# 3.4 Attack surface

### AT THE BEGINNING

*within drozer shell:*

```
run app.package.attacksurface com.x.x.x
```

### INFO

{% hint style="info" %}

* The command above lists:
  * *Activities*
  * *ContentProvider*
  * *BroadcastReceiver*
  * *Services*
    {% endhint %}

### THINGS TO REPORT

{% hint style="danger" %}

* If "**is debuggable**" output shows up \
  (allows attaching a debugger to a process, using *adb*, and stepping through the code)
  {% endhint %}

### MORE DETAILS

* [How to use drozer ](http://showmeshell.top/2018/09/28/How-to-use-drozer/)(translation needed)
* [Using drozer for application security assessment](https://mobiletools.mwrinfosecurity.com/Using-Drozer-for-application-security-assessments/)
* [Android app hacking w/ drozer](https://cyberincision.com/2017/09/13/android-app-hacking-with-drozer-usage/)