Automated Forensic Analysis of Mobile Applications on Android Devices
Since mobile apps have reached into every corner of our lives, they increasingly pose security threats of various types to both individuals and business enterprises. Smartphones are now widely used by criminals, people with underworld connections, terrorists and individuals engaged in arson and destruction in public places. This is why monitoring smartphone activity and analyzing certain apps has become extremely crucial for administrations, establishments and security agencies.
Smartphone apps process a lot of sensitive user data, and the vast majority of this information is stored locally on the device. This is why forensic analysis of app data remains so important. But digital forensic analysis of mobile data is not an easy job and involves many complications. Since the process also touches on crucial aspects such as safeguarding the privacy of the information, several precautions and safeguard measures must be followed.
Android is the most diversified device platform: the many devices running it differ in built-in features, device-level security measures, storage capacity and processing power. This is why the forensic analysis of mobile apps on Android devices requires extra care with these complexities.
The Method of Android Forensic Analysis
Since the analysis needs depth, we begin with the core layers of the apps: device logs, network traffic, the file system and device memory. Each of these layers is analyzed in turn. The evidence gathered from these layers gives a full picture of the security vulnerabilities present and the threat they pose.
As for the composition of the forensic laboratory used for this research, its constituents are a MacBook Pro with the Android SDK toolkit, a virtual machine running Ubuntu 14.04, a rooted Nexus 5 running Android 5.1.1 and a WiFi Pineapple that gives the smartphone access to the web. Now let's take the layers one by one.
Log Analysis
Android comes with an extensive range of log analysis tools covering a variety of logs, including media events. Log analysis can detect threats received through SMS and MMS. For example, an SMS that carries malware can still be detected through this analysis even if the message is deleted from the messaging app as it arrives.
Network Traffic Analysis
One of the most crucial parts of the forensic analysis is the analysis of network traffic, through which threats emerging from the traffic can be detected. In an enterprise environment, firewalls or proxies largely do this. Remote network traffic analysis is also carried out by many security experts and forensic investigations.
To monitor network traffic continuously, a sound network infrastructure is essential. For our analysis we set up an infrastructure based on the Android Pineapple to monitor the traffic. Within this setup the traffic is monitored through two principal tools, Wireshark and Burp Suite. The second is used as an intercepting proxy for the Android device to carry out SSL inspection.
Memory Analysis
Memory analysis of Android devices is done with tools such as the Linux Memory Extractor (LiME). The best thing about this tool is that it can be cross-compiled for Android. Another effective memory analysis tool is Volatility, which analyzes the captured memory dumps. It requires creating a custom profile for the Android kernel running on the target smartphone.
Apart from the tools and approaches mentioned above, there are other ways to carry out memory analysis. Android itself provides a "monitor" tool. Its only limitation is that it analyzes memory separately for each specific case instead of analyzing the whole memory in one go.
How is The Forensic Analysis Done? Exemplifying With an Actual Malware
To verify and evaluate the method of analysis, it is important to perform the analysis with actual malware on the smartphone. The APK needs to be pushed onto the device, and a Volatility profile created on the basis of the customised kernel.
The setup needs the same care. You need a clear understanding of how to configure the WiFi settings of the Android Pineapple on Mac OS X. All the remaining commands serve to redirect the HTTP/HTTPS traffic from the Android Pineapple to the Burp Suite proxy.
The next step is to install the APK and launch it with the appropriate command. Finally, run the newly installed malware application on the Android device. While it runs, monitor the logs, look for abnormalities in the network traffic and capture threats in the memory dump.
Tracking the Logs Through Logcat
Logcat is used in forensic analysis for the express purpose of collecting evidence from all the messages that are received and sent; this is done through the radio logs. The idea is to detect malware threats lurking in SMS/MMS. Such threats often remain undetected by common malware detection tools, which is why forensic analysis plays such an important role.
Forensic analysis of Android apps can also be done manually. But manual analysis is more time- and resource-consuming and scales poorly when a large number of apps must be analyzed. This is why automated forensic analysis is popular in most enterprise environments. Since a great number of Android apps are known for information leakage, forensic analysis has become an extremely crucial security measure.
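As an added example of the correlation the radio logs allow (not tooling from the article or its author), the Python script below parses `adb logcat -v threadtime` lines, finds each incoming-SMS event in the RILJ radio log, lists what happened within a short window afterwards, and flags follow-ups that touch the SMS content provider or the network. The log lines, the package `com.example.suspect` and the tag `SuspectSvc` are constructed sample data.

```python
import re
from datetime import datetime

# One line of `adb logcat -v threadtime`: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF]) "
    r"(?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)

# Constructed sample (not a real capture): a radio-buffer line (tag RILJ)
# announcing an incoming SMS, then main-buffer lines in which a hypothetical
# app touches the SMS provider and talks to the network right afterwards.
SAMPLE_LOG = """\
05-01 12:00:01.120   812   812 D RILJ    : [UNSL]< UNSOL_RESPONSE_NEW_SMS
05-01 12:00:01.300  1402  1402 I ActivityManager: Start proc com.example.suspect for broadcast
05-01 12:00:01.650  2210  2210 D SuspectSvc: delete content://sms/inbox
05-01 12:00:02.010  2210  2230 D SuspectSvc: POST http://203.0.113.10/upload
05-01 12:05:00.000  1402  1402 I ActivityManager: Displayed com.android.settings
"""

# Substrings in a follow-up message that an analyst would want to see
FLAGS = ("content://sms", "http://", "https://")


def parse(text):
    """Turn threadtime lines into (timestamp, tag, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["date"] + " " + m["time"], "%m-%d %H:%M:%S.%f")
            events.append((ts, m["tag"].strip(), m["msg"]))
    return events


def sms_followups(events, window_s=5.0):
    """For each SMS arrival, collect the events that follow within window_s seconds."""
    hits = []
    for i, (ts, tag, msg) in enumerate(events):
        if tag == "RILJ" and "UNSOL_RESPONSE_NEW_SMS" in msg:
            follow = [e for e in events[i + 1:] if (e[0] - ts).total_seconds() <= window_s]
            hits.append((ts, follow))
    return hits


def flagged(events, window_s=5.0):
    """Return (sms_time, [suspicious follow-up messages]) for every SMS arrival."""
    return [(ts, [m for _, _, m in follow if any(f in m for f in FLAGS)])
            for ts, follow in sms_followups(events, window_s)]
```

Running `flagged(parse(SAMPLE_LOG))` on the constructed log yields one SMS arrival with two flagged follow-ups: the deletion from the SMS inbox and the outbound POST.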
Atman Rathod is the Co-founder at CMARIX TechnoLabs Pvt. Ltd., a leading web and mobile app development company with 13+ years of experience. He loves to write about technology, startups, entrepreneurship and business. His creative abilities, academic track record and leadership skills make him one of the key industry influencers as well.
Linkedin - https://www.linkedin.com/in/rathodatman/
Twitter - https://twitter.com/RathodAtman