Hack an Android App: Finding Forensic Artifacts
In this Android tutorial, you’ll learn the basics of forensic analysis by hacking into devices and extracting data from private files and databases. By Kolin Stürt.
Contents
- Getting Started
- Extracting Data From a Real Device
- Examining Installed Apps on a Device
- Extracting Data From a Package
- Extracting Data From the Emulator
- Examining SharedPreferences
- Examining Other Files
- Analyzing Databases
- Recovering Deleted Data
- Reverse Engineering
- Understanding Bytecode
- Using Reverse Engineering Tools
- Obfuscating Code
- Working With Locked Devices
- Rooting and Unlocking the Bootloader
- Bypassing the Lock Screen
- Where to Go From Here?
Bypassing the Lock Screen
Another way to hack an Android device is to bypass the lock screen. Users often secure their devices with a pattern, a PIN or a Smart Lock such as a trusted face.
- Android stores pattern locks at /data/system/gesture.key.
- The OS hashes PINs and passwords and stores the result at /data/system/password.key.
- Android salts those hashes and stores them at /data/system/locksettings.db.
Tools such as andriller and androidpatternlock attempt to crack these files.
While you don’t want to alter evidence, on some devices you can bypass the lock screen by deleting the files. You can also experiment with LiME to extract passwords and keys from memory.
Where to Go From Here?
Congratulations! You’ve scratched the surface of what it’s like to hack an Android app using forensic analysis. :]
To learn how to secure that data, continue on to the Encryption Tutorial For Android and App Hardening Tutorial For Android.
Code protection tools like DexGuard offer obfuscation and encrypt the classes and strings as well as assets and resource files. DexGuard also provides app integrity checking which is important for keeping malicious users out of your app.
Reverse engineers also look at the data an app sends and receives over the network to understand how the app works. To learn about how that works and how to secure that data, see the Securing Network Data tutorial.
For a deeper dive into advanced forensic techniques:
- Read about JTAG and Chip-off methods.
- See the open source digital forensics platform, Autopsy.
- Check out Santoku Linux's mobile and malware forensics information.
If you’re interested in professional reverse engineering, some popular commercial products are:
- IDA Pro: You can disassemble and debug Dalvik code since IDA Pro v6.1. IDA works well because of its scripting support and because its graph view unwinds the control flow of the app. People also write many scripts to help unwind obfuscated code.
- JEB: JEB can understand ARM and ELF formats. It has a powerful UI for both Dalvik and native code.
Last but not least, check out Drozer. It allows you to assume the role of an Android app and interact with other apps. One of the modules in Drozer, app.package.manifest, will parse the manifest file and display it on-screen.
If you have any questions, feel free to ask in the discussion below.