the project. I finally could take some time today to do the final review. If you agree with the suggestions please apply them directly and we can merge ;)

[cpholguera]

We already wrote above about this. In this section we only focus on testing and interpreting results.

Suggested change

	When doing the dynamic analysis: validate whether the permission requested by the app is actually necessary for the app. For instance: a single-player game that requires access to `android.permission.WRITE_SMS`, might not be a good idea.
	To obtain detail about a specific permission you can refer to the [Android Documentation](https://developer.android.com/reference/android/Manifest.permission "Android Permissions").

[righettod]

Suggestion accepted 😃

[righettod]

@cpholguera You will never need to apologize with me, I know the both sides of the life of an OWASP PL (moreover with a flagship one like the MSTG) and the heavy load implied on spare times. I have accepted and committed all your proposal 😃

Thank a lot again for your amazing work on this project as well as your support on this PR ❤️

Links validation failure does not seem to come from my PR 😢

[cpholguera]

Thanks for the quick response and for the nice words ☺️ It's also an honor to have such great contributors as you. Thanks a lot for your support!