Today, Mercury v2.2 is available for download. Well, it’s nearly easter, and whilst we are packing up for the long weekend we wanted to give you a little present.
We’re also giving away a free Android app (free, because it’s hopelessly riddled with security vulnerabilities) for you to download and try Mercury on.
So, what’s different? Following up on your feedback, we wanted to make Mercury more stable, and easier to use. We did that, fixed a few bugs on the way, and piled in a bunch more features to boot.
Not sure what Mercury is? Well, ok… That stings a little, but we forgive you. Mercury is the leading Android Security Assessment Framework. It allows security researchers and developers to interact with Android apps as if they were another app on the device, to search for security vulnerabilities, develop exploits and test fixes.
It was hard to pick our top three features, but here goes…
Mercury has always tried to do the typing for you – hit <TAB> and it will finish commands, module names and file paths. That was always cool, but what about all of the options that you had to pass to a module? You still had to type them out in full.
With Mercury v2.2 we can do a lot more of the typing for you. Type:
mercury> run app.activity.start --<TAB>
and Mercury responds with:
action component extra help category data-uri flags mimetype
Type f <TAB> and then hit <TAB> again:
mercury> run app.activity.start --flags ACTIVITY_BROUGHT_TO_FRONT ACTIVITY_NO_USER_ACTION ACTIVITY_CLEAR_TASK ACTIVITY_PREVIOUS_IS_TOP ACTIVITY_CLEAR_TOP ACTIVITY_REORDER_TO_FRONT ACTIVITY_CLEAR_WHEN_TASK_RESET ACTIVITY_RESET_TASK_IF_NEEDED ACTIVITY_EXCLUDE_FROM_RECENTS ACTIVITY_SINGLE_TOP ACTIVITY_FORWARD_RESULT ACTIVITY_TASK_ON_HOME ACTIVITY_LAUNCHED_FROM_HISTORY FLAG_DEBUG_LOG_RESOLUTION ACTIVITY_MULTIPLE_TASK FROM_BACKGROUND ACTIVITY_NEW_TASK GRANT_READ_URI_PERMISSION ACTIVITY_NO_ANIMATION GRANT_WRITE_URI_PERMISSION ACTIVITY_NO_HISTORY RECEIVER_REGISTERED_ONLY
The full list of what we provide suggestions for now is pretty long. Suffice to say that we can provide suggestions for just about everything you might otherwise have to look up.
Running Windows? No problem. Make sure to install pyreadline and you’ll get most of the auto-complete goodness.
As well as providing auto-complete suggestions, Mercury has always allowed you to access the last commands you typed by pressing the up arrow key. This was super, until you entered an Android shell, by typing shell or !. Then, the history got all confused, suggesting you type Mercury commands into the Linux shell, or vice-versa.
As of Mercury v2.2, we maintain separate command history for Mercury, shells and inside the interactive-Java module (auxiliary.develop.interactive). So, enter a Linux shell and we’ll offer the last Linux commands you wrote; come back to Mercury and there won’t be a Linux command in sight.
It is an odd feature of Android that if you have an open database cursor in a process that dies, your process is killed. This caused a lot of weird crashes when interacting with ContentProviders, particularly through the scanner.provider.* modules.
In Mercury v2.2 we try to work around this platform limitation, by transparently replacing the ContentResolver with an unstable ContentProviderClient.
In our testing, this has fixed the random crashes caused by other apps crashing.
Sieve is a password manager, but we wouldn’t recommend putting any real passwords in it! Sieve is riddled with security vulnerabilities for you to find with Mercury. It’s a great place to start if you are new to Mercury, to hone your skills, or just for the lulz.
You can download Sieve here.
We’ll be publishing some video walk-throughs in a couple of weeks showing how to find the vulnerabilities.
You can get it now, from the downloads page.
Please send us your feedback, questions and comments on the new version via Github. We’ll do our best to get them into the next release.
Remember, the more feedback you give us, the quicker we can compile it into cool new features, functionality and modules for Mercury.