Mobile App Forensics: Final Blog Update


Introduction:

The LCDI’s Mobile App Forensics team is wrapping up the academic semester, but that doesn’t mean we’ve run out of things to show you. Over the past fifteen weeks, we have analyzed five applications from the Android and iOS marketplaces. With both major successes and some disappointing failures, we as a team are confident that we have not only learned a lot from these applications but have also found enough within them to say the time we spent on this was very worthwhile. We’d like to give you a taste of some of our findings as we prepare to roll out the fully detailed reports on each of our apps.

iOS Artifacts:

Our iOS team completed the analysis of two applications available on both app stores, Pokemon GO and MapMyRun/MyFitnessPal. For both applications, we used one jailbroken iPad Air 2 and one that was not jailbroken, in order to see whether the data we retrieved would be affected by jailbreaking the device. In order to use the Location Services feature to track our GPS coordinates for both applications on the jailbroken device, we had to download one additional application from the Cydia marketplace.
Our analysis of Pokemon GO yielded few artifacts that we considered noteworthy. Instead, from the information we gathered, we came to the conclusion that the data collected by Pokemon GO is obfuscated in order to protect user privacy while playing the game.

image-1

image-2

The one major artifact that we recovered was a set of timestamps and GPS coordinates that trace back to when we first created the user profile on the jailbroken device. We were unable to determine whether these values were created by the app itself or by the location services assistance application we downloaded to make the game work, but this still proved that something had the capability of tracking and recording our location.
We had significantly more luck with our analysis of MapMyRun and MyFitnessPal.

image-3 image-4

These apps yielded a plethora of artifacts, most of which were found in not one but two places on the file systems of our devices. The most stunning find of all was the data in a single log file named Data.log. Data.log contained plaintext user info, from the email address the account was registered with and its password to detailed information about the device the apps were running on. The above images reflect just some of the data we collected from this log.

Android Artifacts:

Our Android team focused on three apps available on the Google Play Store. The analyzed apps were Tinder, Map My Run, and Voxer. For data generation and analysis, we used a Nexus 6P and a Nexus 7. Both devices had TWRP installed and were rooted in order to grant superuser access.

In order to generate data for the Tinder application, we created two accounts of opposite gender and set each account's age to 80 years old. Our separate accounts were matched rather quickly and we began sending messages back and forth. After we completed our data generation we analyzed the data and found numerous databases containing every single message that was sent or received, location data, all personal profile information, and cached images of other Tinder users.

For the Voxer application, we created two accounts and communicated back and forth over the course of a couple of hours. We sent these communications from multiple locations in order to test the geolocation feature of the application. We sent voice messages, text, and various images. After analyzing the data we were able to locate all of the messages, including voice and image links. However, the audio files were encrypted/obfuscated and we were not able to play them back successfully.

image-5 image-6

The last application we analyzed was Map My Run by Under Armour. The Android team created an account and used the app to record two separate walks around the general Burlington area. In the application’s databases we found every bit of location data the application stored. In addition to location data, we were able to recover average pace, altitude, and timestamps for both recordings.
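The Tinder and Map My Run findings above both came out of the apps' SQLite databases. As an added example (not code from the LCDI project), the following Python script shows the kind of first-pass triage an examiner can run over an unknown app database before reading its schema: it walks every table, flags values that look like Unix epoch timestamps (seconds or milliseconds), latitude/longitude columns, or email addresses, and renders the timestamps as UTC so they can be lined up with the data-generation timeline. The in-memory sample database and its table and column names are constructed for the example and are not the real Tinder or Map My Run schemas.

```python
"""Triage an unknown mobile-app SQLite database for forensic artifacts.

Added example, not code from the LCDI project. The sample database built in
build_sample_db() is constructed for this example; its table and column
names are assumptions, not any real app's schema.
"""
import re
import sqlite3
from datetime import datetime, timezone

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Plausible epoch windows: 2005-01-01 .. 2030-01-01 in seconds and milliseconds.
EPOCH_S = (1104537600, 1893456000)
EPOCH_MS = (EPOCH_S[0] * 1000, EPOCH_S[1] * 1000)


def epoch_to_utc(value):
    """Return an ISO-8601 UTC string if value is a plausible epoch, else None."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    if EPOCH_MS[0] <= value <= EPOCH_MS[1]:
        value = value / 1000.0          # millisecond epoch, as many Android apps store
    elif not (EPOCH_S[0] <= value <= EPOCH_S[1]):
        return None
    return datetime.fromtimestamp(value, tz=timezone.utc).isoformat()


def looks_like_latlon(name, value):
    """True for a numeric column whose name and value range suggest a coordinate.

    Heuristic only: a column named e.g. 'platform' with a small number would
    also match, so confirm hits against the schema.
    """
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    n = name.lower()
    if "lat" in n:
        return -90.0 <= value <= 90.0
    if "lon" in n or "lng" in n:
        return -180.0 <= value <= 180.0
    return False


def triage_sqlite(conn):
    """Walk every user table and return (table, column, kind, value) hits.

    kind is 'timestamp', 'coordinate' or 'email'; timestamp hits carry the
    converted UTC string rather than the raw integer.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cur = conn.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        for row in cur:
            for col, val in zip(cols, row):
                if isinstance(val, str) and EMAIL_RE.match(val):
                    hits.append((table, col, "email", val))
                elif looks_like_latlon(col, val):
                    hits.append((table, col, "coordinate", val))
                else:
                    ts = epoch_to_utc(val)
                    if ts is not None:
                        hits.append((table, col, "timestamp", ts))
    return hits


def build_sample_db():
    """Constructed stand-in for a pulled app database (schema invented here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages(id INTEGER, sender TEXT, body TEXT, sent_at INTEGER);
        CREATE TABLE workouts(id INTEGER, start_ms INTEGER, lat REAL, lon REAL, pace REAL);
        CREATE TABLE profile(user_email TEXT, display_name TEXT);
        INSERT INTO messages VALUES (1, 'match_a', 'hello there', 1479142800);
        INSERT INTO workouts VALUES (1, 1479146400000, 44.4759, -73.2121, 12.5);
        INSERT INTO profile VALUES ('tester@example.com', 'Test User');
    """)
    return conn


if __name__ == "__main__":
    for hit in triage_sqlite(build_sample_db()):
        print("%-9s %-12s %-10s %s" % hit)
```

To run it against a database pulled from a device, replace build_sample_db() with sqlite3.connect(f"file:{path}?mode=ro", uri=True) on a working copy, so the examination never writes a journal or WAL file next to the evidence. The seconds-versus-milliseconds split and the column-name check for coordinates are heuristics; treat hits as leads to confirm against the schema, not as findings.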

image-7

Conclusion:

We hope this gives you just enough to tide you over while you wait for us to publish our full findings! Again, it has truly been a pleasure getting to dive into these apps and find what secrets they have in store for us. Stay tuned for our full findings in the next couple of weeks.
Thank you for following our Mobile App Forensics blog! As always, if you have questions or comments about the project, you can leave a comment or contact the LCDI via Twitter @ChampForensics or email us at lcdi@champlain.edu.
