Review App Session Cookies
Once you are logged into the mobile app, a session is established with the back-end server. You can capture this session information with Frida, or check the SQLite database for the app.
Cookie Information
SQLite Database
Cookie information for the app communications should be stored in a SQLite database called Cookies. Search the app data directory for the file:
cd /data/data/<package-id>
find . -iname Cookies
Once you find the database, you can use the SQLite utility to view the information.
sqlite3 Cookies
# Once in SQLite it uses the sqlite> prompt
# View the tables in the database
sqlite> .tables
cookies meta
# The data will be in the cookies table
sqlite> select * from cookies;
# To get the column names for the cookies table
sqlite> .schema cookies
CREATE TABLE cookies(creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,top_frame_site_key TEXT NOT NULL,name TEXT NOT NULL,value TEXT NOT NULL,encrypted_value BLOB NOT NULL,path TEXT NOT NULL,expires_utc INTEGER NOT NULL,is_secure INTEGER NOT NULL,is_httponly INTEGER NOT NULL,last_access_utc INTEGER NOT NULL,has_expires INTEGER NOT NULL,is_persistent INTEGER NOT NULL,priority INTEGER NOT NULL,samesite INTEGER NOT NULL,source_scheme INTEGER NOT NULL,source_port INTEGER NOT NULL,last_update_utc INTEGER NOT NULL,source_type INTEGER NOT NULL,has_cross_site_ancestor INTEGER NOT NULL);
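To review the flags in the cookies table without reading raw rows, the following added example (not part of the original page) lists cookies that lack Secure or HttpOnly or have a permissive SameSite value, and converts expires_utc to a readable date. It assumes the file uses the Chromium cookie store encoding, which the schema above matches: timestamps in microseconds since 1601-01-01 UTC and samesite values -1/0/1/2. The sample rows and the servername.example host are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: Chromium cookie store encoding (microseconds since 1601-01-01 UTC,
# samesite stored as -1/0/1/2). Confirm against the app under review.
CHROMIUM_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMESITE = {-1: "unspecified", 0: "none", 1: "lax", 2: "strict"}

def chromium_time(us):
    """Convert a creation_utc/expires_utc value to a datetime (None if 0)."""
    return CHROMIUM_EPOCH + timedelta(microseconds=us) if us else None

def audit_cookies(conn):
    """Return one finding per cookie that has at least one weak attribute."""
    rows = conn.execute(
        "SELECT host_key, name, is_secure, is_httponly, samesite, "
        "is_persistent, expires_utc FROM cookies ORDER BY host_key, name")
    findings = []
    for host, name, secure, httponly, samesite, persistent, expires in rows:
        issues = []
        if not secure:
            issues.append("no Secure flag")
        if not httponly:
            issues.append("no HttpOnly flag")
        if samesite in (-1, 0):
            issues.append("SameSite " + SAMESITE[samesite])
        if issues:
            findings.append({"host": host, "name": name, "issues": issues,
                             "expires": chromium_time(expires) if persistent else None})
    return findings

def sample_db():
    """Constructed sample rows (not from a real app), trimmed to the columns used."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies(host_key TEXT, name TEXT, is_secure INTEGER,"
                 " is_httponly INTEGER, samesite INTEGER, is_persistent INTEGER,"
                 " expires_utc INTEGER)")
    conn.executemany("INSERT INTO cookies VALUES (?,?,?,?,?,?,?)", [
        (".servername.example", "session", 1, 1, 1, 1, 13318032640000000),
        (".servername.example", "visitor", 0, 0, -1, 1, 13349395840000000),
    ])
    return conn

if __name__ == "__main__":
    # Replace sample_db() with sqlite3.connect("Cookies") on a pulled copy of the file.
    for f in audit_cookies(sample_db()):
        print(f["host"], f["name"], "; ".join(f["issues"]), f["expires"])
```

Run it against a copy of the Cookies file rather than the live database, so the app's own writes are not disturbed.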
Frida
The android-okhttp-connections.js script will show the HTTP headers, including the set-cookie: response header or the Authorization: request header, which you can evaluate:
frida -U -l android-okhttp-connections.js -f com.example.app
Set-Cookie Example:
Found instance: :status: 200
content-type: application/json; charset=utf-8
date: Wed, 11 Jan 2023 21:30:40 GMT
set-cookie: AWSALB=UhrRSZ5/oc/w8vexUs3na5K5HMXlIX0c3kM1HamGLyG616Zhfzp6jYbtvykNWhUkGnwIzpLC7K7hkRVDdX+LMgxWyl+GDeZzHLmwUaLge0sEOUyWoVpZMOKHLpHb; Expires=Wed, 18 Jan 2023 21:30:40 GMT; Path=/
set-cookie: AWSALBCORS=UhrRSZ5/oc/w8vexUs3na5K5HMXlIX0c3kM1HamGLyG616Zhfzp6jYbtvykNWhUkGnwIzpLC7K7hkRVDdX+LMgxWyl+GDeZzHLmwUaLge0sEOUyWoVpZMOKHLpHb; Expires=Wed, 18 Jan 2023 21:30:40 GMT; Path=/; SameSite=None; Secure
last-modified: Wed, 11 Jan 2023 21:30:40 GMT
x-frame-options: SAMEORIGIN
vary: Origin, Accept-Encoding
access-control-allow-credentials: true
set-cookie: app-production=s%3AV-9XGI8kUgChE6hpDDDDDfAfu5ny8aOE.tp8S%2BHZimTq5pNp7M8iIcDIC7bx6FHGhquPYStK8LBc; Domain=servername.net; Path=/; Expires=Thu, 12 Jan 2023 21:30:40 GMT; HttpOnly; Secure
content-encoding: gzip
x-envoy-upstream-service-time: 31
set-cookie:
set-cookie: fb_sessiontraffic=S_TOUCH=&pathway=ddb3f4f7-1042-4f6f-a749-1edcbe12e7ef&V_DATE=&pc=0; Path=/; Domain=servername.net; Expires=Wed, 11 Jan 2023 21:50:40 GMT
set-cookie: pathway=ddb3f4f7-1042-4f6f-a749-1edcbe12e7ef; Path=/; Domain=servername.net; Expires=Wed, 11 Jan 2023 21:50:40 GMT
set-cookie: visitor=vid=ddb3f4f7-1042-4f6f-a749-1edcbe12e7ef; Path=/; Domain=servername.net; Expires=Wed, 10 Jan 2024 21:30:40 GMT
server: envoy
x-cache: Miss from cloudfront
via: 1.1 e28b02d9b123DDbf45d9d0b6b0d179c.cloudfront.net (CloudFront)
x-amz-cf-pop: ATL59-P1
x-amz-cf-id: QO3oFe3Icn7AAAAApfOq98nM5p_0z5DW6gWeMfSmKYM6JyP9QZNzGw==
Authorization Example:
--------------
-- Method --
POST
--------------
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI3ZDM4YmZkMS1hZjBmL...
servername-REQUEST-ID: 29f7777e-446b-4f86-b77b-784f0c03842f
servername-Source-App: com.example.appkit
Content-Type: application/json; charset=UTF-8
Content-Length: 168
Host: reporting.servername.net
Connection: Keep-Alive
Accept-Encoding: gzip
User-Agent: okhttp/4.9.1