Professional Documents
Culture Documents
none@books24x7.com
All rights reserved. Reproduction and/or distribution in whole or in part in electronic,paper or other forms
without written permission is prohibited.
Android Security: Attacks and Defenses
8.1 Introduction
Mobile device forensics is a branch of digital forensics that relates to the recovery of digital evidence or data from a mobile
device under forensically sound conditions (http://en.wikipedia.org/wiki/Mobile_device_forensics).
As discussed in Chapter 1, mobile devices today are a different beast. They are used for all kind of communications,
transactions, and tasks. The following kinds of personal information are typically found on a smartphone: contacts, photos,
calendars, notes, SMS, MMS, e-mail, browser history, GPS locations, social media information, financial data, passwords, and
so forth. You get the idea! If we have a device that is evidence in a legal investigation or needs to be analyzed for a security
investigation, it can provide a goldmine of information, provided one knows how to extract this information carefully. Our focus
in this chapter is on extracting as much information as we can, rather than "extracting under forensically correct" conditions.
The latter is a topic for a different book.
To perform forensics on Android devices, it is important to understand the Android system. We have already covered Android
architecture and the security model. In this chapter, we will walk through file system specifics (directories, files, mount points,
and file systems). We need to understand how, where, and what type of data is stored on the device, to perform the actual
extraction of useful information. Data can be stored on a file system as files, in application/system-specific formats, or in SQLite
DBs.
Let's look at various partitions on an Android device and analyze relevant ones for their directory structures. Typing "adb shell
Page 2 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
mount" (Figure 8.2) shows mounted file systems on the device, whereas typing "adb shell cat /proc/filesystems" gives us a
listing of supported file systems (see Figure 8.3). Table 8.1 shows various partitions and their descriptions.
Page 3 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Android supports quite a few file systems (based on the Linux kernel). One can obtain a list of supported file systems by typing
"cat /proc/filesystems" at the command line. As can be seen from Figure 8.3, the nodev entry next to file system indicates that
there is no physical device associated with that particular file system, thus making a nodev virtual file system. Note that Android
supports ext2, ext3, and ext4 file systems (used by Linux systems) and the vfat file system used by Windows-based systems.
Since it is targeted for mobile devices, Android supports YAFFS and YAFFS2 file systems (needed to support NAND chips used
in these devices). Table 8.2 provides more information on these file systems.
Page 4 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Let's look at the directory structure of a typical Android device. One can access the file system through the command line (adb)
or through Eclipse/DDMS (Figure 8.4). There are three main directories that are of interest to us: /system, /sdcard, and /data.
As mentioned earlier, /system holds most of the Operating System (OS) files, including system applications, libraries, fonts,
executables, and so forth. /sdcard is a soft link to the /mnt/sdcard and refers to the SD card on the device. /data directory
contains user data. More specifically, each application has an entry in /data/app/<application name>, and user data resides in
/data/data/<application_name>. On the device itself, one would not be able to access the /data folder, as it is accessible only
to the system user (as opposed to the shell user). We use an emulator to demonstrate the contents of the /data directory. Since
user data for an application resides in /data/data/<application_ name>, it is important that only that application has access to
that particular folder. This is accomplished through user permissions (each application has its own UID, and only that UID/user
has permissions to access the folder). Table 8.3 provides a summary of important files/directories on Android that an
application might interact with. We will cover the structure of the /data/data/folder later in this chapter.
Page 5 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Android provides multiple options whereby an application can save persistent data (depending on the application's needs).
Table 8.4 shows various options for storing data.
WORLD_READABLE or MODE_WORLD_WRITABLE
8.3.2 /data/data
Now that we have covered options available to an application for storing data, let's examine some real-world applications and
analyze their /data/data/ directory. We installed the Seesmic application, which allows you to connect you to multiple social
media accounts. Figure 8.5 shows subdirectories of the /data/data/com.seesmic application. The Seesmic application has
three folders: databases, libs, and shared_prefs. Accessing the /data/data directory on the device would not be possible, as
permissions are restricted to the system owner (as opposed to the shell user). One has to either root the phone or image it to
be able to obtain access to the contents of this directory.
Looking at the folder structure suggests that the application might be storing some data in SQLite databases, as well as in the
form of Shared Preferences. It might be worthwhile to investigate these files and see if we can gather more information.
Browsing to the shared_prefs directory and performing "cat" on one of the XML files, we get information used by the application
(key-value pairs). Please note Figure 8.6. One of the key-value figures defined in the file is req_token_secret, and another is
req_token. If application developers are not careful, they might store all kinds of sensitive information in here (including
passwords in plaintext).
Page 6 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Figure 8.6: Contents of One of the XML Files in the shared_prefs Folder
We have noted that there is a database folder inside data/data/com.seesmic. Browsing to the folder, we find a database named
twitter.db, indicating that the user of the device had a twitter account. Let's see if we can get details of the twitter account from
the database. This can be done through the sqlite3 command line utility. As seen from Figure 8.7, we can understand the
schema of the database and then query different tables to retrieve information.
Page 7 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
1. Determine the version of the Android OS running on your device. This can be found by going to "Settings" -> "About
Phone." This should give you the Android and kernel version details (Figure 8.8).
2. Connecting through the adb shell and executing the "ID" command should show you as a "shell" user (UID = 2000 [shell]).
3. Download Gingerbreak.apk (Figure 8.9) (given you are running Android Froyo 2.2.2, Honeycomb, Gingerbread).
5. Install Gingerbreak on the phone by executing the following command "adb install gingerbreak.apk."
6. Open the Gingerbreak application on the phone. This will install the super user application.
Page 8 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
7. Now, connect to the device using the command line (adb) and execute the su command (see Figure 8.10). You should
now be rooted on the device and be able to browse to directories such as /data/data.
Page 9 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Page 10 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
1. Download mkfs.yaffs2 and copy it onto the SD card connected to your device, through the following command:
2. Open adb shell and change to root user (su). Change the permission of /mnt/sdcard/tmp/yaffs2 file to 755
3. Create an image of the Android device by executing the command that follows. This will create data.img, which will
contain the image of the Android device
/mnt/sdcard/tmp/mkfs.yaffs2 data.img.
4. Pull data onto your workstation by using the "pull" command from adb shell
Now that you have the device image on your workstation, you can use tools such as yaffey to analyze the image (Figure 8.11),
Page 11 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
browse through different directories, review files, and so forth. Yaffey is available at the following URL:
http://code.google.com/p/yaffey/.
1. Root and image the /data partition on your phone (as shown in the previous section).
3. Browse to the SQL database of an application through yaffey and pull the application database onto your workstation (see
Figure 8.12) or execute the command below:
Page 12 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Page 13 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
1. Make sure your device is rooted (see previous sections in this chapter).
3. Input your device's IP address into the MOBLedit application (see Figure 8.15).
4. Once the application connects to your device, you can download/view information, including call data, SMS messages,
photos, and so forth (see Figure 8.16).
5. You can also download data from the MobilEdit and use the techniques described in the previous sections to do a further
analysis analysis (see Figure 8.17).
Page 14 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Page 15 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Page 16 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
Figure 8.17: Obtaining Data from the File System on the Device
Page 17 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited
Android Security: Attacks and Defenses
8.8 Summary
In this chapter, we described different file systems used by Android. We reviewed relevant partitions and mount points that
would of interest to security professionals to to analyze a device or applications. We reviewed different mechanisms through
which an application can store persistent data (databases, preferences, files, and so forth) and how to obtain and analyze
these bits. We covered steps to root an Android device (though this will be different from release to release) and how to use
third-party applications to retrieve data from Android devices.
Page 18 of 18
Reprinted for W15UW/6aau200e, Orange Groups CRC Press, Taylor & Francis Group, LLC (c) 2013, Copying Prohibited