Mobile App Investigations
Date: Oct 1, 2020
In this sample chapter from A Practical Guide to Digital Forensics Investigations, 2nd Edition, you will explore the importance of mobile apps in investigations, learn how to perform a static and dynamic analysis, analyze SQLite databases, and more.
Chapter 10. Mobile App Investigations
Learning Outcomes
After reading this chapter, you will be able to understand the following:
The importance of mobile apps in investigations;
How to perform a static and dynamic analysis;
The digital evidence available from dating, rideshare, and other popular apps;
The value of deep-linking in investigations; and
Analyzing SQLite databases.
Mobile applications (apps) are extremely important today in investigations for a variety of reasons. Interestingly, the databases associated with many apps, are unencrypted and are not too difficult to analyze. Furthermore, if a mobile device is locked or inaccessible, there are many other options available, which may include analyzing a linked desktop version of the app or sending a subpoena, or court order, to a third-party provider to obtain a suspect’s data. Third-party companies collect, and store, a tremendous amount of data on their customers. Finally, many users opt to back up their data to cloud storage. For example, WhatsApp has the option for Apple iPhone/iPad users to back up their chats to iCloud, and that backup can be requested from Apple. Nevertheless, organized criminals and terrorist groups largely use mobile apps that utilize strong encryption or proprietary encryption, which can seriously hamper the work of law enforcement. Compounding these concerns is the fact that many apps maintain their servers in countries like Russia, which is beyond the reach of law enforcement in the West. Popular communication apps that use strong encryption include Telegram, Signal, Wickr, and Threema to name but a few. Nevertheless, zero-day exploits are frequently found in mobile apps, including Telegram, which can help investigators to gain access to an encrypted app. A zero-day exploit is a security vulnerability that is a threat on the day that it is discovered because a software patch, to fix the exploit, does not yet exist.
Static Versus Dynamic Analysis
During app installation, typically a SQLite database will be installed on the user device. This is a relational database that is comprised of tables. The data stored in these tables may or may not be encrypted. A table may contain a user’s contacts, while a related table may store communications with contacts, for example. It is important to understand that these databases contain an extraordinary amount of personal information and, when unencrypted, can put an individual at risk for social engineering. Additionally, we should always consider the possibility to subpoena a third-party service provider for evidence.
When analyzing mobile apps, there are several approaches that an investigator can take, in order to examine the user data. A static analysis includes an examination of the SQLite database associated with that app. A dynamic analysis of the app is an analysis of the behavior of the application once it has been executed (or run). The sections that follow examine static analysis and dynamic analysis in more detail.
Static Analysis
A SQLite database is a relational database that is the preferred storage for data associated with mobile apps. SQLite is a C-language library that is responsible for the SQL database. SQLite source code is source code that resides in the public domain. Forensic tools, like BlackLight, enable the user to easily browse through application SQLite databases but there are other standalone tools that can be used. One of these tools is SQLite Database Browser, which is freeware. Later in this chapter we shall detail the types of evidence available from a number of popular mobile apps. Figure 10.1 shows an example of a SQLite database for the Tinder app on an iPhone.
FIGURE 10.1 Tinder SQLite database on iOS (iPhone)
A cursory view of the information in Figure 10.1 shows that there are many folders and files associated with a mobile app SQLite database. Ultimately, the database could have five tables or could have 100 tables, which means that a thorough examination can be a painstaking process. Within each SQLite database (.sqlite) you will find databases, which will contain the file extension .db; for example, google_analytics.db. You will often find recognizable files, like .jpg (picture images), .vcf (or vCard for your contacts), or .mp3 (sound file).
The chart in Figure 10.2 provides a general outline of how an iOS application is stored on an iPhone or iPad.
FIGURE 10.2 Application storage on iOS
The Library folder, which is highlighted in Figure 10.2, is where you will find the all-important user data, including cache, cookies, and other personal information. In the Preferences folder, which is displayed and highlighted in Figure 10.3, you may actually discover usernames and passwords that are stored in plaintext.
In Figure 10.4, we can view the name com.cardify.tinder and this is referred to as a bundle ID. A bundle ID is a uniform type identifier, which is comprised of alphanumeric characters, that uniquely identifies a specific app. The bundle ID for Microsoft’s iOS Outlook app is com.microsoft.Office.Outlook. Thus, the format for the bundle ID is generally com.<YourCompany>.<AppName>, which is referred to as a reverse-domain name style string. When you visit the Apple App Store and search for the Microsoft Outlook app for iOS, then you will arrive at this URL in your web browser: https://apps.apple.com/us/app/microsoft-outlook/id951937596. Notice the “id951937596”, which identifies this app on the App Store. An iOS app also has a unique identifier known as an App ID. An App ID is a two-part string that identifies a development team (Team ID) and an application (bundle ID). The Team ID is created and assigned by Apple, while the bundle ID is generated by the app developer.
FIGURE 10.3 Tinder SQLite database on iOS
FIGURE 10.4 Tinder SQLite database on iOS
Static Analysis: Code Review
Another form of static analysis refers to performing a code review on a mobile app, which can help the investigator understand the type of evidence that is available. In terms of the evidence available for an Android app (.apk or Android Package) there is the manifest, which shows the permissions associated with a particular app. For example, the manifest may show that the app is collecting user location information (“COARSE_LOCATION” and/or “FINE_LOCATION”). ACCESS_COARSE_LOCATION is a permission that enables the app to access the approximate location of the user device, which is based on NETWORK_PROVIDER (cell sites, i.e. cell towers). ACCESS_FINE_LOCATION enables the app to determine the location of the user device based on NETWORK_PROVIDER and GPS (GPS_PROVIDER). An Android application contains a file at the root of the project source set, which is called AndroidManifest.xml. An Android manifest file contains the application’s package name, its functionality, permissions, hardware, and software requirements for installation.
Understanding the permissions associated with an app allows the investigator to understand the type of evidence that can be requested from the provider and the type of evidence to look for when examining the SQLite database. The latter is important because examining one database can take many days, or even weeks, and therefore limiting the scope of your analysis is key. Example 10.1 shows a small extract from an Android manifest for WhatsApp.
Example 10.1 Android Permissions Manifest for WhatsApp
<manifest xmlns:"http://schemas.android.com/apk/res/android" android:versionCode="451048" android:versionName="2.12.550" package="com.whatsapp" platformBuildVersionCode="23" platformBuildVersionName="6.0-2166767"> <uses-sdk android:minSdkVersion="7" android:targetSdkVersion="23" /> <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" /> <uses-permission android:name="android.permission.AUTHENTICATE_ACCOUNTS" /> <uses-permission android:name="android.permission.BLUETOOTH" /> <uses-permission android:name="android.permission.BROADCAST_STICKY" /> <uses-permission android:name="android.permission.CAMERA" /> <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" /> <uses-permission android:name="android.permission.GET_ACCOUNTS" /> <uses-permission android:name="android.permission.GET_TASKS" /> <uses-permission android:name="android.permission.INSTALL_SHORTCUT" /> <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.MANAGE_ACCOUNTS" /> <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.READ_PHONE_STATE" />
An understanding of the manifest is also important from a mobile security perspective. Many privacy policy statements are misleading or confusing and provide poor guidance about how trustworthy a mobile app is. The Federal Trade Commission (FTC), for example, investigated a popular free app for Android, called the Brightest Flashlight, after it was discovered that the app requested many more permissions from the user’s device beyond the light function on the device. Therefore, some app permissions are high risk, while other permissions are low risk.
A Web search for the “Uber APK file”, or any other APK file, quickly identifies where the application package can be downloaded. Once the APK has been downloaded, there are a number of applications that can be used to review the code and manifest for the APK. One tool for reviewing the APK developer code is dex2jar (dex compiler), which can be downloaded from SourceForge. Another application for viewing the APK is FileViewer Plus. One preferred tool is an online Java APK decompiler application, which is available from www.javadecompilers.com/apk. With this tool, you can decompile your APK in a web browser without downloading an APK decompiler to your computer. Therefore, you do not need to worry whether the application that you are downloading is from a trusted source because the application is being run from their web server and not from your computer. There are numerous other source code analytical tools that an investigator can use, including SourceMeter, JSLint, and FindBugs. Figure 10.5 shows the JSLint user interface.
FIGURE 10.5 JSLint user interface
Dynamic Analysis
A dynamic analysis of the app is an analysis of the behavior of the application once it has been executed (or run). An Android emulator is an application that simulates, or runs, the Android operating system in a virtual machine. These applications are generally developed for use with a personal computer and run as a virtual machine. App developers use an emulator to analyze how their apps will run before making them available to the public. However, an emulator can also benefit investigators who are interested in viewing the behavior of an app—especially if an app potentially contains malware. This is the benefit of using an emulator that operates as a virtual machine. An investigator may also be interested in monitoring the permissions and DNS connections associated with an executed mobile app. In terms of monitoring DNS connections (connections to servers), there is Wireshark (Windows) and Debookee (macOS), which are very effective at monitoring these connections over a wireless network. Figure 10.6 shows a screenshot of a pcap (packet capture) file from Wireshark. A pcap file is a wireless packet that contains user data and network data related to the sender and receiver of that data.
FIGURE 10.6 Google Maps API identified in a PCAP captured by Wireshark
To remain safe and compliant, consider using a personal hotspot device, like a Verizon Jetpack, in a secure lab. A tool like Debookee also has the ability to encrypt some wireless traffic, which means that while app data may be encrypted on the device and on the server, often companies will implement poor encryption protocols, whereby the data in transmission can be intercepted and viewed in plaintext. Thus, tools like Debookee can also be used, by security professionals analyzing apps, to try to determine how secure apps are.
Introduction to Debookee
Debookee is a comprehensive wireless packet sniffer for macOS. The tool is not passive as it performs a man-in-the-middle (MITM) attack to intercept data from mobile and IoT devices. A man-in-the-middle (MITM) attack is an attempt to intercept electronic communications between two computing devices, with the intent to decipher encrypted messages. The tool also performs SSL/TLS decryption. Debookee supports numerous protocols, including HTTP, HTTPS, DNS, TCP, DHCP, SIP, and RTP (VoIP). The tool can be used to identify what data is being collected and shared by mobile apps. In other words, you can identify DNS connections to servers around the world and other companies that could be potentially subpoenaed for information. The data generated from one mobile app can be shared with fifty or more third-party companies, which are mostly analytics companies like Crashlytics, UXCam, Fabric, etc.
On the homepage of the Debookee website, click the Download button and install the software.
Once you install the software and start the program, you will see an interface, similar to Figure 10.8. The IP address, MAC address, and host name that are displayed provide information about your device.
Figure 10.9 shows a close-up of the information that we just discussed. Click the Start LanScan button as highlighted in Figure 10.9.
FIGURE 10.7 Debookee home page
FIGURE 10.8 Debookee user interface
You will then see a list of all devices that are connected to the same wireless access point as your computer. Once you select your target device, click the Pcap option, on the upper left of your screen, and then click Save Pcap files, as shown in Figure 10.10.
FIGURE 10.9 Debookee user interface with host computer information displayed
FIGURE 10.10 Save Pcap files option in Debookee
You can then click the Open Export Folder button to change the default export folder. There is an add-on tool in Debookee, which allows you to decrypt the contents of the pcap files. If you purchase this option, you can click the SSL/TLS button displayed in Figure 10.11.
The next step in the TLS decryption process is to install the certificate authority (CA) on the machine (see Figure 10-12). To start your NA, click the Play button ▸ in the very top left of your application screen (underneath it says, “Start NA”). Once the trust certificate has been installed, you should stop the NA (Network Analysis) by clicking the same button.
FIGURE 10.11 SSL/TLS decryption option in Debookee
FIGURE 10.12 Decryption option in Debookee
From the screen in Figure 10.13, click the Start NA ▸ button again. Open the webpage, or application, you want to analyze (or the device that you wish to monitor), and begin generating data packets by opening and closing different functions, sending messages, or just using the application.
FIGURE 10.13 Start NA option in Debookee
On the left column in Figure 10.14, under Own Traffic, you will see that DNS and HTTP have populated. The NA will run continuously until you terminate it. When you are satisfied with the data collected, press the stop button. Remember that your pcap files are automatically exported to the folder that you previously selected.
Click DNS in the left column and you will see all DNS connections made during the NA (timestamped) with the hostname and/or IP address. These are the IP addresses and hosts that you can analyze, in addition to the pcaps.
It is recommended that you click File > Export and save this list as a .doc or a .txt file. You can then use some open source DNS analysis tools, including www.robtex.com and www.dnsdumpster.com.
Clicking the HTTP button, as shown in Figure 10.15, will display an itemized list of every packet transmitted over HTTP, HTTPS, TCP, SIP, IMAP, and other protocols. If you did not purchase the SSL/TLS decrypt module, HTTPS packets (transmitted over port 443 using TLSv1.2) will display in red, and you will not be able to read the data until you decrypt the packets. Port 443 is the port number for secure HTTP communications—in other words, Web traffic. If you did purchase the SSL/TLS decrypt module, HTTPS packets will display in black, and when you click on them, the data will be displayed in plaintext in the data field.
Click on a packet that you wish to examine. In the data field you will see some text populate underneath the tab labeled Request. Upon further inspection of the data field, you will see the full GET request along with the packet parameters and data, as displayed in Figure 10.16. GET is an HTTP method used to request data from a specific resource, like a web server.
FIGURE 10.14 DNS connections captured
FIGURE 10.15 Decrypted TikTok packet (pcap)
FIGURE 10.16 GET request data displayed
You may then click the Response tab to view the webpage or application response packet. Figure 10.17 displays a webpage response. Status code 200 means that it was successfully downloaded.
FIGURE 10.17 Response results
You can choose to export your packets so that they can be analyzed later. You can select to view your packet data in a text file or in a Word document. Figure 10.18 displays the option to export the packet data.
FIGURE 10.18 Data Export feature in Debookee
In Figure 10.19 and Figure 10.20 you can view the location and message data that was transmitted in plaintext while using the popular dating application Tinder. This data was observed while inspecting the entire packet in a text document.
FIGURE 10.19 Location, device, and user information from the Tinder app
FIGURE 10.20 Message from the Tinder App Displayed in Plaintext
The pcaps generated by Debookee can then be exported and analyzed using the Wireshark application. Wireshark can also perform data capture and is recommended for Windows users.
Dating Apps
There were 3.6 million applications (“apps”) on Google Play and 2.1 million iOS applications on Apple’s App Store in 2017, and a mere 8.5% of those apps were cross-platform, meaning that they were available for both iOS and Android. Adults in the United States are using mobile devices in ways that could not be imagined just 15 years ago. According to Pew Research Center’s report on mobile dating, 15% of adults (ages 18 and older), in the United States, have reported that they have used online dating sites or mobile dating apps. Dating site usage has nearly tripled for young adults (18 through 24) in just two years, from 10% to 27%. Therefore, it is important for investigators to understand the evidence available from mobile dating apps. Moreover, the prevalence of social engineering—using data derived from social media accounts—means that dating apps are a cause for concern in terms of organizational risk.
With the recent increase in online match-making connections, in a post-Snowden era where privacy has become a major concern, we might question whether dating applications are utilizing personal data ethically. In March 2018, a security flaw in the Grindr app disclosed user location data, which could have exposed app users to harassment; Grindr is a dating app, primarily used to connect gay men and unfortunately has facilitated numerous attacks against many gay men. Thus, understanding the available evidence from a dating app is extremely important because of the nature of the crimes being committed, the links to social media, the personal information available, and the location and communication capabilities of these apps.
Tinder
As of 2018, Tinder had 57 million users worldwide. Millions of Tinder subscribers pay for a premium service: Tinder Plus or Tinder Gold. Tinder is used in 190 countries and supports 40 languages. Owned by Match Group, Inc., Tinder is a location-based, social media, application for dating. The app connects singles and allows them to “Swipe Right”, if they wish to connect with another individual, or they can “Swipe Left”, if they are not interested. The user can also “Swipe Up” (called a “super like”), which notifies the user that they have been “Super Liked”. The ability to passively block communication with someone, whom a user is not interested in, is what makes Tinder appealing for so many people.
Tinder gives the user the ability to chat with individuals who have both swiped right pseudo-anonymously. A user is not required to divulge his cellphone number, and a user can make his own judgment about how much personal information he wishes to share with another user when matched. Chats within the application are stored chronologically and can be deleted.
Tinder also offers a Web-based version of their service at gotinder.com and tinder.com (see Figure 10.21). The website gives users the ability to use Tinder’s services without a smartphone. The user simply logs in with their credentials . However, location services must be turned on, in the browser application, to use the Web version of the application.
FIGURE 21.10 www.gotinder.com user profile
One of the most popular features of Tinder is the ability for users to synchronize their personal Instagram page with their Tinder profile (see Figure 10.22). This feature allows someone whom they have matched with (both parties swipe right) to have the ability to view the other user’s Instagram profile. This allows a user to visit a Tinder user’s Instagram profile, even if the Instagram account is set to private. Connecting social media accounts in this fashion is referred to as “deep-linking”.
FIGURE 22.10 Tinder app linked to Instagram
A Spotify account can also be synchronized with a Tinder account, using deep-linking. This feature allows the users to share their personal playlists with individuals that they have matched with. A user can apply an “Anthem” to their profile, which can be the user’s favorite song.
Using Robtex (robtex.com), we can quickly map out the domains associated with Tinder, some of which are displayed in Figure 10.23.
FIGURE 10.23 DNS data for gotinder.com (Source: Robtex.com)
Utilizing tools, like Robtex and traceroute, and whatismyipaddress.com, an investigator can determine where app user data is being stored and determining jurisdiction.
An analysis of Tinder’s DNS connections shows that the Tinder app connects a user’s profile with servers managed by Facebook, Leanplum, Appsflyer, DoubleClick, and many other companies. Using Debookee, it was possible to intercept Tinder messages, an example of which can be viewed in Figure 10.24. Figure 10.25 displays sample DNS connections associated with Tinder and captured with Debookee.
FIGURE 10.24 Debookee HTTPS packet capture and decrypted chat message
FIGURE 10.25 DNS sample traffic captured with Debookee
Using BlackLight, a static analysis of the user data, contained in the Tinder SQLite database on an iPhone, reveals that the data is stored in plaintext. Interestingly, a private Instagram account could be viewed during this analysis. Moreover, that (private) Instagram account stored Instagram photos from other users without that user’s consent. User chat sessions, usernames, and Instagram data were all stored in plaintext on the iPhone test device. A URL can be found associated with each profile, which enables the user to access another user’s profile page—even if it is marked private.
An examination of the Tinder SQLite database also revealed the location of other Tinder users in close proximity, as shown in Figure 10.26.
FIGURE 10.26 ZDISTANCEMILES displays the distances to other users
It is also possible to obtain more precise information about users’ locations in the vicinity, as shown in Figure 10.27.
FIGURE 10.27 Location data from the Tinder app
Grindr
While there are many mobile apps that provide corroborating evidence in an investigation, Grindr is an app that has been used to perpetrate some of the most heinous crimes. Therefore, it is an app that warrants special attention for investigators. Stephen Port, from East London, U.K., was called the Grindr Serial Killer after he was charged with murdering four men that he met on Grindr. There are literally hundreds, if not thousands of cases, where Grindr has been used, by criminals, to lure victims and subsequently commit crimes, which include murder, assault, and robbery. The good news is that the Grindr app stores a wealth of information, in plaintext, which may help investigators and prosecutors.
Grindr was launched in 2009 and is the world’s leading social networking application for gay, bisexual, trans and queer people. Grindr, unlike traditional dating apps, like Tinder and Bumble, is designed to find individuals in close proximity to the user. The smallest value for distance that Tinder/Bumble incorporates into their platform is one mile but Grindr will literally go to “zero feet away”, and this is explicitly stated in the “About” section of their webpage. There is no “swipe left” or “dislike” and individuals are listed from closest to farthest away. There are no parameters to meet a certain type of user like with Tinder (age range, gender, etc.). If a user wants to engage with another user, they simply “Tap” that individual’s profile, and they will be notified. The other user is then notified that they have been tapped. At this point, both users can immediately send an unlimited number of messages, which can be texts, images, and “GayMoji” stickers.
Popular dating applications, like Tinder and Bumble, require both users to explicitly indicate their willingness to engage with the other. However, Grindr does not require mutual consent to begin a chat session. There is a safeguard to protect from harassment, where the user can simply delete the “Tap” from a user they do not like, ending the message session. There are different types of “Taps” that give a visual representation of what the individual is looking for. There is a “Hi” icon tap for if the individual just wants to introduce himself or herself, or perhaps just chat. There is a “flame” icon tap for if the individual is interested in dating or sex. And finally, there is a “smiling devil Emoji” icon tap if the individual is looking for a “no strings attached” interaction. If the message is a text, then it will be previewed next to the user’s profile. If it is a photo or video, it will have a small “Camera Icon” instead. A relatively new feature to the Grindr message function is “Read” receipts that will indicate whether the person a user messages has actually opened the message. Figure 10.28 shows the “Flame” tap and “Smiling Devil Tap” emojis.
Grindr has reached more than 196 countries with more than 3.6 million daily active users (2018). On average these users send 228 million messages and 20 million photos each day.
To date, there is no Web interface for Grindr, which supports user chat. However, the user can create a profile at www.grindr.com.
Grindr Evidence
Grindr does support deep-linking to social media services, which includes Facebook, Instagram, and Twitter. A feature of Grindr is the opportunity for a user to sync their personal Instagram page directly to their Grindr profile. This feature allows someone who has tapped on a user’s Grindr profile to directly view the user’s Instagram profile page. Grindr then gives the user the option to quickly switch directly to Instagram. This feature gives the user even more redundancy in deciding if the person they have matched with is someone they would still like to engage with. Both users still must go through the process of requesting to follow and allowing a follow through Instagram if the Instagram account is private. Like Instagram, a Facebook account can also be synced with a Grindr account, and it provides an easy one-click link directly to the Facebook profile on the Facebook app.
FIGURE 10.28 Grindr mobile user chat interface
Grindr appears to connect with a number of IP addresses, as displayed in Figure 10.29. A trace of these IP addresses goes back to San Francisco, California.
FIGURE 10.29 www.grindr.com.cdn.cloudfare.net DNS map (Source: Robtex.com)
Debookee could identify Grindr communication packets from iPhones, while they are being transmitted. The content is TLS/SSL encrypted. However, using the TLS decryption tool, offered by Debookee, it is possible to view a substantial amount of the DNS and HTTPS traffic, as shown in Figure 10.30. Messages are sent through cdns.grindr.com on port 443, using Amazon Web Services Inc. Although Grindr has made security updates to its platform since 2008, the third parties responsible for advertising, like Nexage, still pass sensitive PII, which includes exact location, sex, and age in plaintext, as shown in Figure 10.31. This means that anyone performing a man-in-the-middle attack could see that data.
FIGURE 10.30 Debookee HTTPS packet capture decryption
In a SQLite database, named greventLog.sqlite, you can find multiple latitude/longitude references stored in plaintext, as shown in Figure 10.32. Each message transaction is sent with updated location data. A latitude/longitude converter can then be used to find the address.
Messages in Grindr are unencrypted and are stored in plaintext. After viewing the data, a user has a unique identifier that is displayed in the “from” portion and in the “to” portion, which is a unique ID for the subject’s iPhone, as shown in Figure 10.33. After combing through PersistenceStore.bin, it is possible to see all message data generated between two devices. Incoming messages can also be retrieved in plaintext as shown in Figure 10.33.
FIGURE 10.31 Mopub banner ad including PII: Age, sex, and exact location
FIGURE 10.32 Latitude/longitude data from greventLog.sqlite
FIGURE 10.33 Text messages extracted in plaintext viewed in Hex Tab (BlackLight)
FIGURE 10.34 Text messages in plaintext viewed in Strings tab (BlackLight)
Rideshare Apps
Location information is always important in an investigation because an investigator does not just search for incriminating evidence but also needs to identify where a suspect was. As you will learn, rideshare apps, like Uber, contain extensive geolocation data that is easily accessible.
Uber
Uber is a service that enables drivers to act as flexible contractors and provide transportation services that compete with traditional taxi services. Consumers, using the Uber mobile app, can search for a car service in their area. The benefit to the consumer is that they are visually provided with the mapped location of Uber cars in their vicinity and are provided with an upfront quote for a specific journey (or “ride”). Uber operates in approximately 600 cities worldwide. In the past, Uber has received negative press about its geolocation tracking of users, which raised a number of concerns regarding its privacy policies and potentially invasive data collection practices. In April 2017, the New York Times published a story that documented a meeting, at Apple headquarters, in 2015, between Travis Kalanick, CEO of Uber, and Tim Cook, CEO of Apple. The article alleged that Mr. Cook scolded Mr. Kalanick for identifying and tagging iPhones after the Uber app had been uninstalled or the device had been wiped. Apparently, this type of user identity coding violated the Apple developer terms of service agreement.
An article in the New York Times detailed how Unroll.me, which purported to purge your device’s email inbox of annoying advertising messages, was used to spy on competitors. The article documented how Unroll.me would scan a user’s inbox, identify if there were service receipts, from competing companies like Lyft, and then sell that information to Lyft’s competitor—Uber.
Since the introduction of iOS 5, Apple has been limiting app developer access to the iPhone’s UDID (unique device identifier). A notice from Apple stated, “Starting May 1, the App Store will no longer accept new apps or app updates that access the UDID; please update your apps and servers to associate users with the Vendor or Advertising identifiers introduced in iOS 6.” Apple now prefers that app developers utilize the official Apple advertising platform to track app users. Based on Apple’s advertising and privacy policy, it appears that Apple does collect user data and then subsequently shares it with third parties. Nevertheless, developers can obtain extensive information about an app user through the integration of the UIDevice object. The UIDevice object can be used by an app developer to determine the assigned name of the device, device model and iOS version, orientation (orientation property) of the device, battery charge (batteryState property), and distance of the device to the user (proximity-State property). Moreover, developers can integrate code, during app development, for third-party analytics. These third-party companies include Localytics, mixpanel, UXCam, and Fabric. Companies like Apptopia provide app developers with extensive, nay invasive, analytics on competitor apps.
The use of the user UDID has not always been employed for nefarious purposes. However, the UDID was often utilized to identify if an app user was legitimate and could block a customer’s access if an account was compromised or potentially stolen. Fingerprinting is yet another methodology, used by third parties, to uniquely identify users, based on application configuration. Fingerprinting is best known for identifying online users based on user settings from their browser, which may include user cookies and browser plug-ins. The Electronic Frontier Foundation (EFF) created a project known as Panopticlick (panopticlick.eff.org) to raise awareness about how your browser is used by advertisers, and others, to identify and track you on the Web. The EFF announced that 84% of online users can be uniquely identified by their browser.
According to Uber’s user privacy statement, there are two categories of information collected about users: (a) Information You Provide to Us, which can include name, email, phone number, postal address, profile picture, payment method, and (b) Information We Collect Through Your Use of Our Services, which can include location information, contacts, transactions, usage and preference, device information, call and SMS data, and log information. Of particular interest is the device information (hardware model, operating system and version, software and file names and versions, preferred language, unique device identifier, advertising identifiers, serial number, device motion information, and mobile network information). In terms of location information, Uber is not specific about the extent to which the user’s location is being tracked but states that they “may also collect the precise location of your device when the app is running in the foreground or background.” Uber provides more detailed information about the use of location services on its website under iOS App Permissions.
What is interesting is that during our installation of the Uber app, a dialog box appears and states that “Uber collects your location (i) when the app is open and (ii) from the time of the trip request through five minutes after the trip ends”, as displayed in Figure 10.21.
FIGURE 10.35 Uber dialog box during installation
Uber states in their FAQ that the reasoning behind this data collection is to “improve pickups, drop-offs, customer service, and to enhance safety.” However, users reported seeing the Uber app using location services weeks after the app was used and certainly beyond the stated 5 minutes. Uber responded to these reports blaming Apple’s iOS Maps extension that Uber uses to serve regional maps to their customers.
Perhaps unsurprisingly, Uber has invested heavily in data science to retain its competitive advantage, as evidenced by its aggressive recruitment of data scientists. We also know that Uber extensively uses a telematics pilot program, called Autohawk, to identify the location of its drivers and perform diagnostic testing on the vehicle to ensure passenger safety. In fact, Uber provides geolocation information, provided by its data visualization team, on its website at eng.uber.com/data-viz-intel. Uber integrates both Fabric and Localytics in its mobile app. Fabric provides companies, like Uber, with real-time information about the health of their app. These analytics include application crash analytics. Localytics provide location information.
As of November 2017, allegations abound about Uber’s competitor spy programs. The Waymo v. Uber lawsuit appears to indicate that Uber may have been involved in illegal espionage. A letter, submitted as evidence in this lawsuit and penned by Richard Jacobs, former Uber security executive, details Uber’s illegal practices of hiring actors to collect data and spy on their competitors. In the letter, Jacobs, who at the time had filed suit against Uber in the capacity of “whistleblower”, detailed practices that would lead to the theft of trade secrets related to competitor fares and driver incentives. To settle, Uber paid Jacobs $4.3 million at the time. His allegations have now been made public and have been used in a related case, Waymo v. Uber. In this case, a former employee allegedly sold trade secrets to Uber, prior to the company being acquired by Uber.
Communication Apps
Communication apps, such as WhatsApp, Signal, Viber, and Skype, are arguably more important than traditional cellphone or landline calls for numerous reasons. The first reason is that it is a lot easier to obtain content from these apps than to obtain a Title III Wiretap. Secondly, the content is so much richer than a traditional call or a text message. For example, consumers will share rich content, while reacting to the comments of others. In other words, you can find group chats that can link individuals and see emoticons and other reactions to messages that demonstrate personalization and behavior.
Skype
Law enforcement today understands that cellular communications generally account for a minority of smartphone communications. In fact, criminal gangs will often prefer using mobile communication apps over traditional cellular calls. Therefore, it is essential to have a good understanding of applications like Skype, Viber, enLegion, and WhatsApp.
Skype is a peer-to-peer (P2P) communication application that facilitates free video, voice, and instant messaging (IM) using a Wi-Fi connection. Skype also allows for file transfer to other Skype contacts and fee-based voice calls to landline phones and cellular phones using VoIP. Skype can be used with Mac computers, personal computers, tablets, smartphones, smart televisions, smart Blu-ray players, and game systems that include Xbox One and Sony’s PS Vita PlayStation.
There are close to 300 million active monthly users worldwide. The company was purchased by Microsoft Corporation in 2011 for $8.5 billion.
Skype Location
Location is important in terms of jurisdiction, when conducting an investigation. If the investigation is being conducted in the United States, then having a corporate location in the U.S. is helpful. However, even the presence of a server in the U.S. can enable law enforcement to subpoena that entity.
Skype is headquartered in Luxembourg but also has offices in London (U.K.), Palo Alto (U.S.A.) and Tallinn (Estonia), Prague (Czech Republic), Stockholm (Sweden), Moscow (Russia) and Singapore.
Skype Encryption
Instant messages (IM), between the Skype and chat service in the Cloud, are encrypted using TLS (transport-level security). IM between two Skype users are encrypted using AES (Advanced Encryption Standard). Voice messages are encrypted when sent to the recipient. However, when the voice message is downloaded and listened to, it is stored on the client’s computer in an unencrypted way. Skype calls are also encrypted. When the user logs in, Skype will verify the user’s public key using 1536 or 2048-bit RSA certificates.
Skype Evidence
The SQLite database file associated with Skype is main.db. The following files can be found within this SQLite database:
DbMeta
Contacts
Videos
SMSes
CallMembers
ChatMembers
Alerts
Conversations
Participants
VideoMessages
LegacyMessages
Calls
Accounts
Transfers
Voicemails
Chats
Messages
ContactGroups
AppSchemaVersion
MediaDocuments
MessageAnnotations
Translators
tracker_journal
The Registry key associated with Skype is located here:
HKEY_CURRENT_USER\Software\Skype.
On a Windows PC, the file is located here:
%localappdata%\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\<Skype Name>
On a Mac, the file is located here:
~/Library/Application Support/Skype/YourSkypeName/main.db
Table 10.1 and Table 10.2 display PLists associated with applications that may be of interest to investigators. More information about PLists can be found in Chapter 12, “Mac Forensics”.
Table 10.1 Application PLists
Application |
SQLite File |
PList |
Friends.sqlite |
com.facebook.Facebook.plist |
|
com.linkedin.LinkedIn.plist |
||
Dropbox |
Dropbox.sqlite |
com.getdropbox.Dropbox.plist |
Skype |
main.db |
com.skype.skype.plist |
Amazon |
com.amazon.Amazon.plist |
|
eBay |
com.ebay.iphone.plist |
|
Google Maps |
MapTiles.sqlitedb |
|
Tinder |
Tinder2.sqlite |
|
ChatStorage.sqlite |
net.whatsapp.WhatsApp.plist |
Table 10.2 Apple App .db Files
Apple App |
SQLite File |
Phone |
AddressBook.sqlitedb |
Calendar |
Calendar.sqlitedb |
Phone |
Voicemail.db |
Phone |
Call_history.db |
Messages |
Sms.db |
Safari |
Safari/History.db |
Maps |
Maps/History.plist |
Siri |
ManagedObjects.SQLite |
Summary
Mobile forensics has become extremely important for investigations because of the wealth of evidence available. The mobile apps found on a device are beneficial because of the fact that the data contained in the SQLite database is unencrypted for many mobile applications. Furthermore, deep-linking, which links one application to another application, enables an investigator to pull data from multiple sources while only examining one application. The data available during a static analysis can include contacts, chats, location data pictures, and other important evidence. As discussed, a SQLite database is a relational database that contains a series of tables. A static analysis is not limited to extracting evidence using forensics tools but also includes a review of the application manifest. The application manifest clearly identifies permissions associated with the application, which will help to guide the investigator to look for evidence related to those permissions. A dynamic analysis can assist an investigator in understanding potential third-party evidence, which is based on an app’s connections to DNS servers when executed. Ultimately, these third-party companies can be subpoenaed for further evidence. A dynamic analysis can also determine the location of servers, associated with a mobile application, in terms of helping to identify jurisdiction. In this chapter, we spoke at length about mobile dating apps, which are important because of the extent of personal information available, primarily in the form of social media information. Dating apps are also important because we can also link people together. Grindr is particularly of interest to law enforcement because this dating app has actually been used to perpetrate crimes, especially hate crimes.
Key Terms
Android emulator: An application that simulates or runs the Android operating system in a virtual machine.
Android manifest file: A file that contains the application’s package name, its functionality, permissions, hardware and software requirements for installation.
App ID: A two-part string that identifies a development team (Team ID) and an application (bundle ID).
bundle ID: A uniform-type identifier, which is comprised of alphanumeric characters, that uniquely identifies a specific app.
GET: An HTTP method used to request data from a specific resource, like a web server.
man-in-the-middle (MITM) attack: An attempt to intercept electronic communications between two computing devices with the intent to decipher encrypted messages.
pcap file: A wireless packet that contains user data and network data related to the sender and receiver of that data.
zero-day exploit: A security vulnerability that is a threat on the day that it is discovered because a software patch, to fix the exploit, does not yet exist.
Assessment
Classroom Discussions
1. Based on what you have learned in this chapter, from a security perspective, how can you determine if a mobile application is safe to use?
2. In what ways have mobile applications helped criminals and their criminal activities?
3. Under what circumstances is it legal to use wireless packet capture tools, like Wireshark or Debookee?
Multiple-Choice Questions
1. An .apk file is associated with which of the following systems?
Android
iOS
Wireshark
Windows
2. Which of the following refers to a wireless packet that contains user data and network data related to the sender and receiver of that data?
pcap file
bundle ID
Android manifest file
Fill in the Blanks
1. An Android __________ file contains the application’s package name, its functionality, permissions, hardware and software requirements for installation.
2. An Android __________ is an application that simulates or runs the Android operating system in a virtual machine.
3. A(n) __________ file is a wireless packet that contains user data and network data related to the sender and receiver of that data.
4. A(n) __________ ID is a uniform-type identifier, which is comprised of alphanumeric characters, that uniquely identifies a specific app.
5. A(n) __________ ID is a two-part string that identifies a development team (Team ID) and an application (bundle ID).
6. A(n) __________-day exploit is a security vulnerability that is a threat on the day that it is discovered because a software patch, to fix the exploit, does not yet exist.
7. A man-in-the-__________ attack is an attempt to intercept electronic communications between two computing devices with the intent to decipher encrypted messages.
8. __________ is an HTTP method used to request data from a specific resource, like a web server.
Projects
Write an Essay about a Mobile Application
Select a popular mobile app of your choice, which is not covered in this chapter and then perform a static and dynamic analysis on the app, using the analytics tools discussed in this chapter. Describe the value of the evidence that you find from (a) a digital forensics investigator perspective and (b) an organizational security and privacy viewpoint.