Android Security: Attacks and Defenses
To perform forensics on Android devices, it is important to understand the Android system. We need to
understand how, where, and what type of data is stored on the device to perform the actual extraction of
Rooting Android Devices
Android, by default, comes with a restricted set of permissions for its user. These restrictions have been carefully designed to prevent malicious applications (and users) from
circumventing the controls provided by the Android security model. They are also sometimes used to prevent a particular functionality from being accessed or changed (e.g.,
tethering, installing a proxy, and so forth). Rooting an Android device can be useful
when we need to analyze a device. When we log on to a shell (through adb shell), the
UID of the user is "shell." We can't really access directories such as /data, as we don't
have sufficient permission. Thus, we need to elevate our privileges to super user. The
process of obtaining these privileges is called rooting. Typically, a vulnerability in the system, when
exploited successfully, allows us to become a super user. One can download the corresponding <version>Break.apk file from the Web and root a device. Note that rooting writes to the device (it installs su and a Superuser application), so in an evidentiary setting the change must be documented. In the following, we walk
a user through rooting Android Froyo 2.2.
1. Determine the version of the Android OS running on your device. This can be
found by going to "Settings" -> "About Phone." This should give you the Android and
kernel version details.
2. Enable USB Debugging (on Froyo: "Settings" -> "Applications" -> "Development" -> "USB debugging"). adb cannot talk to the device until this is on.
3. Connect through adb shell and execute the "id" command. It should show
you as the "shell" user (uid=2000(shell)).
4. Download GingerBreak.apk (given you are running Android Froyo 2.2.x, Gingerbread, or Honeycomb).
5. Install GingerBreak on the phone by executing the following command: adb install GingerBreak.apk
6. Open the GingerBreak application on the phone and run it. This will exploit the device and install the su binary and the Superuser application.
7. Now, connect to the device again using the command line (adb shell) and execute the su command, then run id once more. It should
now report uid=0(root): you are rooted on the device and can browse to directories such as /data/data.
By Abhishek Dubey and
It is sometimes useful to create an image of the Android device and analyze it using the various tools available
on your workstation. This is especially true in the case of an investigation where the original file system
needs to be preserved for evidence/future reference. We may also not want to work directly off the device
but, rather, off a copy of it for investigation/analysis. Record a hash of the image when it is created and again after it is copied,
so the copy can be shown to match the original. Below are instructions for imaging an Android device:
1. Download mkfs.yaffs2 and copy it onto the SD card connected to your device, through the following
command: adb push mkfs.yaffs2 /mnt/sdcard/tmp
2. Open adb shell and change to the root user (su). Make /mnt/sdcard/tmp/mkfs.yaffs2 executable
(mode 755): chmod 755 /mnt/sdcard/tmp/mkfs.yaffs2
On many devices the SD card is mounted as vfat with noexec, so chmod has no effect and the binary
will not run from there; if so, push it to /data/local/tmp instead and run it from that directory.
3. Create an image of the Android device by executing the command that follows. This will create data.img,
which will contain the image of the Android device: /mnt/sdcard/tmp/mkfs.yaffs2 data.img
4. Pull the image onto your workstation by using adb's "pull" command, run from the workstation rather than from inside adb shell: adb pull /mnt/sdcard/
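The root check from the rooting steps and the imaging steps above, scripted together with the integrity checks an examiner wants, as an added shell example (this is not the book's code). It assumes adb is on PATH (override with ADB=...), su was installed by the rooting step, a sha1sum binary exists on the device (e.g., via busybox), mkfs.yaffs2 sits in the current directory and takes the arguments shown in step 3, and /data/local/tmp is used as the staging directory because the SD card is usually mounted vfat noexec. The names data.img, custody.log, DEVICE_TMP and IMAGE_CMD are the example's own.

```shell
#!/bin/sh
# Added example, not from the book: wraps the adb steps above and confirms
# root by uid, then hashes the image on the device and again after the pull.
# Assumptions: adb on PATH (ADB=... overrides), su installed by rooting,
# sha1sum on the device (busybox), mkfs.yaffs2 in the current directory,
# /data/local/tmp writable and executable (the vfat SD card usually is not).

ADB="${ADB:-adb}"
DEVICE_TMP="${DEVICE_TMP:-/data/local/tmp}"
# Image command as the page's step 3 shows it; adjust if your build of
# mkfs.yaffs2 takes different arguments.
IMAGE_CMD="${IMAGE_CMD:-./mkfs.yaffs2 data.img}"

# Numeric uid from the output of `id`, e.g.
# "uid=2000(shell) gid=2000(shell) groups=1003(graphics)" -> 2000
uid_from_id() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p'
}

# True when an `id` line belongs to root (uid 0).
is_root_id() {
    [ "$(uid_from_id "$1")" = "0" ]
}

# True when ro.build.version.release is a release the page lists as a
# GingerBreak target (Froyo 2.2.x, Gingerbread 2.3.x, Honeycomb 3.x).
gingerbreak_target() {
    case "$1" in
        2.2|2.2.*|2.3|2.3.*|3.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare a local file's SHA-1 with an expected value, printing a
# timestamped custody line; the exit status is the comparison result.
verify_sha1() {
    file="$1"; expected="$2"
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    printf '%s %s expected=%s actual=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$file" "$expected" "$actual"
    [ "$actual" = "$expected" ]
}

# Run one command on the device as root. adb shell re-parses its arguments
# on the device, so the command is single-quoted for su -c; old adb builds
# end lines with CRLF, so the carriage returns are stripped.
dev_su() {
    $ADB shell "su -c '$1'" | tr -d '\r'
}

# The rooting section reduced to its observable result: id before and after su.
check_root() {
    release=$($ADB shell getprop ro.build.version.release | tr -d '\r')
    gingerbreak_target "$release" ||
        echo "warning: release $release is not one the page lists for GingerBreak" >&2
    before=$($ADB shell id | tr -d '\r')
    echo "adb shell user: $before"
    after=$(dev_su id)
    is_root_id "$after" || { echo "su did not give uid 0: $after" >&2; return 1; }
    echo "root confirmed: $after"
}

# The imaging section, with the image hashed on the device before the pull
# and on the workstation after it, so the working copy can be shown to match.
image_device() {
    check_root || return 1
    $ADB push mkfs.yaffs2 "$DEVICE_TMP/mkfs.yaffs2"
    dev_su "chmod 755 $DEVICE_TMP/mkfs.yaffs2"
    dev_su "cd $DEVICE_TMP && $IMAGE_CMD"
    device_hash=$(dev_su "sha1sum $DEVICE_TMP/data.img" | cut -d' ' -f1)
    $ADB pull "$DEVICE_TMP/data.img" data.img
    chmod 444 data.img          # analyze this read-only copy, never the device
    line=$(verify_sha1 data.img "$device_hash") && status=0 || status=1
    printf '%s\n' "$line" | tee -a custody.log
    return $status
}

# Only touches a device when invoked as: sh android_image.sh run
case "${1:-}" in
    run) image_device ;;
esac
```

Run with a device attached as `sh android_image.sh run`; the pure helpers (uid_from_id, is_root_id, gingerbreak_target, verify_sha1) can be exercised without one. If the custody line reports a mismatch, the pulled copy must not be used as evidence.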
Now that you have the device image on your workstation, you can use tools such as yaffey to analyze the
image, browse through different directories, review files, and so forth. Yaffey is available at the following