Mobile App Forensics: Second App Completion

Introduction

As we near the end of the academic semester, the mobile app forensics team has begun completing reports on our second round of mobile application analysis. Our team operates in two independent groups, each focusing on a specific app exclusive to the iOS or Android app stores, as well as a second app that is available for download on both platforms. This round of analysis has been largely successful and we are very pleased with our findings for these new apps.

Analysis: iOS

Stemming from the Android team’s investigation of MapMyRun, the iOS team decided to delve into it to see if any artifacts would duplicate themselves, or if we would find new ones within the different operating system. We used two devices – one jailbroken, the other not – to see if jailbreaking the device had any effect on the data we could collect. The only additional step we needed to take was to download an application that would allow us to use Location Services with our jailbroken device so it could track our movements in the app, ensuring that geolocational data such as distance and coordinate pinpoints would be tracked by the devices. As an additional task, we chose to see how much data could be found that connected MapMyRun with MyFitnessPal; these apps work together to allow a user to stay on top of their health and daily workouts. We realized there was a potential for forensic artifacts that could be created from communication between the two applications.

Our data generation began by creating two user profiles which would be used for both applications. We each found the other profile and began sending data through status updates and comments to each other. Next, we added basic information to our profile such as weight, height, and a profile picture. We also entered a test meal log for the day to see if any of these items were recorded and saved locally by the app. Our team took the devices around Champlain College’s main campus again, staying within the range of our campus-wide Wi-Fi to minimize data loss.

Figure 1: Account information displayed in Data.log.

What we found was truly incredible. After a week or so of analyzing our collected data, we were comfortable with what we had found: various databases contained our account information and locational data, all of which had been found by the Android team in their investigation earlier this semester. We then stumbled upon a seemingly normal log file, named Data.log, within a documents folder in the extracted file system. This log contained a lot of data: alongside much of what we had already encountered, we found evidence of our account’s associated email, username, password, and other provided information stored in plain text with timestamps. An example of the Data.log entry is shown above in Figure 1. In this file we also found records of the device running the app, as well as the version of the software that device was running and its current version, shown below in Figure 2.

Figure 2: Device and version information displayed in Data.log.

The above image shows plaintext notification data from when the two accounts friended each other; it also shows that user’s ID. We showed these findings to the Android team, who then re-evaluated the data from their investigation; they were unable to find a similar Data.log file on their Android system.

Figure 3: Log of accepting friend request.

We see this as having the potential to be a major forensics artifact that can be used to help law enforcement locate a victim by allowing them to gain access to the user’s account, or could pose a more serious privacy issue, allowing an attacker to easily gain access to a person’s account and learn their routine or popular workout spot.
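The Data.log finding above suggests a check that can be run over any extracted app container: search text-like files for credential-style key/value pairs and report them with the values redacted. The following is an added example, not code from the original analysis; the key names, file suffixes and sample log lines are assumptions, since the post does not give the real Data.log format.

```python
import re
from pathlib import Path

# Key names that suggest account data; the real Data.log field names are not
# given in the post, so this list is an assumption.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "email", "username", "token")

# Matches key=value, key: value and "key": "value" (JSON-style) pairs.
PAIR_RE = re.compile(
    r'["\']?(?P<key>[A-Za-z_]+)["\']?\s*[:=]\s*["\']?(?P<value>[^"\',;\s}]+)'
)

def redact(value):
    """Keep the first character and the length so the report does not re-leak the secret."""
    return value[0] + "*" * (len(value) - 1) if value else ""

def scan_text(text, source="<memory>"):
    """Return (source, line_no, key, redacted_value) for each sensitive pair found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAIR_RE.finditer(line):
            key = m.group("key").lower()
            if any(s in key for s in SENSITIVE_KEYS):
                findings.append((source, line_no, key, redact(m.group("value"))))
    return findings

def scan_tree(root, suffixes=(".log", ".txt", ".plist", ".json")):
    """Walk an extracted app container and scan every text-like file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample lines (not taken from the app's real Data.log).
SAMPLE_LOG = """\
2016-04-01 10:15:02 INFO login request email=runner@example.com password=Tr0ub4dor
2016-04-01 10:15:03 INFO device model=iPhone6 os_version=9.2
2016-04-01 10:15:04 DEBUG {"username": "runner01", "session_token": "abc123"}
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG, "Data.log"):
        print(finding)
```

Binary property lists and SQLite databases need their own parsers before a scan like this applies to them.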

Analysis: Android

The Android group decided to focus on analysing artifacts created by the popular walkie-talkie app, Voxer. Voxer can be used as a simple instant messaging application similar to Facebook Messenger or WhatsApp; however, its unique feature is the ability to send audio at the push of a button. Artifacts created by Voxer could be highly pertinent to an investigation, as they could provide detailed information on conversations between individuals and their exact location at the time of the conversation.

To generate data, we created two Voxer accounts and exchanged messages over the course of a couple of hours. We participated in this data generation from multiple locations as a way to test the application’s geolocation feature. We sent text, images, and several voice recordings to each device.

After pulling the data using ADB (Android Debug Bridge), we were able to find our chat history in its entirety along with user information for the active account.

Figure 4: Chat history locally stored by Voxer.

While we were able to locate the audio files that were sent, we were unable to play them. The files were created with a ‘.0’ extension and weren’t recognizable by any media player even after changing the file extension.
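Renaming a file does not change its contents, so files like these are better triaged by their leading bytes and byte distribution than by extension. The following is an added example, not part of the original analysis; the signature list is a small selection of common audio containers, and the 7.5 bits-per-byte threshold and the test blobs are assumptions.

```python
import math
from collections import Counter

# (offset, magic bytes, label) for common audio containers.
SIGNATURES = [
    (0, b"OggS", "Ogg (Vorbis/Opus/Speex)"),
    (0, b"#!AMR", "AMR speech"),
    (0, b"fLaC", "FLAC"),
    (0, b"ID3", "MP3 with ID3v2 tag"),
    (0, b"caff", "Apple Core Audio Format"),
    (4, b"ftyp", "ISO base media (MP4/M4A/3GP)"),
]

def identify(data):
    """Return a container label from the leading bytes, or None if unrecognised."""
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "RIFF/WAVE"
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    # Raw MPEG audio frame: 11 sync bits set (0xFF followed by 0b111xxxxx).
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "MPEG audio frame (no tag)"
    return None

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data):
    """Classify a blob as a known container, opaque high-entropy data, or other."""
    label = identify(data)
    if label:
        return label
    if shannon_entropy(data) > 7.5:
        # Compressed and encrypted payloads both look like this; entropy alone
        # cannot tell them apart.
        return "unknown: high entropy (encrypted or headerless compressed)"
    return "unknown: low entropy (structured or padded data)"

# Constructed test blobs, not real Voxer files.
WAV_HEADER = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt "
UNIFORM = bytes(range(256)) * 16  # every byte value equally often
```

A blob with no recognised header and near-maximal entropy still documents that audio was exchanged, even when its payload cannot be decoded.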

GPS coordinates were also found for each and every message (from both devices) sent between the two accounts. This is interesting as we were able to locate the GPS coordinates of one device using the data pulled from the other.  

Figure 5: Geolocation data for each message sent between devices.

Figure 6: A map of gathered GPS information. Locations pictured: Miller Information Commons (A); SD Ireland Family Center (B); IDX Student Life Center (C); South Union Street (D).

Conclusion

The results from our analysis of MapMyRun and MyFitnessPal provided us with a wealth of artifacts and we are extremely happy to get to share them here. There is much more that we found from our examination that couldn’t make it into this blog post, so stay tuned for our final report for the complete presentation of findings!

After analysing Voxer artifacts we were able to find a large amount of information which could prove valuable to a future forensics investigation. While we couldn’t decrypt the audio files, they could still be relevant in an investigation to prove that an audio snippet had been sent or received, similar to the way that phone records are used in investigations.

Thank you for following our Mobile App Forensics blog! As always, if you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or email us at lcdi@champlain.edu.