
Hard-Coded Data / On-Device

An Android app can be configured in many different places. On the device these are typically SQLite databases, JSON or XML files (including the SharedPreferences XML files under shared_prefs). The main configuration file is AndroidManifest.xml, which declares the permissions the app requests, its components (activities, services, broadcast receivers, content providers) and the intent filters they expose.

There are two places to evaluate the application: the installed app on the device and the APK file. Look in both, since an installed app that has actually been used will contain runtime data (databases, preferences, caches, tokens) that the APK does not. The APK is the place to learn about the configuration and to review the smali and decompiled Java/Kotlin code of the app.

Get app Environment Information

Objection will get you the following information:

Name                    Directory
cacheDirectory          /data/user/0/com.example.app/cache
codeCacheDirectory      /data/user/0/com.example.app/code_cache
externalCacheDirectory  /storage/emulated/0/Android/data/com.example.app/cache
filesDirectory          /data/user/0/com.example.app/files
obbDir                  /storage/emulated/0/Android/obb/com.example.app/
packageCodePath         /data/app/~~4166P8pxwPF5-g==/com.example-FzEq8MFJsWzgA==/base.apk

To get the current environment information (-g takes the name or package identifier of the running process):

objection -g 'App Name' run env

While not listed in this output, the main app directory can be inferred from it: it is the parent of cacheDirectory and filesDirectory. In the example above, the main app directory would be /data/user/0/com.example.app/ (the same directory is also reachable as /data/data/com.example.app on a rooted device).

Search for SQLite Databases

To search for database files (the grep commands look at file contents rather than trusting extensions: -a treats binary files as text, -l prints only the matching filename, -i ignores case; the first finds the "SQLite format 3" header, the second is a broad catch-all and will be noisy):

cd /data/user/0/com.example.app
find . -type f -exec grep -ali sqlite {} \;
find . -type f -exec grep -ali data {} \;
find . -type f -iname \*.sqlite
find . -type f -iname \*.sqlite3
find . -type f -iname \*.db

To open an SQLite database for review:

sqlite3 filename.db

To list the tables in the database:

> .tables

To review the data in a table:

> select * from tablename;

To exit the database:

> .exit

Search for Other Databases

In some cases, other mobile databases are used in an app. Some of the more common ones are Realm DB, Couchbase Lite and SQLCipher.

SQLCipher (zetetic.net/sqlcipher)

SQLCipher is an extension of SQLite that transparently encrypts the database with 256-bit AES. Such databases typically use the same file extensions as a regular SQLite database, and the file header is ciphertext rather than the "SQLite format 3" string. If you try to open one with sqlite3 and it reports "file is not a database", it is likely encrypted. Open the file with the sqlcipher client instead; you will still need the key (usually a passphrase hard-coded in the app or derived at runtime), supplied with PRAGMA key = 'passphrase'; before any query.

The sqlcipher client application can be installed through Homebrew (brew install sqlcipher).

Realm DB (https://realm.io)

If you encounter a Realm DB in the mobile app, you can use Realm Studio (the successor to Realm Browser) on macOS to view the database.

To search for Realm databases:

find . -iname \*.realm
./files/GdmAuth.realm
./files/InvestorAppDb.realm

In this case, there are two databases. In the files directory you will also see auxiliary files and directories associated with each database, with names such as .realm.lock, .realm.management and .realm.note; these hold lock and notification state, not the data itself.

The easiest way to view the data is to copy the .realm files to your macOS system and open them in Realm Studio. Note that Realm databases can be encrypted (with a 64-byte key), in which case you will have to recover the key from the app's code or from memory at runtime before the file can be opened.

Couchbase Lite (couchbase.com)

Couchbase Lite is a NoSQL database for mobile and desktop applications. It is "offline first": data is written locally and replicated to a server (Couchbase Sync Gateway) when a replication is configured. You can discover these databases by the .cblite or .cblite2 extension; note that .cblite2 is a directory bundle, which itself contains an SQLite file that can be opened with sqlite3.

find . -iname \*.cblite
find . -iname \*.cblite2

Search for JSON/XML/Text Files

To search for these files:

cd /data/user/0/com.example.app
find . -iname \*.txt
find . -iname \*.xml
find . -iname \*.json

To open the file for review:

cat filename

Search for Certificate Files

While rare, the app may include certificate or key material in its data directory. Certificates are usually harmless (for example a pinned server CA), but a private key stored on device is a finding in its own right, so check what each file actually contains rather than relying on its extension.

find . -iname \*.cer
find . -iname \*.pem
find . -iname \*.cert
find . -iname \*.crt
find . -iname \*.pub
find . -iname \*.key
find . -iname \*.pfx
find . -iname \*.p12
find . -iname \*.pkcs7
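The searches above (SQLite databases, SQLCipher-looking files, and certificate or key files) can be combined into one content-based triage pass over a pulled app directory. The script below is an added example, not code from the original page or from any tool it mentions: it identifies SQLite files by their 16-byte header rather than by extension, dumps every user table the way .tables and SELECT * do in the sqlite3 shell, flags .db/.sqlite files that lack the header as possibly encrypted (the SQLCipher "file is not a database" case), and flags PEM private keys and certificates. The sample directory it builds is constructed inside the script and is not real app data; the paths, table and file names are placeholders.

```python
"""Content-based triage of an app data directory pulled from a device (added example)."""
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every unencrypted SQLite file
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----")
DB_EXTS = (".db", ".sqlite", ".sqlite3")


def classify(path):
    """Label a file from its leading bytes; the extension is only a fallback hint."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if PEM_KEY_RE.search(head):
        return "private-key"
    if PEM_CERT_RE.search(head):
        return "certificate"
    if path.lower().endswith(DB_EXTS):
        # Database extension but no SQLite header: this is the "file is not a
        # database" case in the sqlite3 shell, typically SQLCipher (its first
        # page is salt plus ciphertext) or a non-SQLite engine.
        return "possibly-encrypted-db"
    return "other"


def quote_ident(name):
    """Quote an SQL identifier; table names come from the untrusted file."""
    return '"' + name.replace('"', '""') + '"'


def dump_sqlite(path):
    """Return {table: [rows]} for every user table, opening the file read-only."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # never modify evidence
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute(f"SELECT * FROM {quote_ident(n)}").fetchall()
                for n in names}
    finally:
        con.close()


def triage(root):
    """Walk root; return (labels, dumps) keyed by forward-slash relative path."""
    labels, dumps = {}, {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            labels[rel] = classify(path)
            if labels[rel] == "sqlite":
                dumps[rel] = dump_sqlite(path)
    return labels, dumps


def build_sample_dir():
    """Constructed stand-in for /data/user/0/com.example.app; not real app data."""
    root = tempfile.mkdtemp(prefix="com.example.app-")
    for sub in ("databases", "files"):
        os.makedirs(os.path.join(root, sub))
    con = sqlite3.connect(os.path.join(root, "databases", "app.db"))
    con.execute("CREATE TABLE session (id INTEGER, token TEXT)")
    con.execute("INSERT INTO session VALUES (1, 'constructed-token-value')")
    con.commit()
    con.close()
    # Same .db extension but a non-SQLite header: what a SQLCipher file looks like.
    with open(os.path.join(root, "databases", "secure.db"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    with open(os.path.join(root, "files", "client.key"), "wb") as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nconstructed-placeholder\n"
                 b"-----END PRIVATE KEY-----\n")
    with open(os.path.join(root, "files", "prefs.json"), "w") as fh:
        fh.write('{"api_base": "https://api.example.invalid"}\n')
    return root


if __name__ == "__main__":
    import sys
    # Pass a pulled app directory as argv[1]; with no argument the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    labels, dumps = triage(target)
    for rel, label in sorted(labels.items()):
        print(f"{label:22} {rel}")
        for table, rows in dumps.get(rel, {}).items():
            print(f"    {table}: {rows}")
```

Run it against a directory pulled with adb (for example adb pull /data/user/0/com.example.app ./app-data, then python3 triage.py ./app-data). The header check is what matters: a renamed or extension-less SQLite file is still found, and a .db file that is really SQLCipher is reported as a candidate for the sqlcipher client rather than silently skipped.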