Kik analysis

Kik is a messaging app with over 100,000,000 downloads from the Play Store.

Package name: kik.android

Files of interest:

  • /cache/
    • chatPicsBig/
    • contentpics/
    • profPics/
  • /files/staging/thumbs
  • /shared_prefs/KikPreferences.xml
  • /sdcard/Kik/
  • /databases/kikDatabase.db

The chatPicsBig and contentpics directories in /cache contain images that were sent and received within the application. The files in contentpics contain what appears to be Kik metadata embedded before the image; the JPG has to be carved out of these files. In our testing, all of the files in contentpics were also stored in chatPicsBig, though this may change with more extensive app usage. The user's profile picture is found in the /profPics directory.

Data storage method 8: Basic steganography; a file is stored within a larger file.

The /files/staging/thumbs directory contains thumbnails of images sent and received with the application; our testing found the same images in this location as the /cache directories, but again it is possible this would vary with more extensive application usage.

The KikPreferences.xml file in /shared_prefs shows the user's username and email address used with the application. Interestingly, it also contains an unsalted SHA1 hash of the user's password.

The /sdcard/Kik directory contains full-sized images that were sent and received in the application. The filenames can be correlated with messagesTable in kikDatabase.db to identify which message contained the image.

The kikDatabase.db database contains all of the messaging data from the application:

| Table | Description |
|---|---|
| KIKContentTable | This table contains metadata about sent and received images. Each message is assigned a unique content_id value that corresponds to the filenames in the /sdcard/Kik directory. The preview and icon values for each image correspond to the filenames found at /files/staging/thumbs. Each image also contains a file-url value; this is a public URL that can be accessed to view the file. |
| KIKcontactsTable | This table shows user_name and display_name for each contact. The in_roster value appears to be set for contacts the user has specifically added (if it is set to 1); contacts with an in_roster value of 0 appear to be added automatically. The jid column is a unique value for each contact. |
| messagesTable | This table contains all data for messages sent and received with the app. The body column shows the text data sent in a message. The partner_jid value can be correlated back to the jid column in KIKcontactsTable to identify the remote user. The was_me column is used to indicate the direction of the message (0 = sent, 1 = received). The read_state column shows whether the message has been read (500 = read and 400 = unread). The timestamp, yet again, is in Linux epoch format. The content_id column is populated with message attachments, and can be correlated to KIKContentTable for more information. |
