Most commercial iOS forensics and data acquisition tools do the job effectively in general, but in the data leak cases presented here we need to read between the lines and extract all related logs and API communication that occurred inside the mobile system. Thus, in this chapter we investigate the most recently updated tools and bring in additional tools to obtain stronger evidence about our case.
In this chapter, we investigated the possibility of detecting data leaks from mobile applications into the Facebook platform by using various mobile forensics tools and a reverse engineering methodology. With mobile forensics tools, we were able to examine the Facebook application and other Android applications that might have contributed to privacy leaks, especially the artifacts of the content providers, and we were able to extract the Facebook Android application package (APK). With the reverse engineering methodology, we were able to decompile the Facebook Dalvik code into its original Java source code and identify various entry and exit points of data into and out of Facebook.
Legal Issues Regarding the Local Electronic Crimes Law and Mobile Forensics
Mobile Forensics and Reverse Engineering
Details of the Reporting Agency and Tools Used in the Examination
Description of Steps Taken During the Examination
Details of Findings or Issues Identified
Evidence Recovered During the Examination, Including Chat Messages
Images Captured During the Examination
Examination and Analysis Information
Local Electronic Crimes Law and Mobile Forensics
We are living in a world in which mobile devices and their users are proliferating, and in which a massive amount of private personal data, such as the phone's GPS position, SMS messages, the IMEI, the phone contact list, and more, is accessed by mobile applications, the majority of them social media applications. The data transmitted by and residing on mobile phones becomes a potential treasure trove for malicious technology users, who can sell data to advertising companies, analytics companies, competitors, and even political and intelligence agencies. Balancing mobile privacy against mobile functionality has become a very hot and emerging focus of research (Keng, Wee, Jiang, and Balan, 2013).
Because smartphones' capabilities and processing efficiency now match those of personal computers, smartphones are exposed to the same risks and vulnerabilities as personal computers, and to greater ones. Data stored on smartphones, such as videos, images, documents, emails, and short messages, might be accessed remotely if the device is connected to the Internet. This reality poses huge challenges for security professionals in securing mobile and smartphone devices, as well as in detecting and investigating any incidents on such devices. Mobile forensics is the process of collecting digital evidence by retrieving and acquiring information from the storage of mobile phones. It relies on extracting digital evidence from the phone's internal memory whenever that data can be accessed.
Mobile phones and mobile technologies have developed rapidly in recent years. A huge number of applications can run on mobile and smartphone platforms, and more are developed each day. Given the variety of smartphone vendors, mobile applications, and networking protocols, forensic analysis of mobile phones is a major challenge. Many software tools are available to acquire, retrieve, and analyze data extracted from smartphones, and every tool has its advantages and disadvantages. These tools are extremely important in smartphone forensics for extracting and analyzing digital evidence that might be used in a legal case.
The importance and sensitivity of this chapter come from the core problem that it aims to investigate in depth. The core problem is with the massive volume of data leaks from mobile devices and various artifacts into the Facebook platform for pure marketing, advertising, orientations, and other malicious purposes. The leaks themselves, especially without proper permissions of the device’s users, are considered a breach of individuals’ privacy, as well as a significant violation of many data privacy regulations and laws all over the world (GDPR, HIPAA, etc.) (Wongwiwatchai, Pongkham, and Sripanidkulchai, 2020a). This chapter will help lawmakers and law enforcement agencies to trace and investigate similar data leak issues and improve the preservation of individuals’ privacy. The purpose of this practical case study and all generated reports throughout the investigation of mobile devices is to investigate the possibility of detecting data leaks from mobile devices into third-party applications installed on the same device by using various mobile forensics tools.
Admissibility of the Digital Evidence: The summary of the Palestinian Electronic Crimes Law provisions governing legal admissibility of the evidence is:
“Any evidence resulting from any information technology means, information system, information network, website or electronic data may not be excluded because of the nature of the evidence.” Article No. 37. (“Presidential Decree,” 2018)
Legal Authority for the Forensic Examination Request: The summary of the Palestinian Electronic Crimes Law provisions governing the legal authority of the examination request is:
“The office of the public prosecutor or the person appointed by the judicial inspectors may inspect people, places and anything else related to information technology relevant to the crime.” Article No. 32 (1 – 5). (“Presidential Decree,” 2018)
Seizure and Acquisition of the Evidence: The summary of the Palestinian Electronic Crimes Law provisions governing legal seizure and acquisition of the evidence is:
“The prosecutor has the permission to seize and retain the entire information system and to make use of any IT tools that would help to uncover the truth.” Article No. 33 (1 – 6). (“Presidential Decree,” 2018)
Mobile Forensics and Reverse Engineering
In this section, we will discuss prior and related work in three major areas: private data leaks over mobile applications, Facebook as an advertising platform, and reverse engineering of Android applications. In addition, we will discuss sensitive information transmissions in mobile applications.
Android Mobile Forensics and Private Data Leaks
We have noticed many research studies investigating the causes of private data leaks over mobile devices and working toward leak-cause analysis of data. The researchers correlate the actual leaks with user actions. The data leaking behavior of an application stays stable with respect to time; a similar data leaking behavior is expected to be observed repeatedly if an extra and adequate amount of application logs is analyzed (Ávila, Khoury, Khoury, and Petrillo, 2021). Thus, we are able to extract and understand log patterns and reveal the actual causes of data leaking behavior. Several researchers have carried out significant studies on mobile forensics of private data leaks; the research of Keng, J. C. J. observed a high proportion of leaky applications. “Out of the 226 applications studied, 121 applications are not leaking private data (nonleaking apps). Among the 105 apps (46.5%) leaking privacy data, 64 apps (28.3%) were found to leak private data due to user actions on application widgets. We notice that an application can leak data in various ways: (1) User-Triggered Leaks (identified by association rules), (2) Start-Up or One-Time Leaks, and (3) Periodic Leaks” (Keng et al., 2013). In the first step, the researchers instrumented the mobile system to log and collect user traces, with “TaintDroid” as their tool for detecting data leaks. In the second step, the researchers conducted extensive testing of selected samples of mobile applications to collect the logs and trace the leaks. Finally, the researchers performed various analyses to detect the causal relations between user actions and data leaks. Other corresponding research on detecting and mitigating privacy leaks over the iOS mobile platform was conducted by Agarwal, Y. and Hall; the researchers observed a high volume of inappropriate application access to user data.
“We observe that 48.4% of the total applications access the identifier, 13.2% access location, 6.2% access contacts and 1.6% access the music library. Next, we find that a large number of users actively make privacy decisions: 44,260 users make 10-100 decisions while 16,729 users make 100-363 decisions” (Agarwal and Hall, 2012).
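The correlation of user actions with leaks that Keng et al. describe, as an added example that is not from the chapter, from Keng et al. or from TaintDroid: a small Python classifier that reads constructed TaintDroid-style log lines (app start, UI widget actions, taint sinks) and sorts each (app, data tag, destination) flow into the three leak classes quoted above. The log format, the field names and the 5-second window used to link a UI action to a leak are this example's assumptions.

```python
"""Classify leak flows from constructed TaintDroid-style logs into
user-triggered, start-up/one-time, and periodic leaks (Keng et al. taxonomy)."""
import re
from datetime import datetime
from statistics import mean, pstdev

WINDOW_S = 5  # assumed: max seconds between a trigger (UI/START) and a leak to link them

# Constructed sample log, not a real capture: one app, three leak patterns.
SAMPLE_LOG = """\
2021-03-01T10:00:00 START app=com.example.weather
2021-03-01T10:00:01 LEAK app=com.example.weather tag=IMEI dest=ads.example.net
2021-03-01T10:00:05 UI app=com.example.weather widget=btn_share
2021-03-01T10:00:06 LEAK app=com.example.weather tag=LOCATION dest=api.example.net
2021-03-01T10:05:00 UI app=com.example.weather widget=btn_share
2021-03-01T10:05:01 LEAK app=com.example.weather tag=LOCATION dest=api.example.net
2021-03-01T10:07:00 UI app=com.example.weather widget=btn_refresh
2021-03-01T10:10:00 LEAK app=com.example.weather tag=CONTACTS dest=track.example.net
2021-03-01T10:20:00 LEAK app=com.example.weather tag=CONTACTS dest=track.example.net
2021-03-01T10:30:00 LEAK app=com.example.weather tag=CONTACTS dest=track.example.net
"""

LINE_RE = re.compile(r"^(\S+) (START|UI|LEAK) (.*)$")


def parse_log(text):
    """Turn log lines into dicts: {'ts': datetime, 'kind': ..., 'app': ..., ...}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"ts": datetime.fromisoformat(m.group(1)), "kind": m.group(2), **fields})
    return events


def _trigger_before(events, idx):
    """Nearest earlier UI or START event within WINDOW_S of events[idx], else None."""
    leak_ts = events[idx]["ts"]
    for prev in reversed(events[:idx]):
        if (leak_ts - prev["ts"]).total_seconds() > WINDOW_S:
            return None
        if prev["kind"] in ("UI", "START"):
            return prev
    return None


def classify_leaks(events):
    """Return {(app, tag, dest): (leak_class, detail)} for every leak flow seen."""
    flows = {}
    for i, ev in enumerate(events):
        if ev["kind"] == "LEAK":
            key = (ev["app"], ev["tag"], ev["dest"])
            flows.setdefault(key, []).append((ev["ts"], _trigger_before(events, i)))
    result = {}
    for key, occurrences in flows.items():
        triggers = [t for _, t in occurrences]
        widgets = {t["widget"] for t in triggers if t and t["kind"] == "UI"}
        if all(t and t["kind"] == "UI" for t in triggers) and len(widgets) == 1:
            # association rule: the same widget action always precedes this leak
            result[key] = ("user-triggered", widgets.pop())
        elif len(occurrences) == 1 or all(t and t["kind"] == "START" for t in triggers):
            result[key] = ("start-up/one-time", None)
        elif len(occurrences) >= 3:
            gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(occurrences, occurrences[1:])]
            # regular spacing with no user action behind it points to a timer/background job
            if pstdev(gaps) <= 0.2 * mean(gaps):
                result[key] = ("periodic", round(mean(gaps)))
            else:
                result[key] = ("unclassified", None)
        else:
            result[key] = ("unclassified", None)
    return result


if __name__ == "__main__":
    for (app, tag, dest), (cls, detail) in classify_leaks(parse_log(SAMPLE_LOG)).items():
        print(f"{app} {tag} -> {dest}: {cls} {detail or ''}")
```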
Facebook as Mobile Application Advertising Platform
Commercial advertising over online platforms is the basic source of funding for mobile application developers, and it also plays a vital role in the growth of the international economy. This situation comes with major concerns about individuals' privacy and data protection. Advertisers work very hard to acquire extensive information about their audience so that they can present advertisements matching each user's interests; this is called “behavioral advertising.” With current technological innovations in the online world and on social media platforms such as Facebook and Instagram, it has become very easy to build profiles of Internet users and to use such profiles as the basis of powerful targeting tools for commercial companies that offer online behavioral advertising services.
Several researchers have carried out significant studies on the fact that Facebook uses personal private data for advertising and marketing purposes. One study, conducted by Marcello M. Mariani, investigated how Italian regional destination management organizations (DMOs) strategically employed the Facebook platform to promote and market their destinations, and also improved the current metrics for capturing user engagement. The investigation was carried out with a big data analysis approach, extracting data from the regional DMOs' Facebook pages, together with semistructured face-to-face interviews with DMO regional managers. The findings of the study indicated that “the way Facebook is tactically and strategically employed varies significantly across Italian regional DMOs. Visual content (namely photos) and moderately long posts have a statistically significant positive impact on DMOs’ Facebook engagement, whereas high post frequency, and early daily timing (in the morning) of posts have a negative impact on engagement. Last but not least, the study shows that most of the regional DMOs (except for Trentino, Tuscany, and Sicily) deploy Facebook with a top-down approach, allowing for little spontaneous user generated content (UGC)” (Mariani, Di Felice, and Mura, 2016).
Reverse Engineering of Android Applications
The main goal of source code analysis and reverse engineering of Android applications is to provide an inclusive understanding of the inner functionality of applications running on the Android platform (Wongwiwatchai, Pongkham, and Sripanidkulchai, 2020b), and to reveal additional information on how data are transferred through application components and objects into and out of applications (Tiwari, 2020). The investigation of different methodologies and tools for reverse engineering Android applications carried out by Zhang, Baggili, and Breitinger concluded that several methods can be used to decompile the precompiled Java code (Dalvik bytecode) into Java source code readable by application reviewers and developers, since all applications running on the Android platform are programmed in the Java language. One of the best-known tools is dex2jar, which converts Dalvik bytecode into Java source code (.jar, .class) (Zhang, Baggili, and Breitinger, 2017).
Sensitive Information Transmissions in Mobile Applications
While mobile apps often need to transmit sensitive information out of the device to support various functionalities, they may also abuse that privilege by leaking the data to unauthorized third parties. This makes us question whether a given transmission is required to fulfill the app's functionality (Fu et al., 2020). “To date, various methods have been proposed to detect and isolate the third-party libraries that may incur privacy threats. However, they either rely on the namespace or the program structure, thus suffering from the evasion attacks such as obfuscation and call graph manipulation, or counting on the deep cooperation of developers, which ignores a great deal of intentional data leakage driven by under-the-table income. More importantly, all of them are designed to handle the misbehavior from isolated ad libraries, and they do not apply to malicious transmissions embedded in the core app logic” (Fu et al., 2020).
The investigator team was able to “automatically detect privacy-sharing transmissions and determine their purposes by utilizing the fact that mobile users rely on a visible app interface to perceive the functionality of the app in a certain context. The characterizations of nonfunctional network traffic are then summarized to provide network-level protection. Researchers were not only reducing the false alarms caused by traditional taint analysis but also captured the sensitive transmissions missed by the widely used taint analysis system Taint Droid. Evaluation using 2125 sharing flows collected from more than a thousand running instances, shows that our approach achieves about 94% accuracy in detecting nonfunctional transmissions” (Fu et al., 2020).
Data Acquisition Comparison: iOS Devices Image and iOS Backups
Acquire Data from an iOS Device
Logical acquisition captures the part of the data that is accessible to the mobile user; in other words, what is available in an iTunes backup. This implies that we are not able to retrieve deleted files directly, but this can be done instead through the SQLite databases, whose unallocated space can be navigated so that we can recover the majority of the deleted records, including but not limited to SMS, chats, Internet history, and so on. Logical acquisition is considered the simplest way to acquire data from unlocked devices, since this method uses the built-in backup mechanism. The majority of tools and data acquisition methods designed for logical acquisition of iOS devices will fail if the device screen is locked. Even if a physical image were captured, there is little to no need for conducting a logical acquisition. Indeed, not all data can be parsed in a physical image, which is why we also use a logical image, which yields readable data; this helps you mine deep into the physical image for artifacts that support your forensic investigation. Logical acquisition is considered the fastest, easiest, and cheapest way to get access to the data stored on an iOS device. A variety of tools, ranging from paid commercial products to free ones, can capture logical images of mobile devices. Most such tools require that the acquired device be unlocked, or that the plist files be accessible through the investigator's host machine.
File system acquisition: We are not able to extract the encryption keys needed to decrypt the device's physical image, so conducting a physical acquisition is useless. However, file system acquisition comes to the rescue. Unfortunately, in most cases it requires the iOS device to be jailbroken.
Acquire Data from an iOS Backup
Physical acquisition and extraction of iOS devices offers the majority of the data in an investigation; a further rich source of information is found in extracted iOS backups. iOS device holders have several alternatives for backing up the data on their devices. They can back up data to a PC using the iTunes application, or to Apple's cloud storage SaaS known as iCloud.
Every time an iPhone is synced with a PC or with iCloud, it generates a backup file by copying the user-selected files from the device. Users can choose what to include in the backup files, although some backup files may be more significant and relevant to the case than others. In addition, the user can back up to both the PC and iCloud, which implies that the data extracted from each location may differ from the other. This most likely happens because of the storage size constraints of iCloud.
Comparison between the iOS Device Image and Backup Image Data Extraction Methods
Comparison Criteria | Acquire from an iOS Device | Acquire Data from iOS Backups
---|---|---
Acquisition types | Physical acquisition (full); logical acquisition (user data); file system acquisition (+ structure); acquisition via jailbreaking | iTunes backups; iCloud backups
Acquisition tools | Magnet AXIOM; FINALMobile; libimobiledevice; Belkasoft acquisition tool | iTunes backups; iBackup Viewer; iExplorer; UFED Physical Analyzer
Capture capabilities | Recovers deleted files using SQLite databases and tools | Recovers deleted files using the extracted backup
Acquiring device status | Will not work for the newest locked devices | Will work for locked devices
Performance | Fast, easy, cheap (logical) | Fast, easy, cheap
Constraints | New devices need to be jailbroken (file system acquisition); no prior work needed | No need to be jailbroken; works on newest devices; previously synced with the device
Mobile user role | Cannot control what is contained in a logical image | Determines what is contained in the backup
Data location | Mobile device | iCloud backups; computers
Volume of information | Full device information | User information stored in the backup
Data Acquisition Comparison: Android Devices Image and ADB Backups
Understanding Android Data Extraction Techniques
The Manual Data Extraction: This method of data extraction requires the investigator to use the normal mobile device (MD) interface to access the content present in the device memory. The investigator walks through the device manually, opening the menus of different applications to view and observe information such as the call logs, the text messages, and the instant message chats. The contents of every screen of interest need to be captured by taking a snapshot, which might then be presented as legal digital evidence. The main obstacle to this type of examination is that we are only able to examine files that are accessible through the Android system (in user interface mode).
Data Acquisition Comparison: Manual, Logical, and Physical Data Extraction
Comparison Criteria | Manual Extraction | Logical Extraction | Physical Extraction
---|---|---|---
Extracted data | Access only the content presented to the user in the device memory | Access user data and file system | Full access to data
Acquisition tools | MD interface | FINALMobile; Magnet AXIOM; Oxygen Forensic Detective | Joint Test Action Group (JTAG); the chip-off technique; dd command (ADB); various forensic tools
Capture capabilities | Only captures what can be observed by mobile users manually | Captures the user and application data and the file system | Captures every single bit in the device memory
Accuracy | Not accurate, and subject to human omissions | Accurate if conducted in a well-prepared environment | Very accurate if conducted in a well-prepared environment
Device permission | Regular Android user permission | Regular Android user permission (more data for rooted devices) | Only available for rooted devices
Deleted file recovery | Not possible | Not possible | Possible in certain circumstances
Security constraints | Need to know the pass code | Need to know the pass code (possible bypass) | Need to know the pass code (possible bypass)
Technical level | Very high level | High level | Low level (machine level)
Time constraints | Time-consuming (slowest) | Good extraction time (the quickest) | Good extraction time
Database direct access | Not allowed | Allowed | Allowed
Detailed Description of Steps Taken During Examination
1. Tested Device Information: Samsung Galaxy A10 (SM-A105F/DS) with Android version 10.0 installed.
2. Tested Applications: the Facebook application, built-in applications, and other third-party applications installed on the device.
3. Testing Environment: a bit-by-bit (physical) image of the device memory and file system was acquired for analysis using various forensics platforms and appropriate tools, together with logical data extraction and file system acquisition.
4. Digital Forensics and Data Acquisition Tools for Both Device Rooting and Data Extraction:
   - Android Studio IDE 201.7199119, with platform tools including Android Debug Bridge (ADB).
   - Odin3 v3.12.3 (Samsung's official firmware flashing software).
   - FINALMobile Forensics 2020.04.20.
   - Magnet AXIOM forensics tool.
   - Oxygen Forensic Detective 12.0.0.151.
5. Reverse Engineering Tools Used to Decompile Dalvik Code into Java Code:
   - dex2jar 2.0 (Android application decompiler).
   - JD-GUI 1.6.6 (Java programming language decompiler).
Data Acquisition and Extraction
Facebook Information File Investigations (Account Artifacts)
Analysis of Facebook Source Code with Reverse Engineering
Case Analysis and Major Findings
Second, we manually explored, reviewed, and analyzed the majority of the Facebook application's Java source code classes after decompiling the Dalvik code files located within the Facebook Application Package File (APK). The analysis focused on finding the entry points of data into the Facebook application on one side, and the exit points of data on the other. We reviewed 12 class files and were able to identify various classes responsible for sharing and transferring data into and out of the Facebook application. These included such points as Fileprovider.class, Phone Id, Location Information, and Bookmark Information. Figures 6-14 to 6-16 present the data exchange points written in these Java classes.
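The entry/exit point review described above, as an added example that is not the chapter's own analysis and not Facebook code: a Python scan over decompiled Java classes that flags classes calling private-data source APIs (entry points), data-sending sink APIs (exit points), and the URL literals they carry, and marks classes that do both. The grouping of Android/Java API names into entry and exit lists is this example's assumption, and the `SAMPLE_CLASSES` texts are constructed stand-ins for what dex2jar plus JD-GUI would produce; `load_java_tree` reads a real exported source tree instead.

```python
"""Flag entry points (private-data sources) and exit points (sinks) in decompiled Java classes."""
import os
import re

# Real Android/Java API names; classifying them as entry or exit points is this example's assumption.
ENTRY_APIS = {
    "getDeviceId": "Phone Id (IMEI)",
    "getSubscriberId": "Phone Id (IMSI)",
    "getLastKnownLocation": "Location Information",
    "ContactsContract": "Contacts",
    "FileProvider.getUriForFile": "Shared file via FileProvider",
}
EXIT_APIS = {
    "HttpURLConnection": "HTTP connection",
    "OkHttpClient": "OkHttp request",
    "startActivity": "Intent to another component",
    "sendBroadcast": "Broadcast",
}
URL_RE = re.compile(r'"(https?://[^"\s]+)"')

# Constructed stand-ins for decompiled output (not real application code): path -> Java text.
SAMPLE_CLASSES = {
    "com/example/app/PhoneIdProvider.java": """
public final class PhoneIdProvider {
    public String a(Context c) {
        TelephonyManager tm = (TelephonyManager) c.getSystemService("phone");
        return tm.getDeviceId();
    }
}""",
    "com/example/app/LocationUploader.java": """
public final class LocationUploader {
    public void b(LocationManager lm) throws IOException {
        Location l = lm.getLastKnownLocation("gps");
        HttpURLConnection h = (HttpURLConnection) new URL("https://graph.example.invalid/").openConnection();
        h.getOutputStream().write(l.toString().getBytes());
    }
}""",
    "com/example/app/FileShare.java": """
public final class FileShare {
    public void c(Context c, File f, Intent i) {
        i.setData(FileProvider.getUriForFile(c, "com.example.app.fileprovider", f));
        c.startActivity(i);
    }
}""",
    "com/example/app/BookmarkStore.java": """
public final class BookmarkStore {
    public void d(List<String> bookmarks) { this.cache.addAll(bookmarks); }
}""",
}


def scan_class(src):
    """Return (entry labels, exit labels, URL literals) found in one Java source text."""
    entries = sorted(label for api, label in ENTRY_APIS.items() if api in src)
    exits = sorted(label for api, label in EXIT_APIS.items() if api in src)
    return entries, exits, URL_RE.findall(src)


def find_data_points(classes):
    """Map each class that touches an entry or exit API to what it touches.
    entry_to_exit marks classes that both read private data and hand it somewhere."""
    report = {}
    for path, src in classes.items():
        entries, exits, urls = scan_class(src)
        if entries or exits:
            report[path] = {"entry": entries, "exit": exits, "destinations": urls,
                            "entry_to_exit": bool(entries and exits)}
    return report


def load_java_tree(root):
    """Read every .java file under root (e.g. a JD-GUI source export) into a path -> text dict."""
    classes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".java"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    classes[os.path.relpath(full, root)] = fh.read()
    return classes


if __name__ == "__main__":
    for path, info in find_data_points(SAMPLE_CLASSES).items():
        flag = "ENTRY->EXIT" if info["entry_to_exit"] else "           "
        print(f"{flag} {path}: entry={info['entry']} exit={info['exit']} dest={info['destinations']}")
```

Classes marked ENTRY->EXIT are the ones to open first in JD-GUI, since they combine a private-data read with a channel that can carry it off the device.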
Evaluating iOS Forensic Tools (Mobile Devices and Data Acquisition)
Evaluating iOS and Android Forensic Tools
Functionality | Magnet AXIOM (iOS) | Magnet AXIOM (Android) | FINALMobile Forensics (iOS) | FINALMobile Forensics (Android)
---|---|---|---|---
Logical imaging | Supported (no root) | Supported (no root) | Supported (no root) | Supported (no root)
Physical image | Needs jailbreak | Needs root | Needs jailbreak | Needs root
SQLite support | Supported | Supported | Supported | Supported
Hash comparison | ✓ | ✓ | ✓ | ✓
Retrieves deleted files | Included through SQLite databases | Included through SQLite databases | ✓ | ✓
Imaging | Included (acquirer) | ✓ | ✓ | ✓
Mounting of container files | ✓ | Not included | ✓ | Not included
File system support | ✓ | ✓ | ✓ | ✓
Email analysis | Not included | ✓ | Not included | ✓
Internet traces (browser, messenger) | Included (limited) | Included (limited) | ✓ | ✓
Viewing of pictures | Included (thumbnails) | Included (full view) | Included (full view) | Included (full view)
Native view of file contents | ✓ | ✓ | ✓ | ✓
Bookmarking/tagging | ✓ | ✓ | ✓ | ✓
Reporting | ✓ | ✓ | ✓ | ✓
Support for investigator analysis | ✓ | ✓ | ✓ | ✓
Categorization | ✓ | ✓ | ✓ | ✓
Filter | ✓ | ✓ | ✓ | ✓
As a result, we conclude that most commercial iOS and Android forensic and data acquisition tools do the job effectively in general, since the majority of mobile forensics tools can work on both types of devices and extract the data. But in data leak cases like those presented in this research, we need to read between the lines and extract all related logs and API communication that occurred inside the Android system. Thus, we need to examine the most recently updated tools and bring in additional tools to obtain stronger evidence about our case. The final result of the research will be presented in later chapters.
Summary
In this chapter, we deployed two methods inherited from prior related research, with significant tuning of each. First, we employed digital forensics tools as logging and monitoring tools to trace application activity, together with reverse engineering methodologies to trace and reveal information flow through Android applications. Second, we critically analyzed the user information acquired from Facebook records. Our method is based on a practical experiment conducted on test mobile devices and forensics workstations. The experiment tests all available logs and traces the user's activity with mobile forensics tools to look for any data leak instances, and also analyzes the Facebook records. To test our methodology and research approach, and to verify the data leaks into the Facebook platform, our experiment was divided into four phases: data acquisition and extraction, Facebook information and log file investigations, analysis of Facebook source code with reverse engineering, and case analysis.
As our experimental results show, we conclude that Facebook is collecting, storing, and processing various types of mobile users' private information, with or without the prior and explicit permission of those users. We support this conclusion through critical analysis of various Facebook and mobile device artifacts, as well as analysis of the Facebook application's Java source code classes. Future researchers should look in more detail at the reverse engineering process for detecting data leaks, to reveal more pieces of the Java code responsible for collecting and leaking mobile users' private data into Facebook applications.
We recommend adopting an enforcement mechanism for detecting data leaks from mobile applications that lets users easily detect the leaking applications on their devices, and that lets law enforcement agencies and legal entities monitor any privacy violations. Such a mechanism should be built into the development of mobile applications, examining the most important artifacts present in mobile applications and checking all data traffic at the application's entry and exit points.
References
[1] Agarwal, Y., & Hall, M. (2012). Protect My Privacy: Detecting and Mitigating Privacy Leaks on iOS Devices Using Crowdsourcing Categories and Subject Descriptors. Proceedings of the 11th Annual International Conference on Mobile Systems, Applications, and Services, 6(September), 97–109.
[2] Ávila, R., Khoury, R., Khoury, R., & Petrillo, F. (2021). Use of Security Logs for Data Leak Detection: A Systematic Literature Review. Security and Communication Networks, 2021(4). https://doi.org/10.1155/2021/6615899
[3] Fu, H., Hu, P., Zheng, Z., Das, A. K., Pathak, P. H., Gu, T., & Zhu, S. (2020). Towards Automatic Detection of Nonfunctional Sensitive Transmissions in Mobile Applications. IEEE Transactions on Mobile Computing, 20(10), 3066–3080. https://doi.org/10.1109/TMC.2020.2992253
[4] Keng, J. C. J., Wee, T. K., Jiang, L., & Balan, R. K. (2013). The Case for Mobile Forensics of Private Data Leaks: Towards Large-Scale User-Oriented Privacy Protection. Proceedings of the 4th Asia-Pacific Workshop on Systems, APSys 2013. https://doi.org/10.1145/2500727.2500733
[5] Mariani, M. M., Di Felice, M., & Mura, M. (2016). Facebook as a Destination Marketing Tool: Evidence from Italian Regional Destination Management Organizations. Tourism Management, 54, 321–343. https://doi.org/10.1016/j.tourman.2015.12.008
[6] Presidential Decree. (2018).
[7] Tamma, R., Skulkin, O., Mahalik, H., & Bommisetty, S. (2020). Practical Mobile Forensics (Fourth Ed.). Packt Publishing.
[8] Tiwari, P. K. (2020). Study and Assessment of Reverse Engineering Tool, (May), 297–300.
[9] Wongwiwatchai, N., Pongkham, P., & Sripanidkulchai, K. (2020a). Comprehensive Detection of Vulnerable Personal Information Leaks in Android Applications. IEEE INFOCOM 2020 - IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2020, 121–126. https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9163043
[10] Wongwiwatchai, N., Pongkham, P., & Sripanidkulchai, K. (2020b). Detecting Personally Identifiable Information Transmission in Android Applications Using Light-weight Static Analysis. Computers and Security, 99. https://doi.org/10.1016/j.cose.2020.102011
[11] Zhang, X., Baggili, I., & Breitinger, F. (2017). Breaking into the Vault: Privacy, Security and Forensic Analysis of Android Vault Applications. Computers and Security, 70, 516–531. https://doi.org/10.1016/j.cose.2017.07.011