After reading Cory’s post about Rooted Android device + Accounts.db = passwords stored in clear text, it got me thinking: what else could I find? There are multiple databases in the Android OS, ranging from chat history to password storage. Let's see what they give up.
Here is what I used for the research.
1. Samsung Galaxy S (Vibrant) on the T-mobile network. This device has been “rooted”, using the method documented here on XDA.
2. A copy of Root Explorer. This allows you to browse the entire Android File system from your device. Requires root, but also gives you access to everything a traditional “root” account would. It also has a handy little SQLite DB viewer.
3. A copy of ShootMe, a screenshot app.
Both apps above depend on step one being complete. A few other notes: I have two additional, non-stock ROM apps on this device.
1. Altered startup/shutdown animations.
2. The tether app, from the international Galaxy S (9000).
Both apps require root and are not standard APKs, so they must be flashed using clockwork or the bootloader.
I also used the Android SDK and screencast to do some of the searching from the comfort of my laptop. [Update] I switched to VNC for remote admin of this device.
Part 1
Android Filesystem and the /data folder
I didn’t set out to create a multipart post, but the deeper down the rabbit hole I went, the more apparent it became that there was a lot of ground to cover. In Part 1, I am going to lay out the filesystem and the files that live in its largest directory, /data.
Here is what the Android filesystem directory structure looks like. I am using busybox via the Android Terminal emulator app.
# ls -al
drwxr-xr-x 21 0 0 0 Sep 23 06:57 .
drwxr-xr-x 21 0 0 0 Sep 23 06:57 ..
drwxr-xr-x 2 0 0 0 Jun 22 11:03 .info
drwxrwx--- 1 1000 2001 0 Sep 23 06:58 cache
dr-x------ 2 0 0 0 Sep 23 06:57 config
drwxrwx--x 1 1000 1000 0 Sep 23 06:57 data
drwxrwx--x 1 1000 1000 0 Sep 23 06:57 data_tmo
drwxrwx--x 1 1000 1000 0 Sep 23 06:57 dbdata
-rwxr-xr-x 1 0 0 117 Jun 22 10:44 default.prop
drwxr-xr-x 10 0 0 13540 Sep 23 06:57 dev
drwxrwx--x 1 1001 1001 0 Sep 23 06:57 efs
lrwxrwxrwx 1 0 0 10 Jun 22 11:03 etc -> system/etc
-rwxr-xr-x 1 0 0 2237 Jun 22 10:44 fota.rc
lrwxrwxrwx 1 0 0 9 Jun 22 11:03 init -> sbin/init
-rwxr-xr-x 1 0 0 24482 Jun 22 10:58 init.rc
-rwxr-xr-x 1 0 0 444 Jun 22 10:44 init.smdkc110.rc
-rwxr-xr-x 1 0 0 335 Jun 22 10:44 init.smdkc110.sh
drwxr-xr-x 3 0 0 0 Jun 22 11:03 lib
-rwxr-xr-x 1 0 0 727 Jun 22 10:44 lpm.rc
drwxr-xr-x 3 0 0 0 Jun 22 11:03 mnt
dr-xr-xr-x 112 0 0 0 Jan 1 1970 proc
-rwxr-xr-x 1 0 0 1143 Jun 22 10:44 recovery.rc
drwxr-xr-x 3 0 0 0 Jun 22 11:03 res
drwxr-xr-x 3 0 0 0 Jun 22 11:03 sbin
drwxrwxr-x 55 1000 1015 32768 Sep 23 07:00 sdcard
drwxrwxrwt 2 0 0 40 Sep 23 15:32 sqlite_stmt_journals
drwxr-xr-x 12 0 0 0 Jan 1 1970 sys
drwxr-xr-x 1 0 0 0 Sep 23 06:57 system
-rwxr-xr-x 1 0 0 154 Jun 22 10:44 system.prop
drwxr-xr-x 3 0 0 0 Jun 22 11:03 tmp
drwxrwx--x 2 1000 1000 0 Sep 23 06:57 userdata
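Reading the listing for what it says about access, as an added example (not code from the original post): the script below parses a subset of the rows above, copied from the post, into numeric modes and reports two things that matter on a system where every app runs as its own UID: entries any UID can write to, and directories any UID may traverse but not enumerate. The second case is why root was needed for the `find` further down: /data is mode 0771, so an ordinary app UID can reach a path it already knows but cannot list what else lives there.

```python
"""Parse busybox `ls -al` rows and flag permission exposure.

Added example, not from the original post. The embedded listing is a
subset of the device-root listing in the post; the parsing and the
classification rules are my own.
"""
import stat

# Subset of the post's listing, permission strings as busybox prints them.
LISTING = """\
drwxrwx--- 1 1000 2001 0 Sep 23 06:58 cache
dr-x------ 2 0 0 0 Sep 23 06:57 config
drwxrwx--x 1 1000 1000 0 Sep 23 06:57 data
drwxrwx--x 1 1000 1000 0 Sep 23 06:57 dbdata
drwxr-xr-x 10 0 0 13540 Sep 23 06:57 dev
drwxrwx--x 1 1001 1001 0 Sep 23 06:57 efs
lrwxrwxrwx 1 0 0 10 Jun 22 11:03 etc -> system/etc
drwxrwxr-x 55 1000 1015 32768 Sep 23 07:00 sdcard
drwxrwxrwt 2 0 0 40 Sep 23 15:32 sqlite_stmt_journals
drwxr-xr-x 1 0 0 0 Sep 23 06:57 system
"""

# The nine permission columns in ls order map onto these mode bits.
PERM_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# The three execute columns may also carry setuid, setgid and sticky.
SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def parse_mode(mode_str):
    """Turn a 10-char mode string such as 'drwxrwx--x' into an int (0o771)."""
    perms = mode_str[1:]
    if len(perms) != 9:
        raise ValueError("expected a 10-character mode string: %r" % mode_str)
    mode = 0
    for i, ch in enumerate(perms):
        if ch in "rwx":
            mode |= PERM_BITS[i]
        elif ch in "st":          # special bit with the execute bit set
            mode |= PERM_BITS[i] | SPECIAL_BITS[i]
        elif ch in "ST":          # special bit without execute
            mode |= SPECIAL_BITS[i]
        elif ch != "-":
            raise ValueError("unexpected permission char %r in %r" % (ch, mode_str))
    return mode


def parse_listing(text):
    """Parse `ls -al` rows into dicts; 'total' lines and short rows are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        mode_str, _links, uid, gid, _size, _mon, _day, _time, name = parts
        mode = parse_mode(mode_str)
        entries.append({
            "name": name.split(" -> ")[0],   # drop a symlink's target
            "type": mode_str[0],
            "uid": int(uid),
            "gid": int(gid),
            "octal": format(mode, "04o"),
            "other_r": bool(mode & stat.S_IROTH),
            "other_w": bool(mode & stat.S_IWOTH),
            "other_x": bool(mode & stat.S_IXOTH),
        })
    return entries


def world_writable(entries):
    """Names any UID can write to; symlink mode bits are ignored by the kernel."""
    return [e["name"] for e in entries if e["type"] != "l" and e["other_w"]]


def traversable_not_listable(entries):
    """Directories any UID may enter (x) but not enumerate (no r)."""
    return [e["name"] for e in entries
            if e["type"] == "d" and e["other_x"] and not e["other_r"]]


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    for e in rows:
        print("%-22s %s uid=%-5d gid=%d" % (e["name"], e["octal"], e["uid"], e["gid"]))
    print("world-writable:", world_writable(rows))
    print("traversable but not listable:", traversable_not_listable(rows))
```

On the sample rows, the only world-writable entry is sqlite_stmt_journals (mode 1777, sticky so one UID cannot remove another's journal files), while data, dbdata and efs are the 0771 directories that block enumeration without root.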
A quick search for databases from the root gave me more hits than I could parse through, so I decided to search each directory separately for a simpler view.
There were still so many just in the data directory that I have removed entries for apps like XKCD, The Onion and similar. Cached .db files are also not included. I wanted to keep this to what seemed “juicy”. Maybe in another post I can review those to see what those applications are giving up.
$ export PATH=/data/local/bin:$PATH
$ su
# find /data -name '*.db'
/data/data/com.android.providers.userdictionary/databases/user_dict.db
/data/data/com.google.android.talk/databases/suggestions.db
/data/data/com.google.android.providers.settings/databases/googlesettings.db
/data/data/com.layar/databases/layar.db
/data/data/com.android.providers.security/databases/policies.db
/data/data/com.android.providers.telephony/nwk_info.db
/data/data/com.android.providers.telephony/optable.db
/data/data/com.google.android.providers.subscribedfeeds/databases/subscribedfeeds.db
/data/data/com.sec.android.providers.downloads/databases/sisodownloads.db
/data/data/com.google.android.youtube/databases/history.db
/data/data/com.android.email/databases/EmailProvider.db
/data/data/com.android.email/databases/EmailProviderBody.db
/data/data/com.android.email/databases/webview.db
/data/data/com.android.htmlviewer/databases/webview.db
/data/data/com.android.globalsearch/databases/shortcuts-log.db
/data/data/com.android.providers.drm/databases/drm.db
/data/data/com.google.android.voicesearch/databases/webview.db
/data/data/com.android.bluetooth/databases/btopp.db
/data/data/com.sec.android.app.callsetting/databases/rejectmessage.db
/data/data/com.sec.android.app.callsetting/databases/autoreject.db
/data/data/com.twitter.android/databases/twitter.db
/data/data/com.facebook.katana/databases/fb.db
/data/data/com.google.android.apps.googlevoice/databases/model.db
/data/data/com.google.android.apps.googlevoice/databases/shadowmappings.db
/data/data/com.google.android.apps.googlevoice/databases/server_settings.db
/data/data/com.dropbox.android/databases/db.db
/data/data/com.tweetdeck.app/databases/webview.db
/data/data/org.connectbot/databases/webview.db
/data/data/com.ebay.mobile/databases/webview.db
/data/system/accounts.db
Awesome. Time to head over to Root Explorer and see what the data says. I will post all findings in the Google Docs spreadsheet embedded below.
In Part 2, I hope to cover the remaining databases and what lies within. Hopefully we won't find anything worse than we already have.
The guys over at viaForensics have a pretty nice application to talk to some of the databases. However, it is no longer available to the public. I am going to *attempt* to leverage Google's App Inventor to automate much of this process, or maybe spit out an .apk to see what can be extracted from both rooted and non-rooted devices.
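One way to script the two steps above, finding the .db files and then looking at what is inside them, as an added example that is not code from the original post or from viaForensics: the script walks a directory tree for `*.db` files exactly as the `find` command does, opens each database read-only, and reports only the tables and column names that hint at stored secrets. It never prints cell values, so its report can be shared without itself leaking a credential. The keyword list is my own assumption rather than an Android convention, and the sample tree is constructed in a temporary directory so the script runs offline; its accounts.db is a constructed stand-in for the system accounts database the post refers to, with illustrative column names.

```python
"""Schema-level audit of SQLite databases under an Android-style /data tree.

Added example, not code from the original post. Mirrors the post's
`find /data -name '*.db'` step, then inspects schemas read-only and
flags columns whose names suggest secrets. Sample data is constructed.
"""
import os
import pathlib
import sqlite3
import tempfile

# Column-name fragments that usually mean secret material (my assumption).
SECRET_HINTS = ("password", "passwd", "pwd", "secret", "token", "cookie", "credential")


def find_databases(root):
    """Yield every *.db path under root, like `find root -name '*.db'`."""
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".db"):
                yield os.path.join(dirpath, name)


def open_readonly(path):
    """Open via SQLite's URI syntax with mode=ro so the audit can never write."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def suspicious_columns(path):
    """Return [(table, column), ...] whose column names match SECRET_HINTS."""
    hits = []
    con = open_readonly(path)
    try:
        tables = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            # PRAGMA arguments cannot be bound as parameters; quote the identifier.
            quoted = '"' + table.replace('"', '""') + '"'
            for row in con.execute("PRAGMA table_info(%s)" % quoted):
                column = row[1]
                if any(hint in column.lower() for hint in SECRET_HINTS):
                    hits.append((table, column))
    finally:
        con.close()
    return hits


def audit(root):
    """Map each database path to its suspicious columns; skip non-SQLite files."""
    report = {}
    for path in find_databases(root):
        try:
            hits = suspicious_columns(path)
        except sqlite3.DatabaseError:
            continue          # encrypted, corrupt, or merely named .db
        if hits:
            report[path] = hits
    return report


def build_sample_tree():
    """Constructed sample: a stand-in accounts.db, a harmless app db, a decoy."""
    root = tempfile.mkdtemp(prefix="android_data_")
    system_dir = os.path.join(root, "system")
    app_dir = os.path.join(root, "data", "com.example.notes", "databases")
    os.makedirs(system_dir)
    os.makedirs(app_dir)
    con = sqlite3.connect(os.path.join(system_dir, "accounts.db"))
    con.executescript("""
        CREATE TABLE accounts (_id INTEGER PRIMARY KEY, name TEXT, type TEXT, password TEXT);
        CREATE TABLE authtokens (_id INTEGER PRIMARY KEY, accounts_id INTEGER, type TEXT, authtoken TEXT);
        INSERT INTO accounts VALUES (1, 'someone@example.com', 'com.example', 'not-a-real-password');
    """)
    con.close()
    con = sqlite3.connect(os.path.join(app_dir, "notes.db"))
    con.executescript("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT);")
    con.close()
    # A file that only looks like a database, to exercise the error path.
    with open(os.path.join(app_dir, "not_really.db"), "w") as fh:
        fh.write("plain text, not SQLite\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, hits in audit(sample_root).items():
        print(os.path.relpath(path, sample_root))
        for table, column in hits:
            print("  %s.%s" % (table, column))
```

Run against a copy of a /data tree, the report names which application databases would need a second look; the read-only URI and the schema-only output are deliberate, so the same script can be handed to an app developer reviewing their own storage without it becoming a credential dumper.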
