Android Malware and Analysis
Application Storage and Data Locations
Applications and their data files are usually stored in one of two
locations: internal or external storage. Installing applications to the
SD card can be controlled with the “-s” option of the ADB install
command. Otherwise, when an application is installed it will be placed
in the /data/app/ directory, named after the application’s package name.
At the same time, another set of directories is created under /data/data
for the application to store its data. For example, if you install an
application called util with the package name com.android.utility, the
APK will be com.android.utility.util-1.apk and its data will be stored
in the /data/data/com.android.utility.util directory. What is stored
there can vary from application to application, but files and databases
are usually the most noteworthy for analysis. The following are the most
common subdirectories you will find under the application.
• lib—Static libraries used by the application
• cache—File cache to speed up performance
• files—Custom data storage
• databases—SQLite databases
If you locate a files directory, it usually means the application required
a more complex data structure, and it would be a good place to mine for
data. By default this directory and its files are available to you in the
emulator, where you can see them. However, on a physical device the
/data/data/ directory, which this is a part of, is locked unless you have
root access. If that is the case, you will need to access and copy the
files through the ADB pull process.
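
As an added example (not from the book), the Python below inventories a local copy of an application's data directory after it has been pulled, walking the four subdirectories listed above and recognising SQLite databases by file header rather than by name. The function names and the sample directory contents are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
KNOWN_SUBDIRS = ("lib", "cache", "files", "databases")

def is_sqlite(path):
    """Identify a database by its header; app databases often lack a .db suffix."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC

def list_tables(path):
    """Open read-only (mode=ro) so the pulled copy is never modified."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    finally:
        con.close()

def inventory(app_dir):
    """Summarise a local copy of /data/data/<package>, one list per subdirectory."""
    report = {sub: [] for sub in KNOWN_SUBDIRS}
    for sub in KNOWN_SUBDIRS:
        for root, _dirs, names in os.walk(os.path.join(app_dir, sub)):
            for name in sorted(names):
                full = os.path.join(root, name)
                entry = {"path": os.path.relpath(full, app_dir), "size": os.path.getsize(full)}
                if is_sqlite(full):
                    entry["tables"] = list_tables(full)
                report[sub].append(entry)
    return report

def build_sample(root):
    """Constructed stand-in for a pulled data directory (not real application data)."""
    app = os.path.join(root, "com.android.utility.util")
    for sub in ("files", "databases", "cache"):
        os.makedirs(os.path.join(app, sub))
    Path(app, "files", "config.txt").write_text("server=example.invalid\n")
    con = sqlite3.connect(os.path.join(app, "databases", "store"), isolation_level=None)
    con.execute("CREATE TABLE contacts (name TEXT, number TEXT)")
    con.close()
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for sub, entries in inventory(build_sample(tmp)).items():
            print(sub, entries)
```

To use it on real data, pass `inventory()` the local directory that the pulled files were copied into.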
Getting Samples Off Devices
Much like putting samples on the device, there are two ways to get
samples off the device. The first way is with application backup software.
App Backup from the Play Store is an excellent resource to do this.
When executed, it polls the applications on the device and backs them up
to an SD card. You can then retrieve them with the ADB pull command or,
if it is removable media, take it out and mount it on another system.
The second way is to use the ADB to connect and pull the application
off. To do this you will need the location of the APK file.