Application reverse engineering
The vast majority of Android applications are written in Java (the compiled form that ships on the device is Dalvik bytecode, not Java class files, which is why a decompiler is needed to get readable Java back). To truly reverse engineer Java code, one should generally be able to write Java code first, and teaching Java is well beyond the scope of this book. We will, however, show a few reversing methods that are useful and can be carried out by an average mobile forensic examiner. Many hundreds of tutorials and guides on Android reversing have been written online, from the very basic to the highly advanced.
Anyone looking for more information on the subject should easily be able to find what they are looking for. As always, www.xda-developers.com is an incredibly useful resource, and entire books have been dedicated to the subject. There is also an incredibly detailed, regularly updated list of tools by Ashish Bhatia that can be found at https://github.com/ashishb/android-security-awesome.
Obtaining the application's APK file
Applications are installed from .apk files. The APK file for an app remains on the device after the application is installed (and is removed when the app is uninstalled). The APK contains the app's compiled code (a classes.dex file of Dalvik bytecode built from the Java source), the icons, fonts and other resources used in the app, and an AndroidManifest.xml file that declares the app's components and the permissions the application requests.
The APK file for applications that are installed through Google Play can be found in the /data/app directory. A more reliable way to find the APK location is the adb shell pm path <package_name> command, which prints the full on-device path of each APK that makes up the package. The APK file for preinstalled system applications (which cannot be deleted without root) can be found in /system/app, and privileged system apps in /system/priv-app. Under /data/app, the APK is stored in a directory named after its package name followed by a dash and a number. For example, the package name for Kik is kik.android, so its APK in /data/app is stored under kik.android-1. Newer Android releases replace the number with a random suffix, so rather than guessing the directory, use pm path to obtain it.
Here is the list of APK directories in /data/app for the device we tested (screenshot not reproduced here). Note that every application we tested has an APK directory here, as do many apps that we did not look at.
Obtaining the APK file is as simple as using the adb pull command. To pull the Kik APK, we will use the following command:
adb pull /data/app/kik.android-1
This should pull a lib directory and a base.apk file into the current directory the command was run from. On a device that is not rooted, the adb shell user cannot list /data/app itself, but the base.apk reported by pm path is world-readable and can be pulled by its full path. Apps distributed as split APKs produce several files (base.apk plus split_*.apk), and pm path prints one line for each; pull all of them. As with any acquisition, hash the pulled files as soon as they are on the workstation.
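The acquisition steps above, wrapped in a small Python helper (an added example, not code from the book or from the adb project): it runs pm path, collects every APK path the package consists of (one per line for split APKs), pulls each one with adb, and records its SHA-256 hash. The adb binary is assumed to be on the PATH, and SAMPLE_PM_PATH_OUTPUT is constructed sample output used only to exercise the parser offline.

```python
import hashlib
import subprocess
from pathlib import Path


def parse_pm_path(output: str) -> list:
    """Turn the output of `adb shell pm path <pkg>` into a list of on-device APK paths.

    Each line looks like `package:/data/app/kik.android-1/base.apk`. Apps shipped
    as split APKs print one such line per split, and Windows adb builds may end
    lines with \\r\\n, so every line is stripped before the prefix is removed.
    """
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            paths.append(line[len("package:"):])
    return paths


def sha256_of(path: Path) -> str:
    """Hash a pulled file in chunks so large APKs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def pull_package(package: str, dest: Path, adb: str = "adb") -> dict:
    """Locate every APK of `package` with pm path, pull each into dest/<package>/
    and return {local_path: sha256}. Requires a connected device with USB debugging
    enabled; the files themselves are readable without root."""
    proc = subprocess.run([adb, "shell", "pm", "path", package],
                          check=True, capture_output=True, text=True)
    remote_paths = parse_pm_path(proc.stdout)
    if not remote_paths:
        raise RuntimeError("%s is not installed (pm path printed nothing)" % package)
    target = dest / package
    target.mkdir(parents=True, exist_ok=True)
    hashes = {}
    for remote in remote_paths:
        local = target / Path(remote).name   # base.apk, split_config.arm64_v8a.apk, ...
        subprocess.run([adb, "pull", remote, str(local)], check=True)
        hashes[local] = sha256_of(local)
    return hashes


# Constructed sample: what pm path prints for a package made of two split APKs.
SAMPLE_PM_PATH_OUTPUT = (
    "package:/data/app/kik.android-1/base.apk\r\n"
    "package:/data/app/kik.android-1/split_config.arm64_v8a.apk\r\n"
)

if __name__ == "__main__":
    # Offline demonstration of the parser; pull_package() needs a real device.
    print(parse_pm_path(SAMPLE_PM_PATH_OUTPUT))
```

Because the helper records a hash per file at pull time, the examiner has a value to compare against later copies or against the hash of the same APK obtained from Google Play.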
Disassembling an APK file
For starters, the APK file is actually just a ZIP archive. Renaming the extension to .zip will allow an examiner to open the container and browse the files contained in it:
However, AndroidManifest.xml (and the other XML resources) will not be readable this way: during the build, the manifest is compiled into Android's binary XML format, so it has to be decoded before it can be viewed. There are many tools and methods to fully disassemble the APK, and these can be found in the list we linked to above. Our personal favorite tool, though, is one that allows you to simply right-click on the APK and disassemble it (Windows only). The APK_OneClick tool can be found at http://forum.xda-developers.com/showthread.php?t=873466.
The Java Runtime Environment (JRE) will have to be installed. It can be found at http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html.
Once the tool and the JRE have been installed, an examiner can simply right-click on the APK and select Disassemble APK and Decode Resources:
A pop-up window will appear to show the progress and will disappear if no problems are encountered:
If the disassembly ended successfully, there will now be a folder called base-disasm in the same directory as the APK. Browsing the directory will show many of the same files and folders we saw when the APK was renamed to a .zip file:
Determining an application's permissions
Knowing what an app has permission to do can be very useful for an examiner. For starters, it can help narrow down where data is stored: an app without permission to write to the SD card, for example, will not store any data there. One of the most commonly heard defenses when a suspect is caught with illicit material is that the suspect has no idea how it got there and it must have been placed there by a virus. If he claims a particular app put that data on his SD card, an examiner can show that the app could not have done so because it never requested permission to write to the SD card. Two caveats apply: the manifest lists the permissions an app requests, which on Android 6.0 and later are granted or denied individually at runtime, so a permission in the manifest is the ceiling of what the app could do, not proof that it was used; and permissions do not stop a file from being placed there by some other app or over USB. These are just a few basic examples, but again, this is very basic reverse engineering!
The AndroidManifest.xml file from the disassembled APK discussed earlier will contain the app's permissions as <uses-permission> elements. These correspond to what the user is shown and has to approve when installing the app on Android versions before 6.0 (later versions prompt for the dangerous ones at runtime):
For the specifics of what each permission allows the app to do, Google maintains a list at http://developer.android.com/reference/android/Manifest.permission.html.
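The reason the manifest is unreadable straight out of the ZIP, and a quick way to triage permissions without the Windows-only tool, both come down to the binary XML format. The example below (added here; it is not code from the book or from the APK_OneClick tool) reads the compiled manifest's string pool, which Android stores as a header followed by offset table and UTF-16 or UTF-8 strings, and filters it for permission names. It only looks at the string pool, so it cannot tell a permission the app requests from one it defines; for that, a full decoder such as apktool or aapt is still needed. The build_* helpers and SAMPLE_STRINGS are constructed sample data so the parser can be exercised offline.

```python
import io
import struct
import zipfile

RES_XML_TYPE = 0x0003          # ResXMLTree_header.type
RES_STRING_POOL_TYPE = 0x0001  # ResStringPool_header.type
UTF8_FLAG = 1 << 8             # ResStringPool_header.flags: strings are UTF-8, not UTF-16


def _utf8_length(data: bytes, pos: int):
    """Read one AXML UTF-8 length field (1 byte, or 2 if the high bit is set)."""
    n = data[pos]
    pos += 1
    if n & 0x80:
        n = ((n & 0x7F) << 8) | data[pos]
        pos += 1
    return pos, n


def read_string_pool(axml: bytes) -> list:
    """Return every string in the string pool of a compiled (binary) AndroidManifest.xml.

    Layout: an 8-byte ResXMLTree header, then a ResStringPool chunk whose 28-byte
    header is followed by `count` uint32 string offsets and then the string data.
    """
    if len(axml) < 36 or struct.unpack_from("<H", axml, 0)[0] != RES_XML_TYPE:
        raise ValueError("not a binary Android XML file (plain-text XML needs no decoding)")
    pool = 8
    (ctype, hsize, _csize, count, _styles, flags,
     strings_start, _styles_start) = struct.unpack_from("<HHIIIIII", axml, pool)
    if ctype != RES_STRING_POOL_TYPE:
        raise ValueError("string pool chunk not found where expected")
    offsets = struct.unpack_from("<%dI" % count, axml, pool + hsize)
    base = pool + strings_start
    strings = []
    for off in offsets:
        p = base + off
        if flags & UTF8_FLAG:
            p, _chars = _utf8_length(axml, p)      # UTF-16 code-unit count, unused here
            p, nbytes = _utf8_length(axml, p)      # byte length of the UTF-8 data
            strings.append(axml[p:p + nbytes].decode("utf-8", "replace"))
        else:
            n = struct.unpack_from("<H", axml, p)[0]
            p += 2
            if n & 0x8000:                          # long string: length spans two uint16s
                n = ((n & 0x7FFF) << 16) | struct.unpack_from("<H", axml, p)[0]
                p += 2
            strings.append(axml[p:p + 2 * n].decode("utf-16-le", "replace"))
    return strings


def manifest_permissions(apk) -> list:
    """Triage helper: permission names present in the APK's manifest string pool.

    `apk` is a path or a file-like object. Does not distinguish <uses-permission>
    (requested) from <permission> (defined by the app itself).
    """
    with zipfile.ZipFile(apk) as z:
        axml = z.read("AndroidManifest.xml")
    return sorted(s for s in read_string_pool(axml) if ".permission." in s)


# --- constructed sample data so the helpers above can be exercised offline ---------

def build_axml_sample(strings, utf8: bool = False) -> bytes:
    """Construct a minimal binary XML blob (file header + string pool only).
    Test data only; assumes ASCII strings shorter than 128 characters."""
    blob = bytearray()
    offsets = []
    for s in strings:
        offsets.append(len(blob))
        if utf8:
            b = s.encode("utf-8")
            blob += bytes([len(s), len(b)]) + b + b"\x00"
        else:
            u = s.encode("utf-16-le")
            blob += struct.pack("<H", len(u) // 2) + u + b"\x00\x00"
    while len(blob) % 4:
        blob += b"\x00"
    hsize = 28
    strings_start = hsize + 4 * len(offsets)
    pool = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, hsize, strings_start + len(blob),
                       len(offsets), 0, UTF8_FLAG if utf8 else 0, strings_start, 0)
    pool += struct.pack("<%dI" % len(offsets), *offsets) + bytes(blob)
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool


def build_apk_sample(axml: bytes) -> io.BytesIO:
    """Wrap a manifest blob in an in-memory ZIP so manifest_permissions() can read it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", axml)
    buf.seek(0)
    return buf


SAMPLE_STRINGS = [  # constructed; a real pool also holds attribute and tag names
    "manifest", "uses-permission", "kik.android",
    "android.permission.INTERNET", "android.permission.WRITE_EXTERNAL_STORAGE",
]

if __name__ == "__main__":
    print(manifest_permissions(build_apk_sample(build_axml_sample(SAMPLE_STRINGS))))
```

Pointing manifest_permissions() at a pulled base.apk gives the same list of permission names that the decoded manifest shows, which is enough for the "could this app have written to the SD card" question; the split APKs of a package carry their own (usually empty) manifests, so the base.apk is the one to inspect.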
Viewing the application's code
To view the application's code using the APK_OneClick tool, simply right-click on the APK and select Browse Java Code of APK. Again, a window will pop up temporarily showing progress and will disappear if no errors are encountered. Once it completes, a Java Decompiler window will appear, allowing the examiner to browse through the Java code as follows:
Keep in mind that this Java is reconstructed from the Dalvik bytecode rather than being the developer's original source, and that apps built with an obfuscator such as ProGuard will show meaningless class and method names (a, b, c, and so on), which makes the code harder, though not impossible, to follow.