Android Reversing with Frida for Examiners
Authors: M. Williamson, C. Atha
[1.2] Review files in the app data directory

Last updated 5 years ago

In the early stages of our reversing workflow, we can look through the filesystem of this app to see if there are any leads. This could include things like shared preferences, databases, or basically anywhere within the app's sandbox.

Shared Preferences (SharedPrefs)

If you're using the lab kit, a complete copy of the data directory has been provided under 'app_data_directory'. If you wanted to pull it off the device, it's located at: /data/data/com.enchantedcloud.photovault

One artifact of interest is the shared preferences XML (com.enchantedcloud.photovault_preferences.xml); its content is shown here:

Of interest are the pin, passcode_type, and enc_keys_pin entries. Let's make a note of them and continue.

There's also a file called crypto.xml, which hits on a certain subject we're interested in! So let's take a look:

It may be helpful to start a text file in Notepad++ in which you mark down interesting or potentially significant data as you go. Later on, you can use this as a sort of index of values to test against what you retrieve during DBI.
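Rather than reading the XML by eye, you can parse it and pull the interesting keys straight into your index file. The script below is an added example for this lab, not code from the original page or the app; the XML it parses is constructed in the standard Android SharedPreferences layout, and the values attached to pin, passcode_type and enc_keys_pin are placeholders, not the real contents of com.enchantedcloud.photovault_preferences.xml.

```python
"""Parse an Android SharedPreferences XML file and flag keys worth noting.

Added example for the lab (not the app's or the authors' code). The XML below is
constructed; only the key names pin, passcode_type and enc_keys_pin come from the lab.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the SharedPreferences layout: a <map> of typed entries.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="pin">0000</string>
    <int name="passcode_type" value="0" />
    <string name="enc_keys_pin">cGxhY2Vob2xkZXItbm90LXJlYWw=</string>
    <boolean name="decoy_enabled" value="false" />
    <long name="last_open" value="1600000000000" />
</map>
"""

# Substrings that, in a key name, usually mean the value belongs in your index file.
INTERESTING = ("pin", "pass", "key", "secret", "token", "salt")


def parse_shared_prefs(xml_text):
    """Return {key: (type, value)} for every entry in a SharedPreferences <map>.

    <string> carries its value as element text; the scalar types (<int>, <long>,
    <float>, <boolean>) carry it in the 'value' attribute; <set> holds child strings.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root element is %r" % root.tag)
    prefs = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            value = child.text or ""
        elif child.tag == "set":
            value = [v.text or "" for v in child.findall("string")]
        else:
            value = child.get("value")
        prefs[name] = (child.tag, value)
    return prefs


def interesting_entries(prefs):
    """Filter parsed prefs down to keys whose names hint at credentials or key material."""
    return {k: v for k, v in prefs.items()
            if any(hint in k.lower() for hint in INTERESTING)}


if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS_XML)
    for key, (typ, value) in interesting_entries(prefs).items():
        print("%-16s %-8s %s" % (key, typ, value))
```

Point it at the pulled file with `parse_shared_prefs(open(path).read())`; crypto.xml has the same <map> layout, so the same function works on it unchanged.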

Database

You might also notice simplenosql.db, which is stored in the databases folder. If you open it, there are only two tables.

Inside the table simplenosql, there are a couple of rows:

Each row appears to pertain to a 'bucket', which in our case is either albums or albums_decoy. Inside the data column is quite a bit of JSON data:

It appears that this may provide some intelligence as to where our encrypted media could be stored. Let's see if we can find these files in the files/media/orig/ directory as indicated.
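The JSON in the data column is easier to mine with a few lines of Python than by scrolling through a SQLite browser. This is an added example written for the lab, not the app's own code: the table and column names (simplenosql, bucket, data) follow the text above, but the JSON layout and the row contents are constructed, since the real document structure is not reproduced on this page. It builds an in-memory stand-in for simplenosql.db and lists every string under files/media/orig/ per bucket, whatever the nesting.

```python
"""Pull encrypted-media references out of the SimpleNoSQL bucket store.

Added example for the lab. Table/column names follow the lab text; the JSON
documents and the rows are constructed, not copied from the real database.
"""
import json
import sqlite3

# Constructed rows: one JSON document per bucket, mimicking the two buckets seen in the lab.
CONSTRUCTED_ROWS = [
    ("albums", json.dumps({
        "name": "Main",
        "items": [
            {"file": "files/media/orig/1569243712345.jpg",
             "thumb": "files/media/thumb/1569243712345.jpg"},
            {"file": "files/media/orig/1569243798765.jpg",
             "thumb": "files/media/thumb/1569243798765.jpg"},
        ],
    })),
    ("albums_decoy", json.dumps({"name": "Decoy", "items": []})),
]


def build_sample_db():
    """Create an in-memory stand-in for simplenosql.db holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE simplenosql (bucket TEXT, data TEXT)")
    conn.executemany("INSERT INTO simplenosql VALUES (?, ?)", CONSTRUCTED_ROWS)
    conn.commit()
    return conn


def walk_strings(node):
    """Yield every string leaf in a decoded JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from walk_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk_strings(v)


def media_paths_by_bucket(conn, prefix="files/media/orig/"):
    """Map each bucket to the sorted media paths its JSON document references."""
    result = {}
    for bucket, data in conn.execute("SELECT bucket, data FROM simplenosql"):
        try:
            doc = json.loads(data)
        except json.JSONDecodeError:
            continue  # skip rows whose data column is not JSON
        result[bucket] = sorted(s for s in walk_strings(doc) if s.startswith(prefix))
    return result


if __name__ == "__main__":
    for bucket, paths in media_paths_by_bucket(build_sample_db()).items():
        print(bucket, paths)
```

Against the real file, replace `build_sample_db()` with `sqlite3.connect("databases/simplenosql.db")`; the walker does not care what the JSON keys are called, which is the point, since you do not know the app's document schema yet.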

Encrypted Media

As expected, we have a number of jpg files with timestamps as names. If we view them in a hex editor, they appear to be high-entropy crypto containers.

If we continue to look through the other encrypted media, the only obvious similarity you may note between them is that they all begin with 01 01.
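"High entropy" and "starts with 01 01" are both things you can measure instead of eyeball, which matters once there are hundreds of files in files/media/orig/. The script below is an added example for the lab, not code from the original page: it computes Shannon entropy per file and checks the leading bytes. The three sample blobs are constructed in memory (seeded random bytes standing in for ciphertext, a run of "A" as a low-entropy control, and a real JPEG magic as a plaintext control); only the 01 01 prefix comes from the lab's observation.

```python
"""Triage files in files/media/orig/ by entropy and leading bytes.

Added example for the lab. The sample blobs are constructed; the expected
01 01 header is the common prefix noted on the lab's encrypted media.
"""
import math
import random
from collections import Counter

EXPECTED_HEADER = b"\x01\x01"  # prefix observed on every encrypted file in the lab


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, approaching 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(name, data, header=EXPECTED_HEADER, threshold=7.5):
    """Classify one blob the way you would when eyeballing it in a hex editor."""
    ent = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(ent, 3),
        "header_match": data.startswith(header),
        # Ciphertext is near-uniform AND carries the app's container prefix.
        "looks_encrypted": ent >= threshold and data.startswith(header),
        "first_bytes": data[:8].hex(" "),
    }


def constructed_samples():
    """Three constructed blobs; the names mimic the timestamp file names seen in the lab."""
    rng = random.Random(1337)  # fixed seed so the sample is reproducible
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "1569243712345.jpg": EXPECTED_HEADER + body,   # mimics an encrypted container
        "notes.txt": b"A" * 4096,                        # low-entropy control
        "real.jpg": b"\xff\xd8\xff\xe0" + body,          # plaintext JPEG magic instead
    }


def triage_all(samples=None):
    """Run triage over a {name: bytes} mapping (defaults to the constructed samples)."""
    if samples is None:
        samples = constructed_samples()
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for r in triage_all().values():
        print(r)
```

To run it over the pulled directory, build the mapping with `{p.name: p.read_bytes() for p in Path("files/media/orig").iterdir()}` and pass it to `triage_all`. Anything with high entropy but no 01 01 prefix deserves a second look, because it is either a differently wrapped container or not this app's output at all.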