Hack an Android App: Finding Forensic Artifacts

In this Android tutorial, you’ll learn the basics of forensic analysis by hacking into devices and extracting data from private files and databases. By Kolin Stürt.

Leave a rating/review
Download materials
Save for later
Share
You are currently viewing page 4 of 4 of this article. Click here to view the first page.

Bypassing the Lock Screen

Another way to hack an Android device is to bypass the lock screen. Users often use a pattern, pin or a Smart Lock such as a trusted face to secure their devices.

  • Android stores pattern locks at /data/system/gesture.key.
  • The OS hashes pin and passwords at /data/system/password.key.
  • Android salts those hashes and stores them at /data/system/locksettings.db.

Tools such as andriller and androidpatternlock attempt to crack these files.

While you don’t want to alter evidence, on some devices you can bypass the lock screen by deleting the files. You can also experiment with LiME to extract passwords and keys from memory.

Where to Go From Here?

Congratulations! You’ve scratched the surface of what it’s like to hack an Android app using forensic analysis. :]

To learn how to secure that data, continue on to the Encryption Tutorial For Android and App Hardening Tutorial For Android.

Code protection tools like DexGuard offer obfuscation and encrypt the classes and strings as well as assets and resource files. DexGuard also provides app integrity checking which is important for keeping malicious users out of your app.

Reverse engineers also look at the data an app sends and receives over the network to understand how the app works. To learn about how that works and how to secure that data, see the Securing Network Data tutorial.

For a deeper dive into advanced forensic techniques:

If you’re interested in professional reverse engineering, some popular commercial products are:

  • IDA Pro: You can disassemble and debug Dalvik code since IDA Pro v6.1. IDA works well because of its support for scripting and because it has a graph view which unwinds the flow of the app. There are also lots of scripts people write to assist in unwinding obfuscated code.
  • JEB: JEB can understand ARM and ELF formats. It has a powerful UI for both Dalvik and native code.

Last but not least, check out Drozer. It allows you to assume the role of an Android app and interact with other apps. One of the modules in Drozer, app.package.manifest, will parse the manifest file and display it on-screen.

If you have any questions, feel free to ask in the discussion below.

Kolin Stürt

Contributors

Kolin Stürt

Author

Ryan Burns

Tech Editor

Sandra Grauschopf

Editor

Adriana Kutenko

Illustrator

Vijay Sharma

Final Pass Editor

Eric Soto

Team Lead

Over 300 content creators. Join our team.