Sep 23, 2010

After reading Cory’s post about Rooted Android device + Accounts.db = passwords stored in clear text, it got me thinking. What else could I find? There are multiple databases in the Android OS, ranging from chat history to password storage. Let’s see what they give up.

Here is what I used for the research.

1. Samsung Galaxy S (Vibrant) on the T-mobile network. This device has been “rooted”, using the method documented here on XDA.

2. A copy of Root Explorer. This allows you to browse the entire Android filesystem from your device. It requires root, and in turn gives you access to everything a traditional “root” account would. It also has a handy little SQLite DB viewer.

3. A copy of ShootMe, a screenshot app.

Both apps above are dependent on step one being complete. A few other notes: I have two additional, non-stock-ROM apps on this device.

1. Altered startup/shutdown animations.

2. The tether app, from the international Galaxy S (9000).

Both apps require root and are not standard APKs. Therefore they must be flashed using ClockworkMod recovery or the bootloader.

I also used the Android SDK and screencast to do some of the searching from the comfort of my laptop. [Update] I switched to VNC for remote admin of this device.

Part 1

Android Filesystem and the /data folder

I didn’t set out to create a multipart post, but the deeper down the rabbit hole I went, the more apparent it became that there was a lot of ground to cover. In Part 1, I am going to lay out the filesystem and the files that live in its largest directory, /data.

Here is what the root of the Android filesystem looks like. I am using busybox via the Android Terminal Emulator app.

# ls -al
drwxr-xr-x   21 0        0                0 Sep 23 06:57 .
drwxr-xr-x   21 0        0                0 Sep 23 06:57 ..
drwxr-xr-x    2 0        0                0 Jun 22 11:03 .info
drwxrwx---    1 1000     2001             0 Sep 23 06:58 cache
dr-x------    2 0        0                0 Sep 23 06:57 config
drwxrwx--x    1 1000     1000             0 Sep 23 06:57 data
drwxrwx--x    1 1000     1000             0 Sep 23 06:57 data_tmo
drwxrwx--x    1 1000     1000             0 Sep 23 06:57 dbdata
-rwxr-xr-x    1 0        0              117 Jun 22 10:44 default.prop
drwxr-xr-x   10 0        0            13540 Sep 23 06:57 dev
drwxrwx--x    1 1001     1001             0 Sep 23 06:57 efs
lrwxrwxrwx    1 0        0               10 Jun 22 11:03 etc -> system/etc
-rwxr-xr-x    1 0        0             2237 Jun 22 10:44 fota.rc
lrwxrwxrwx    1 0        0                9 Jun 22 11:03 init -> sbin/init
-rwxr-xr-x    1 0        0            24482 Jun 22 10:58 init.rc
-rwxr-xr-x    1 0        0              444 Jun 22 10:44 init.smdkc110.rc
-rwxr-xr-x    1 0        0              335 Jun 22 10:44 init.smdkc110.sh
drwxr-xr-x    3 0        0                0 Jun 22 11:03 lib
-rwxr-xr-x    1 0        0              727 Jun 22 10:44 lpm.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 mnt
dr-xr-xr-x  112 0        0                0 Jan  1  1970 proc
-rwxr-xr-x    1 0        0             1143 Jun 22 10:44 recovery.rc
drwxr-xr-x    3 0        0                0 Jun 22 11:03 res
drwxr-xr-x    3 0        0                0 Jun 22 11:03 sbin
drwxrwxr-x   55 1000     1015         32768 Sep 23 07:00 sdcard
drwxrwxrwt    2 0        0               40 Sep 23 15:32 sqlite_stmt_journals
drwxr-xr-x   12 0        0                0 Jan  1  1970 sys
drwxr-xr-x    1 0        0                0 Sep 23 06:57 system
-rwxr-xr-x    1 0        0              154 Jun 22 10:44 system.prop
drwxr-xr-x    3 0        0                0 Jun 22 11:03 tmp
drwxrwx--x    2 1000     1000             0 Sep 23 06:57 userdata

A quick search for databases from the filesystem root gave me more hits than I could parse through, so I decided to search each directory separately for a more manageable view.

There were still so many just in the /data directory that I have removed entries for apps like XKCD, The Onion and similar. Cached .db files are also not included. I wanted to keep this to what seemed “juicy”. Maybe in another post I can review those to see what those applications are giving up.

$ export PATH=/data/local/bin:$PATH
$ su
# find /data -name '*.db'
/data/data/com.android.providers.userdictionary/databases/user_dict.db
/data/data/com.google.android.talk/databases/suggestions.db
/data/data/com.google.android.providers.settings/databases/googlesettings.db
/data/data/com.layar/databases/layar.db
/data/data/com.android.providers.security/databases/policies.db
/data/data/com.android.providers.telephony/nwk_info.db
/data/data/com.android.providers.telephony/optable.db
/data/data/com.google.android.providers.subscribedfeeds/databases/subscribedfeeds.db
/data/data/com.sec.android.providers.downloads/databases/sisodownloads.db
/data/data/com.google.android.youtube/databases/history.db
/data/data/com.android.email/databases/EmailProvider.db
/data/data/com.android.email/databases/EmailProviderBody.db
/data/data/com.android.email/databases/webview.db
/data/data/com.android.htmlviewer/databases/webview.db
/data/data/com.android.globalsearch/databases/shortcuts-log.db
/data/data/com.android.providers.drm/databases/drm.db
/data/data/com.google.android.voicesearch/databases/webview.db
/data/data/com.android.bluetooth/databases/btopp.db
/data/data/com.sec.android.app.callsetting/databases/rejectmessage.db
/data/data/com.sec.android.app.callsetting/databases/autoreject.db
/data/data/com.twitter.android/databases/twitter.db
/data/data/com.facebook.katana/databases/fb.db
/data/data/com.google.android.apps.googlevoice/databases/model.db
/data/data/com.google.android.apps.googlevoice/databases/shadowmappings.db
/data/data/com.google.android.apps.googlevoice/databases/server_settings.db
/data/data/com.dropbox.android/databases/db.db
/data/data/com.tweetdeck.app/databases/webview.db
/data/data/org.connectbot/databases/webview.db
/data/data/com.ebay.mobile/databases/webview.db
/data/system/accounts.db

Awesome. Time to head over to Root Explorer and see what the data says. I will post all findings in the Google Docs spreadsheet embedded below.

In Part 2, I hope to cover the remaining databases and what lies within. Hopefully we won’t find anything worse than we already have.

The guys over at viaForensics have a pretty nice application to talk to some of these databases. However, it is no longer available to the public. I am going to *attempt* to leverage Google’s App Inventor to automate much of this process, or maybe spit out an .apk to see what can be extracted from both rooted and non-rooted devices.
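The two manual steps above (the find for *.db files with cache databases filtered out, and then opening each one in a viewer to see what it stores) are easy to turn into a repeatable audit. The script below is an added example written for this post, not the author's tool and not the viaForensics application: it walks a directory tree the way `find /data` does, identifies SQLite files by their 16-byte header rather than by extension (Android apps do not always use .db), skips cache directories, and flags any table column whose name hints at a credential or token. The sample tree it builds in a temp directory is constructed for the demo; the column-name hints and the cache-directory skip list are assumptions you would tune for your own apps.

```python
"""Audit a directory tree for SQLite databases and flag credential-looking columns.

Added example, not the post's own code. Opens every database read-only so the
audit never alters the evidence, and checks the SQLite header instead of the
file extension. Run it against a copy of /data pulled from a test device, or
against build_sample_tree() for an offline demo.
"""
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # fixed 16-byte header of every SQLite 3 file
# Assumed list of substrings that suggest a column holds a secret; tune per app.
SENSITIVE_HINTS = ("password", "passwd", "pwd", "secret", "token", "auth", "cookie", "session")


def is_sqlite(path):
    """True if the file starts with the SQLite 3 magic, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_databases(root, skip_dirs=("cache",)):
    """Walk root like `find /data` and return SQLite files, pruning cache dirs."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_sqlite(path):
                hits.append(path)
    return sorted(hits)


def sensitive_columns(db_path):
    """Return (table, column) pairs whose column name contains a credential hint."""
    findings = []
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only open
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            quoted = table.replace('"', '""')  # identifiers cannot be bound as parameters
            for col in con.execute('PRAGMA table_info("%s")' % quoted):
                cname = col[1]  # PRAGMA table_info: (cid, name, type, notnull, dflt, pk)
                if any(hint in cname.lower() for hint in SENSITIVE_HINTS):
                    findings.append((table, cname))
    finally:
        con.close()
    return findings


def audit(root):
    """Map every database under root to the suspicious columns it declares."""
    return {path: sensitive_columns(path) for path in find_databases(root)}


def build_sample_tree():
    """Constructed sample data: a miniature /data with two app DBs and one cache DB."""
    root = tempfile.mkdtemp(prefix="androidaudit_")

    def make(rel, schema):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        con = sqlite3.connect(path)
        con.executescript(schema)
        con.commit()
        con.close()

    # Mirrors the shape of accounts.db from the post; values are made up.
    make("system/accounts.db",
         "CREATE TABLE accounts(_id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT);"
         "INSERT INTO accounts VALUES(1, 'user@example.com', 'com.google', 'not-a-real-secret');")
    make("data/com.example.chat/databases/chat.db",
         "CREATE TABLE messages(_id INTEGER PRIMARY KEY, body TEXT);")
    # Lives under a cache/ directory, so find_databases() should skip it.
    make("data/com.example.chat/cache/webview.db",
         "CREATE TABLE cookies(_id INTEGER PRIMARY KEY, cookie TEXT);")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for db, cols in audit(sample_root).items():
        print(os.path.relpath(db, sample_root), "->", cols or "nothing flagged")
```

Pointing `audit()` at a real `/data` copy gives a quick triage list: databases with flagged columns are the ones worth opening first, and the read-only URI means the audit leaves the files' mtimes and journals untouched, which matters if the copy is evidence. Column names are only a hint; a column called `body` can still hold a pasted password, so the script narrows the search rather than replacing a look at the rows.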
