As the midpoint of the semester flies by, the Mobile App Forensics team has begun preparing our final reports. The team operates as two independent groups, each focusing on a particular application available on both the iOS App Store and the Google Play Store. So far both groups have completed an analysis of their respective app. The search for forensic artifacts has been largely successful despite minor setbacks, and we are pleased to share our findings up to this point in the process.
Our iOS team chose to investigate artifacts of potential forensic value in the game data of Pokemon Go. We began by jailbreaking the devices so that we could extract data directly from the app's files and the file system. Because the app includes security features that refuse to run on a jailbroken device, we then had to install tools that hide the jailbreak from the app. With those in place we could operate the application to its full extent and generate as much data as possible.
During data generation we took two Apple iPad Air 2 tablets out of the lab to create a varied set of geolocation data. Since the app needs a network connection to function at all, we generated data in our lab and around our main campus. We leveled up our profile until we could reach the more advanced parts of the game, then focused on gathering as much GPS data as possible, hoping to obtain location data from each aspect of the game separately.
Unfortunately, not much recoverable data was found. We suspect useful information is present but obscured by some form of encryption: several files have no recognizable file structure, neither a known header nor readable content. We can tell that the app writes to these files to record some kind of in-game activity, but we cannot determine their exact purpose.
Many of the recovered files looked like nonsense to us. Had we been able to learn more about these files, we might have been able to turn them into working artifacts. Despite this disappointment, we still found significant artifacts, including timestamps and location data that trace back to when and where we first downloaded the game and set up the user profile.
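A quick triage pass over the recovered files is the check that supports or weakens the "encrypted" suspicion above: a file with a known header gets parsed, a file that is plain text gets read, and a file that is neither, yet has near-maximal byte entropy, is consistent with encryption or compression. The following is an added example, not code from the original post or from the game; the header table, the entropy threshold and the sample files are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Known file headers worth checking first in a dump of an app's sandbox.
# Constructed table for this example; extend it with whatever your case turns up.
MAGIC = {
    b"SQLite format 3\x00": "sqlite",
    b"bplist00": "binary-plist",
    b"<?xml": "xml",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
}

# Encrypted or compressed data has close to 8 bits of entropy per byte;
# structured or textual data sits well below this. The threshold is an assumption.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Triage one recovered file: known header, plain text, high-entropy, or unknown."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "text"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "high-entropy (encrypted or compressed)"
    return "unknown"


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for an encrypted blob: a SHA-256 counter stream (constructed)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed sample files; the names are illustrative, not paths from the real app.
SAMPLES = {
    "profile.db": b"SQLite format 3\x00" + b"\x00" * 4000,
    "Info.plist": b"bplist00" + b"\x00" * 200,
    "session.log": b"2017-10-05 10:40:00 session start\n" * 20,
    "state.bin": _pseudo_random(4096),
}


def triage(files: dict) -> dict:
    """Map each file name to (classification, entropy) so an analyst can sort the dump."""
    return {name: (classify_blob(blob), round(shannon_entropy(blob), 2)) for name, blob in files.items()}


if __name__ == "__main__":
    for name, (label, ent) in triage(SAMPLES).items():
        print(f"{name:12} {ent:5.2f} bits/byte  {label}")
```

Two caveats when reading the output: high entropy alone does not distinguish encryption from compression, which is why the gzip and zip headers are checked before the entropy test, and a low-entropy file with no known header is more likely a custom binary format than ciphertext, so it deserves a hex-editor look rather than being written off as encrypted.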
Our Android team decided to look into Map My Run, the popular fitness app by Under Armour. The app lets users track their workouts using the device's GPS hardware. It records location data over time and derives average speed and pace from it. Data from this application could prove very useful in an investigation, allowing investigators to trace a detailed map of where the phone was while the app was running and collecting data.
After two separate walks around the Burlington/Champlain area, we used ADB (Android Debug Bridge) to pull data from the rooted device and analyze it. We located user information, timestamps, average speed, altitude and location data for the entirety of both walks. The same data was also present for the walk that we had deliberately deleted in the app.
We created a visual representation of this data below.
Although our analysis of Pokemon Go on iOS did not produce many tangible results, we gathered enough to indicate that there is potential for more. With a deeper understanding of how a jailbreak affects an application's files, we would be able to recover more if given the opportunity.
A significant amount of data about each exercise is obtainable from Map My Run. We were able to access accurate GPS locations and timestamps as well as detailed information about the user. We could also map the coordinates together with timestamps, altitude and time differentials to create a timeline of events.
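As an added example, not the team's tooling and not the app's actual storage layout, the following reconstructs that timeline from a database of the kind an `adb pull` of the app's private data directory might yield. The `workout` and `trackpoint` tables, the `is_deleted` flag and every row are constructed for illustration; the post does not describe the real schema. What it demonstrates is the point above: given timestamps, coordinates and altitude, distance, average speed, pace and elevation gain can be recomputed per workout, and a workout that was only soft-deleted stays recoverable and should be reported with its flag rather than filtered out.

```python
import math
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema standing in for the app's database; the real table and
# column names are not known from this write-up, so everything here is constructed.
SCHEMA = """
CREATE TABLE workout (id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT, is_deleted INTEGER DEFAULT 0);
CREATE TABLE trackpoint (workout_id INTEGER, ts INTEGER, lat REAL, lon REAL, alt REAL);  -- ts Unix s, alt m
"""

# Constructed sample: two short walks near downtown Burlington, VT. Workout 2 is
# flagged deleted but its trackpoints are still present, mirroring the finding
# that the deleted walk remained recoverable.
WORKOUTS = [(1, 42, "Lunch walk", 0), (2, 42, "Evening walk", 1)]
TRACKPOINTS = [
    (1, 1507200000, 44.4759, -73.2121, 61.0),
    (1, 1507200060, 44.4765, -73.2130, 62.5),
    (1, 1507200120, 44.4772, -73.2139, 64.0),
    (2, 1507210000, 44.4780, -73.2150, 60.0),
    (2, 1507210090, 44.4790, -73.2160, 63.0),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO workout VALUES (?, ?, ?, ?)", WORKOUTS)
    conn.executemany("INSERT INTO trackpoint VALUES (?, ?, ?, ?, ?)", TRACKPOINTS)
    conn.commit()
    return conn


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points (spherical earth)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def reconstruct(conn: sqlite3.Connection, include_deleted: bool = True) -> list:
    """Per-workout summary: distance, duration, speed, pace and elevation gain.

    Deleted workouts are reported with a flag rather than silently dropped,
    because the soft-delete flag is itself an artifact worth recording.
    """
    sql = "SELECT id, user_id, name, is_deleted FROM workout"
    if not include_deleted:
        sql += " WHERE is_deleted = 0"
    summaries = []
    for wid, uid, name, deleted in conn.execute(sql + " ORDER BY id").fetchall():
        pts = conn.execute(
            "SELECT ts, lat, lon, alt FROM trackpoint WHERE workout_id = ? ORDER BY ts", (wid,)
        ).fetchall()
        entry = {"workout_id": wid, "user_id": uid, "name": name, "deleted": bool(deleted), "points": len(pts)}
        if not pts:  # a workout row with no trackpoints is still reported
            summaries.append(entry)
            continue
        dist = sum(haversine_m(pts[i - 1][1], pts[i - 1][2], pts[i][1], pts[i][2]) for i in range(1, len(pts)))
        secs = pts[-1][0] - pts[0][0]
        gain = sum(max(0.0, pts[i][3] - pts[i - 1][3]) for i in range(1, len(pts)))
        entry.update(
            start_utc=_utc(pts[0][0]),
            end_utc=_utc(pts[-1][0]),
            distance_m=round(dist, 1),
            duration_s=secs,
            avg_speed_mps=round(dist / secs, 2) if secs else 0.0,
            pace_min_per_km=round((secs / 60) / (dist / 1000), 2) if dist else 0.0,
            elevation_gain_m=round(gain, 1),
        )
        summaries.append(entry)
    return summaries


def timeline(conn: sqlite3.Connection) -> list:
    """Chronological start/end events across all workouts, deleted ones included."""
    events = []
    for s in reconstruct(conn):
        if s["points"]:
            tag = " (deleted in app)" if s["deleted"] else ""
            events.append((s["start_utc"], f"workout {s['workout_id']} start{tag}"))
            events.append((s["end_utc"], f"workout {s['workout_id']} end{tag}"))
    return sorted(events)


if __name__ == "__main__":
    db = build_sample_db()
    for summary in reconstruct(db):
        print(summary)
    for when, what in timeline(db):
        print(when, what)
```

Recomputing speed and pace from the raw trackpoints, rather than trusting the app's stored averages, gives the investigator a value that can be checked against the device's own figures; a mismatch between the two is itself worth noting in the report.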