Forensic Analysis of Personal Data Leakage on Android Phone

RESEARCH STATEMENT

The proposed research will explore personal data leakage on the android mobile application platform through forensic analysis of volatile and non-volatile memory.

PROPOSAL SUMMARY

The proposed research will employ both volatile memory forensic techniques and traditional disk forensic techniques to the android platform in order to identify privacy breaches primarily in android mobile applications [1]. The proposed research also aims to demonstrate that forensic artifacts can be found both in the disk drive (non-volatile) and memory (volatile).

AIMS AND OBJECTIVES OF THE PROPOSED RESEARCH

1. Acquire non-volatile data from an android device using the traditional forensic approach and the memory dump, analyse the acquired data for any forensic artifacts and make a comparative analysis of both approaches. This will be achieve by conducting an experimental simulation of both approaches.

2. Develop an effective methodology to improve the detection of personal data leakages and sensitive information from android mobile applications.

RESOURCES

The major part of this proposed research will be conducting an experiment, hence few equipments are essential to be in place in order to carry out the experiment. The proposed research is mainly memory dumping and disk drive imaging for forensic analysis. Some open source tools will be highly utilize during the course of this proposed research, such as android studio SDK, Odin, ADB and mem. Additionally, books on android forensics, mobile forensics, journals and YouTube video tutorials will also be utilize. As the research progresses more resources might be needed. The following is a non-exhaustive list of resources currently available for use:

â- Window 10 OS with processor Intel (R) Core(TM)i7, install memory of 16.0GB is the host operating system and forensic workstation for disk image analysis

â- Linux Ubuntu 15.10 x32 with kernel v2.6 is our forensic workstation for memory analysis

â- VMware Virtual Machine v11.1.2: Will be used to install guest operating system

â- Physical android phone Samsung galaxy S3: Is the subject of the experiment

â- Android SDK developer tool for Linux x32: Is a software development tool used for application development and analysis.

â- mem is an open source tool for dumping running process on android phone

â- Odin3.-v3.10 is open source tool that enable us to rooted android phone

â- Samsung usb drive for mobile phone used to enable debugging bridge between android phone and forensic workstation

â- CF-Auto-Root-2dcan-2dvl-sghi747m is used to update firmware during rooting process.

ï‚· AccessData Forensic tool kit version 3.4.2 ( Download FTK Imager 3.4.2) is forensic software tool used to analysis disk image file

3 | P a g e

CONNECTION TO THE COURSES OF MISSM PROGRAM

This proposed research is closely related to Digital forensic course (ISSM536), which is one of the course we had covered in our Information Systems and Security Management program. The proposed research used the techniques learned from this class and applied them in the android environment to reveal several types of personal information such as username, password, date of birth, postal addresses contact, photos, account number, messages etc. The comparative analysis method used covers the principles of digital evidence collection learned in Information Technology Security Laws and Ethics course (ISSM561). The proposed research has a beginning and ending, as a result it need to be managed in order to deliver the end result. Therefore, the knowledge learned from (ISSM545) System Development and Project Management.

REVIEW OF RELATED RESEARCHS

Fuchs, et al., [2] presented the first analysis tool for android called SCanDroid, a framework for Android to perform information flow analysis on applications in order to understand the flow of information from one component to another component. Consider a case where an application request permission to access multiple data stores i.e., public data store and private data store. The application requires permission for reading the data from the private store and writing data to the public store. SCanDriod analyzes the information flow of the application and reports whether the application will transfer the information in the private store to the public store or not. However, SCanDroid also suffers from the same limitation of security policy expressibility. In order to consider some information flow to be dangerous, the policy writers must define certain constraints prior to executing the policy. Similarly, if an information flow is not explicitly added to the set of constraints the framework will consider it to be safe.

In 2012, C. Gibler, et al., presented AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale[4]. It informed the user if applications are leaking their personal information. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually. To secure privacy information, they set up a mappings between Android API methods and the required permissions as the sources and sinks of private data for data flow analysis. However, AndroidLeaks does not yet analyze Android-specific control and data flows. This includes Intents, which are used for communication between Android and application components, and content providers, which provide access to database-like structures managed by other components.

Sasa Mrdovic et al., [3] proposed a combination of static and live analysis for memory image, which is obtained by hibernation mode (power management feature that exists in most portable computers). After they obtained the physical memory image, they used it to boot the investigated system in the virtual machine (live view) to resume the system to the same state before it went into hibernation mode. Their proposal of using hibernating feature was to obtain the memory contents without violating the evidence integrity, but during their analysis they found out that they lost all the information about network connections because hibernation mode terminates the network connections before it starts in Windows environment.

As one of best well-known analysis approaches, Taint Droid detects privacy leaks using dynamic taint tracking [5]. Enck et al. built a modified Android operating system to add taint tracking information to data from privacy-sensitive sources. They track private data as it propagates through applications during execution. If private data is leaked from the phone, the taint tracker records the event in a log which can be audited by the user. In 2015,Young ho Kim et al., proposed a methodology and an architecture for measuring user awareness of sensitive data leakage, which features runtime application analysis over timing distance between the user input event and actual privacy data leak[6]. 4 | P a g e

Nai-Wei Lo, Kuo-Hui Yeh, and Chuan-Yen Fan present a user privacy analysis framework called LRPdroid[7]. LRPdroid has been proposed for an Android platform to offer a user privacy management model. In the LRPdroid framework, they defined required models to achieve user privacy management: App execution data flow, user perception, leakage awareness, information leakage detection, privacy disclosure evaluation, and privacy risk assessment. To support the proposed privacy analysis model, two information capture modules for LRPdroid were designed to acquire incoming data inputted by a mobile user and outgoing data transmitted from a targeted App. A system prototype based on the LRPdroid framework was developed to evaluate the feasibility and practicability of LRPdroid. Two general App usage scenarios were adopted during the usage of Line App to evaluate the effectiveness of LRPdroid on user privacy disclosure by social engineering attack, user information leakage from normal operations of a running App, and privacy risk assessment of targeted running App.

In 2015[10], Pasquale Stirparo, Igor Nai Fovino, and Ioannis Kounelis developed a novel methodology called MobiLeak, for analysis of security and privacy level of mobile applications, which focuses more on user data instead of application code and its architecture. Their research work addressed and solved the problems related to the following three research questions for mobile environment and applications: (1)what are data and where can such data exist? (2) How is personal data handled? (3)How can one properly assess the security and privacy of mobile applications? They start their research work with a fundamental prerequisite in order to be able to properly treat them, which is studying and identifying every possibility state at which data can exist. After this step, they analyzed how real life mobile applications and operating systems handle users’ personal data for each of the states previously identified. Based on these steps they developed MobiLeak, which also combined concepts and principles from the digital forensics discipline.

DESCRIPTION OF PROPOSED RESEARCH

THE FOCUS OF THE RESEARCH

The aim of this proposed research is to examine user data storage mechanism on a mobile application in a context of android platform. Analyzing mobile application for personal data leakage require extensive analysis and in-depth understanding of both the OS and application architecture. The analysis is expected to be conduct to data at rest and data in motion. The result of this proposed research will help to create awareness to both application developers and the android community that user’s personal data information such as username, password and other sensitive information are at risk both in volatile and non-volatile memory.

Finding user sensitive data on android smart phone could be in three (3) locations: disk drive, memory and app server. Our research is limited to two out of the three application data store which is disk drive and memory, both storage areas could prove strategic locations for finding vital information for android smart phone users. The motive of this research is to examine whether applications encrypt user sensitive information both in the memory and the disk drive. This pose the following questions:

1. Does user credentials are encrypted on a memory ?

2. Among the two method which one is more forensically sound?

3. What information could be found in disk drive and not in memory?

During the experimental phase of the proposed research certain applications will be examining, such as VOIP applications, social media applications, financial applications and telecom applications. I chose this samples of android application from various categories. Because these applications are fairly popular and are used by millions of people around the globe. For each application I will look at how user sensitive data, such as user name, password, date of birth and account number are store both in the disk drive and the memory. 5 | P a g e

The rest of the proposed research section is divided into 4 parts: First I am going talk about my methodology, next I will present the series of preliminary result both in the memory analysis and disk analysis, third I give the highlight of the expected result and finally, I will discuss about certain obstacles that may arise.

METHODOLOGY

The method used in carrying out the experiment of the proposed research consist of four phases.

Phase One: Gather the require tool both in term of hardware and software

As the proposed research required memory dump and disk drive imaging analysis a physical android phone is needed to conduct our experiment.

1. Window Host OS and Ubuntu Guest OS as our forensic workstation

2. Android phone Samsung Galaxy S3

3. Installing Odin3.-v3 which will allow us to root our android phone

4. Install android SDK tool for using ADB(Android Debug Bridge) to get shell access on our android Phone

5. Mem application software loaded into our android phone through ADB which allow us to dump the running process from the Phone

Phase Two: Installation and configuration of experimental environment

At this phase all the required tools, such as the hardware and software are installed and configured.

Pre-experiment of memory dump and disk imaging is performed, and tools are verified.

Phase Three: Acquisition of disk image and memory dump

At this phase the disk image drive is acquired using dd command tool from the internal memory to internal SDcard of the phone and ADB pull is utilize to pull/copy the disk partitions to our forensic work station. Mem program software is utilize, this allow us to dump the running process. We used ADB to install mem application into our phone in order to dump the desired running application process.

Phase Four: Preservation and analysis of acquired data

The purpose of this phase is to examine acquired application data both in the memory and disk drive. For example, we will check if the application is encrypting users credential both data at rest and data in transit?

MEMORY DUMPING ANALYSIS

This section provide detail steps taken to analysis the dumped memory of certain applications selected for this proposed research. The result shows that user’s credential are not properly handle by the application, which can result in personal data leakage. A program called mem was used to facilities the process dump, ABD was also used to install mem program into our android phone. List the running process and dump them into the internal SDcard and finally pull it to our forensic workstation for further analysis. Strings and sqlite3 command were utilized to look for ASCII text format from the dumped memory to understand the output result. Interestingly, the result showed that user’s credential are not encrypted at all.

The applications analyse in this proposed research are as follows:

A) Africallshop App

Africallshop is a VOIP application which allows customers to buy credit online to make national and international calls and send text message worldwide to friends and family at a cheap rate. The application is 6 | P a g e

rated about 4.4 in the android play store and was downloaded by five thousand (5000) customers during the time of this proposed research. The prominent outcome of this application are as follow:

The username, password, caller id and user account balance are not encrypted.

We ran the sqlite3 and string command on the dumped memory, which produce the result below:

<?xml version=’1.0′ encoding=’utf-8′ standalone=’yes’ ?>

<map>

<string name=”Domain”>sip.africallshop.com</string>

<string name=”Password”>XXXXXXX</string>

<string name=”country”>CANADA</string>

<string name=”pwd”>xxxxxxxxx</string>

<string name=”proxy”>proxy.africallshop.com:443</string>

<string name=”user”>[email protected]</string>

<string name=”Balance”>0,434

</string>

</map>

B) EHarmony App

EHarmony is an online dating site for singles. Those using this app can communicate freely, share picture, video and text. During the time of this proposed research the application was downloaded by five million people and rated 3.1 in the app store. The prominent outcome of this application analysis are as follow: The user credential, such as username, password and device information are all in plaintext. The result below:

POST /singles/servlet/login/mobile HTTP/1.1

j_username=sdramme1%40student.concordia.ab.ca&j_password=123qaz&platform=androidj0r1D7fg4ArJ2uSVPgSti5zcEnltO919mHUV88E%2FKUWcan9NEMgT820MygiKsWf0Sg1147vdZbXIo

tLS HTTP/1.1

User-Agent: eHarmony-Android/3.1 (SGH-I747M; Android OS 4.4.2; en_CA; id f9d8a2acfec7b901)

X-eharmony-device-id: f9d8a2acfec7b901

X-eharmony-device-os: Android

X-eharmony-device-os-version: 19

X-eharmony-device-type: 1

X-eharmony-client: eHarmony

X-eharmony-client-version: 3.1

Accept: application/json

lBxp

c_te

j_username=sdramme1%40student.concordia.ab.ca&j_password=123qaz&platform=android

8KTB

stevedocwra on 7 | P a g e

C) Virgin Mobile My account App

Virgin mobile is GSM mobile application that allow user to manage their account features and usage. Users can make payment and add a buddy to their list. This application was downloaded by five hundred thousand (500,000) people during the time of this proposed research and was rated 3.4 in the app store. The prominent outcome of this application are as follow:

Sim sequence number, cell phone number, UMTS number, activation date, user data of birth, subscribe date, user e-mail address, initial password, pin unlock code and account number. all this information are not encrypted.

[email protected]:~/android-sdk-linux/platform-tools$ strings virginmobile | grep [email protected]

We run the ps and string command on the dumped memory, which produced the result below:

“imeioriginal”:null,”simsequenceNumber”:174392323,”esnequipmentType”:null,”imeiequipmentType”:{“value”:”LTEDevice”,”code”:”T”},”simequipmentType”:{“value”:”USimVal”,”code”:”U”}},”telephoneNumber”:”7802356780″,”networkType”:{“value”:”UMTS”,”code”:”85″},”language”:{“value”:”EN”,”code”:”E”},”isBillSixty”:false,”isTab”:false,”commitmentStartDate”:null,”commitmentEndDate”:null,”commitmentTerm”:0,”contractType”:{“value”:”OFF_COMMITMENT”,”code”:”O”},”paccPinStatus”:{“value”:”NOT_ENROLLED”,”code”:”78″},”padPinStatus”:{“value”:”NOT_ENROLLED”,”code”:”78″},”initialActivationDate”:1463112000000,”accountCommPref”:{“value”:”BILL_INSERTS”,”code”:”66″},”isAccountSMSPerm”:true,”birthDate”:512197200000,”lastUpdateDate”:1464062400000,”lastUpdateStamp”:9863,”lastHardwareUpgradeDate”:null,”daysSinceLastHWUpgrade”:null,”subscriberEstablishDate”:1463112000000,”daysSinceActivation”:16,”nextTopupDate”:1465704000000,”cancelledSubStatusDate”:1463371200000,”initialPassword”:”5069″,”isCallDisplayAllowed”:false,”pricePlan”:”VHV226″,”portInidicator”:null,”primeMateInidicator”:{“value”:”UNKNOWN”,”code”:”R”},”primeSubNumber”:null,”subMarket”:{“value”:”UAC”,”code”:”UAC”},”telcoId”:”MOBL”,”pinUnlockKey”:[36761817,63094923],”manitobaIndicator”:”O”,”thunderBayIndicator”:”O”,”portabilityIndicator”:”O”,”serviceArea”:”N”,”hasOrderInProgress”:false,”isWCoCSubscriber”:true,”hasDomesticDataServices”:false,”hasRoamingDataServices”:false,”domesticDSBlockedUntil”:null,”roamingDSBlockedUntil”:null,”isAccessible”:false,”promotionGroupCode”:null,”emailAddress”:”[email protected]“,”wcoCDate”:1463112000000}]},”emailAddress”:”[email protected]“,”arbalance”:{“name”:”{http://bside.int.bell.ca/customer/profile/types}ARBalance”,”declaredType”:”java.lang.Double”,”scope”:”ca.bell._int.bside.customer.profile.types.MobilityAccountType”,”value”:0,”nil”:false,”globalScope”:false,”typeSubstituted”:false},”ebillInfo”:{“isEBillEnrolled”:true,”isEBillNotifyEnabled”:true,”ebillStartDate”:1463112000000,”ebillEndDate”:null},”siowner”:{“value”:”BELL_MOBILITY”,”code”:”MOBL”},”arpuamount”:”19.13″}]},”wirelineAccounts”:null,”internetAccounts”:null,”tvaccounts”:null},”activeHouseholdOrders”:null,”emailAddress”:”[email protected]“}”,”username”:”7802986780″,”guid”:”SCP9O0ELLDDUN2J”,”profileType”:”BUP”,”savedTimeStamp”:”2016-05-29T01:30:38.458-04:00″,”profilebanNumbers”:”[{“accountType”:”Legacy”,”ban”:”527566075″,”profileSaveTime”:1463945744000}]”,”accountType”:””,”paymentData”:[“[{“paymentInfoList”:{“billAvailable”:true,”lastPaymentAmount”:40.18,”totalAmountDue”:40.18,”lastPaymentDate”:”2016-05-22T00:00:00.000-04:00″,”paymentDueDate”:”2016-06-06T00:00:00.000-04:00″,”billEnddate”:”2016-05-14T00:00:00.000-04:00″,”balanceForward”:0,”bankAccountNumber”:null,”creditCardNum”:null,”customerId”:null,”ban”:”527566075″,”mdn”:”52756607UAV580″,”eligibilityInd”:”Y”}}]”]}`

DISK IMAGING ANALYSIS

This section provided detail steps taken to conduct traditional forensic technique for non-volatile memory acquisition and analysis. During this phase the acquired memory will be examine and the primary concern will be user data stored, in particular share_pref folder. Share_pref folder is a storage location for key-value in side application database. Android application store user data within /dev/block[8]. With the use of common forensic command, such as dd, will be utilize to image disk drive partition. For this proposed research the following partitions are imaged for analysis:

System file

Cache file 8 | P a g e

User data

Persist

But our proposed research experiment will be focus on user data folder, as it is consider to be the storage location for application data. To image disk drive, shell access is need through android SDK, we then look for mount file on the disk drive before executing dd commands to copy the partition from the internal memory to internal SDcard and finally pulling it to our forensic work station using adb pull command.

1. Checking the mounted file on the disk drive

mount

/dev/block/platform/msm_sdcc.1/by-name/userdata

/dev/block/platform/msm_sdcc.1/by-name/cache

/dev/block/platform/msm_sdcc.1/by-name/system

/dev/block/platform/msm_sdcc.1/by-name/persist

2. Copying the user date partition and pull it to forensic work station

dd if=/dev/block/platform/msm_sdcc.1/by-name/userdata of=/mnt/sdcard/test1

17399538+0 records in

17399537+0 records out

8908562944 bytes transferred in 1934.464 secs (4605184 bytes/sec)

adb pull /mnt/sdcard/test1

3. Imaging the cache partition to internal SDcard

dd if=/dev/block/platform/msm_sdcc.1/by-name/cache of=/mnt/sdcard/cachefile1.img <

1720320+0 records in

1720320+0 records out

880803840 bytes transferred in 118.669 secs (7422358 bytes/sec)

4. Copying the system partition

dd if=/dev/block/platform/msm_sdcc.1/by-name/system of=/mnt/sdcard/systemfile.img

3072000+0 records in

3072000+0 records out

1572864000 bytes transferred in 255.874 secs (6147025 bytes/sec)

[email protected]:/ #

5. Copying the persist partition

dd if=/dev/block/platform/msm_sdcc.1/by-name/persist of=/mnt/sdcard/persist.img

16384+0 records in

16384+0 records out

8388608 bytes transferred in 0.865 secs (9697812 bytes/sec)

The above command will image each partition of the mounted file of dev/block with the default block size of 512 byte during bit-by-bit copy of the file and direct the output file to internal SDcard. Finally, copy it to our forensic workstation, Which can be analysis using forensic tool called AccessData FTK imager version 3.4.2. FTK is recommended forensic tool for disk image analysis by both forensic and legal community for its powerful carving capability, stability and ease of use.

AccessData FTK ANALYSIS

1. PayPal App

PayPal is an online payment system that allows its member to transfer funds locally and globally. Members can receive, send money and buy or pay for goods and services online. The application was downloaded by 10 million people at the time of this research and rated as a good app in the app store. We added evidence item to 9 | P a g e

FTK navigate to data and com.paypal.android.p2pmobile then share_pref folder. The folder share_pref/PresentationAccount.RememberedUsersta../ reveal user data information such as user first and last name, cell phone number, and email address.

2. AfricallShop App

Africallshop is a VOIP application that allow the users to make cheap international call worldwide, user can purchase credit online to communicate with peer by text message and voice call. After adding user data partition to FTK imager, navigate to com.v2.africallshop folder, expand the folder view share_pref folder. In sher_pref folder an xml file called com.v2.africallshop-prefrences.xml was view and contain user sensitive data such as app domain name, caller ID, country, ID, user password, username and account balance all in plain text. 10 | P a g e

3. Keku App

Keku is a VOIP application which facilitate call or text through Wi-Fi or mobile data. User buy credit online to make local and internationally calls. The package of the application contain probative information about the user. App database store was reveal through FTK analysis and the share_pref folder contain sensitive information about the user. In share_pref folder a file called Org.keku_preferences.xml, this file contain user’s sensitive data and device information such as, password, username, device-mac address and user phone number. 11 | P a g e

EXPECTED RESULTS

During the experimental phase of the proposed research, aim and objective of the experiment is to demonstrate or show that user’s personnel data information are at risk during application data process in transit and at rest. The research has observe the dumped process and disk drive imaged to reveal personal data leakage and has successfully uncover vital information about App users, such as username, password, date of birth etc.

OBSTACLE

The obstacles encountered during the experimental phase of the proposed research as follow:

1) Lack of enough material regarding android forensic as the field is immature

2) Unable to image the whole memory of the actual phone, as the system configuration file is missing and couldn’t be found to compile it with LiMe in order to acquire the whole memory.

3) Lack of enough analysis tool to cross examine or evaluate both the dumped and disk drive memory, Ubuntu Linux tool was used to do our analysis.

CONTRIBUTION TO KNOWLEDGE

The proposed research show that application developers are far less careful with user sensitive data when it being stored both in the disk drive and memory in running applications. Using very simple forensic investigation techniques running strings and sqlite3 on dumped memory and disk drive imaging analysis on FTK show quite a lot of private information.

OUTLINE OF FINAL RESEARCH PAPER ISSM 580/581

The final research document will be structure as follows [9]: Section 1, will be the abstract then the Introduction to the paper. Section 2, will discuss memory analysis technique. Section 3, will discuss disk imaging analysis 12 | P a g e

technique. Section 4, will discusses the forensic artifacts unveil during the analysis . Section 5, related work. Section 6, the result summary. Section 7; conclusion and future work.

RESEARCH DELIVERABLES

This research will be conduct in Fall Semester 2016, from September 2016 to December 2016. Nevertheless, some major preliminary steps have already being taken. Most of the required tools both hardware and software for the proposed research have already being obtained and implemented. Spring 2016
April	Researching the Topic of Interest
Week 1 – 2	Finalize the Topic with Primary Advisor
Week 3 – 4	Read the Area/Topic of Interest
May
Week 1 – 2	Read relevant Journal or Article related to the topic of interest
Week 3 – 4	Gathering and installation of test Environment, Conducting and Experiment.
June
Week 1	Writing First Draft proposal and submit
Week 2 -3	Edit and Improve proposal based on advisor guidance, Further Experiment and literature review read.
Week 4	Final Proposal and Submit.

Order Now