WeChat analysis

WeChat is a messaging app with over 100,000,000 downloads in the Play Store.

Package name: com.tencent.mm

Note that some of these paths contain an asterisk (*). This is used to indicate a unique string that will differ for each account. Our device had 7f804fdbf79ba9e34e5359fc5df7f1eb in place of the asterisk.

Files of interest:

  • /files/host/*.getdns2
  • /shared_prefs/
    • com.tencent.mm_preferences.xml
    • system_config_prefs.xml
  • /sdcard/tencent/MicroMsg/
    • diskcache/
    • WeChat/
  • /sdcard/tencent/MicroMsg/*/
    • image2/
    • video/
    • voice2/
  • /MicroMsg/
    • CompatibleInfo.cfg
    • */EnMicroMsg.db

The *.getdns2 files found in /files/host can be opened as text files or in a hex editor. They contain a section called [clientip] that records the IP address from which the user connected, along with the time of the connection in Linux epoch format. Our device contained three of these files, corresponding to three different connections; heavier application usage may generate more than three.

The com.tencent.mm_preferences.xml file in /shared_prefs records the device's phone number in the login_user_name field. The system_config_prefs.xml file contains the path to the user's profile picture on the device, as well as a default_uin value that will be needed later.
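The following is an added triage helper, not code from the book or from WeChat, covering the two artefact types just described: it pulls login_user_name and default_uin out of a shared_prefs XML file and extracts the IP and timestamp from the [clientip] section of a *.getdns2 file. Both sample inputs are constructed; the key=value layout and key names inside the *.getdns2 sample are assumptions, since the text only states that the section holds an IP and an epoch time.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of an Android shared_prefs file. The real
# com.tencent.mm_preferences.xml / system_config_prefs.xml hold many more keys.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_user_name">+15555550100</string>
    <long name="default_uin" value="1234567890" />
</map>"""

# Constructed sample of a *.getdns2 file. The key=value layout and the key
# names are assumptions; only the [clientip] section name, the IP and the
# epoch timestamp come from the description above.
SAMPLE_GETDNS2 = """[clientip]
clientip=203.0.113.7
clienttime=1417440000
[dns]
host=example.invalid"""


def read_prefs(xml_text, wanted):
    """Return {key: value} for the requested keys of a shared_prefs file.
    <string> stores its value as element text; <int>/<long>/<boolean>
    store it in a 'value' attribute, so both shapes are handled."""
    found = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if name in wanted:
            value = elem.get("value")
            found[name] = value if value is not None else (elem.text or "")
    return found


def parse_clientip(text):
    """Return (ip, utc_datetime) from the [clientip] section, or None.
    Values are located by shape rather than by key name, so the real
    key names (unknown here) do not matter."""
    section = re.search(r"\[clientip\](.*?)(?=\n\[|\Z)", text, re.S)
    if not section:
        return None
    body = section.group(1)
    ip = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", body)
    epoch = re.search(r"\b(\d{10})\b", body)  # epoch seconds, 10 digits
    if not ip or not epoch:
        return None
    when = datetime.fromtimestamp(int(epoch.group(1)), tz=timezone.utc)
    return ip.group(1), when
```

Run it against the real files by reading their contents into the two functions; the epoch conversion is done in UTC so the result can be lined up with other timeline artefacts.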

The SD card contains a wealth of WeChat data. The /tencent/MicroMsg/diskcache directory contained an image that was never used within the application; we think it was cached there when a different image was attached, because WeChat loads a preview of many images from the device's gallery. The /WeChat directory within /sdcard/tencent/MicroMsg contained images sent from the device.

The /video, /voice, and /voice2 folders within /sdcard/tencent/MicroMsg/* contain exactly what they say: video and voice files sent using the app.

WeChat is unusual in that it does not use a /databases directory within the app's directory structure; MicroMsg is its equivalent. CompatibleInfo.cfg contains the device's IMEI, which will be useful later.

The * directory within /MicroMsg contains the EnMicroMsg.db database. There's only one problem: the database is encrypted using SQLCipher! SQLCipher is an open source extension for SQLite that encrypts the entire database file. Luckily, as with other apps that use encryption, the key needed to decrypt the file can be recovered from the device.

Data storage method 9: SQLCipher, full database encryption
