How-to subvert Android backups to export sandboxed app files
During Android security reviews one of the most annoying and troublesome things I come across is getting the data onto my assessment machine for thorough analysis. It’s the copying of sandboxed application files that’s a real bugbear.
In an effort to reduce my pain I use the following method.
App sandboxing 101
As a little refresher, every installed application on Android is given a directory in which to store its internal files. This directory is restricted by file permissions so it is only accessible by the application and the root user. This is known as the application’s sandbox.
The sandbox lives under /data/data/appname, where "appname" is the fully qualified package name the application was built with.
Here’s an example from a device running Marshmallow:
root@hammerhead:/data/data/ptp.unacceptablebehaviour # ls -l
drwxrwx--x u0_a105 u0_a105 2016-03-22 11:37 app_webview
drwxrwx--x u0_a105 u0_a105 2016-03-22 12:11 cache
drwxrwx--x u0_a105 u0_a105 2016-03-22 12:11 code_cache
drwxrwx--x u0_a105 u0_a105 2016-03-22 12:11 shared_prefs
In Android every app is given a unique user (in this case u0_a105) and group. With those Unix file permissions (drwxrwx--x: owner and group get full access, everyone else can only traverse the directory) the only users that can read the sandbox are:
- The u0_a105 user, i.e. the app itself
- Members of the u0_a105 group
- root, which bypasses file permissions entirely
So, how can I get the files I want back to my assessment laptop for analysis if I'm not any of the above? This is where backup comes in.
The allowBackup parameter
Whether an app can be backed up is controlled by the android:allowBackup attribute of the <application> tag in AndroidManifest.xml. If the attribute is absent it defaults to true, so backups are allowed unless the developer explicitly sets it to false.
Backups are useful because you don't need to be root to take one. This means you can extract cleartext secrets directly from an app's sandbox without rooting the device; all you need is adb, USB debugging enabled, and physical access to the device to confirm the prompt. (One caveat for newer devices: from Android 12, apps that target API level 31 or higher are excluded from adb backup unless they are marked debuggable, so this trick mostly pays off on older targets or debug builds.)
To make a backup, run adb backup -d followed by the package name; the -d just tells adb to use the attached physical device rather than an emulator.
You will then have to unlock the device and confirm the backup on screen before it goes ahead; leave the password field empty if you want the unencrypted format described below.
By default it will save a file called backup.ab in the directory adb was run from. The format is a tar file with a small text header in front of it, 24 bytes long for an unencrypted backup:
ANDROID BACKUP
1
1
none
Line 1 is the magic string (i.e. it identifies the file type), line 2 is the format version (a single digit; newer releases have bumped it), line 3 is a compression flag (1 means the payload is zlib-deflated) and line 4 is the encryption algorithm, which reads none here. If the backup was given a password this line reads AES-256 and five extra lines follow (the two salts, the PBKDF2 iteration count, the IV and the encrypted master key blob), but we don't need that.
Extracting that data
After the header comes the payload: a tar archive, zlib-deflated if the compression flag is 1, so we need to inflate it before a tar reader will touch it. I do this through python as I'm lazy (I really need to script this). This is all for a compressed and unencrypted file:
>>> import zlib
>>> with open("backup.ab", "rb") as f:
...     with open("backup.tar", "wb") as o:
...         o.write(zlib.decompress(f.read()[24:]))  # skip the 24-byte header, inflate the rest
This strips the header and writes the inflated payload to backup.tar, which you can then open in your favourite tar reader, such as 7-Zip:
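The header description and the python one-liner above are enough for the happy path; the following is an added example (my own code, not from the original post) that turns them into a small checked parser: it reads the four header lines, refuses encrypted backups instead of silently inflating ciphertext, handles both compression flag values, lists the sandbox files inside the tar, and includes a helper that answers the allowBackup question from a manifest. The backup it works on is constructed in memory so the script runs offline; the package name ptp.unacceptablebehaviour is the one from the post, while the shared_prefs file, its contents and the apps/<package>/sp/ path are assumptions made for the demo.

```python
"""Added example: parse and unpack an unencrypted Android `adb backup` (.ab) file.

Not code from the original post. The sample backup is built in memory; the
package path and the shared_prefs contents are constructed for the demo.
"""
import io
import tarfile
import xml.etree.ElementTree as ET
import zlib

MAGIC = b"ANDROID BACKUP"
HEADER_LINES = 4  # magic, version, compression flag, encryption algorithm
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def manifest_allows_backup(manifest_xml: str) -> bool:
    """True if the <application> tag permits adb backup.

    android:allowBackup defaults to true when absent, which is exactly the
    case the post warns about: an app is backup-able unless it opts out.
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return True
    return app.get(ANDROID_NS + "allowBackup", "true").lower() != "false"


def parse_ab_header(data: bytes) -> dict:
    """Split an .ab file into its header fields and the raw payload.

    The header is four newline-terminated text lines; with a single-digit
    version that is the 24 bytes the post describes. Encrypted backups carry
    five more lines (salts, PBKDF2 rounds, IV, master key) and are rejected here.
    """
    fields, pos = [], 0
    for _ in range(HEADER_LINES):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl])
        pos = nl + 1
    magic, version, compressed, encryption = fields
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    if encryption != b"none":
        raise NotImplementedError(
            f"encrypted backup ({encryption.decode()}): use abe with the password instead")
    return {"version": int(version), "compressed": compressed == b"1", "payload": data[pos:]}


def ab_to_tar(data: bytes) -> bytes:
    """Return the tar stream embedded in an unencrypted .ab file."""
    hdr = parse_ab_header(data)
    return zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]


def list_backup(data: bytes) -> dict:
    """Map every regular file in the backup to its contents."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data))) as tf:
        for member in tf.getmembers():
            if member.isfile():
                files[member.name] = tf.extractfile(member).read()
    return files


def make_sample_ab(files: dict, compressed: bool = True, version: int = 1) -> bytes:
    """Build a constructed .ab file for the demo (not a real device backup)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    body = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    header = b"%s\n%d\n%d\nnone\n" % (MAGIC, version, 1 if compressed else 0)
    return header + body


# Constructed sample: one shared_prefs file holding a cleartext token (assumed contents).
SAMPLE_FILES = {
    "apps/ptp.unacceptablebehaviour/sp/session.xml":
        b'<?xml version="1.0" encoding="utf-8"?><map><string name="token">hunter2</string></map>',
}
SAMPLE_AB = make_sample_ab(SAMPLE_FILES)

if __name__ == "__main__":
    hdr = parse_ab_header(SAMPLE_AB)
    print(f"version={hdr['version']} compressed={hdr['compressed']} header_len={len(SAMPLE_AB) - len(hdr['payload'])}")
    for name, content in list_backup(SAMPLE_AB).items():
        print(name, content.decode())
```

Against a real file, produce it with adb backup -d followed by the package name, then call list_backup(open("backup.ab", "rb").read()); the parser raises on an encrypted header rather than writing garbage, and the compressed flag is honoured rather than assumed.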
If you don't fancy rolling your own reader in python then you can use the android-backup-extractor (https://github.com/nelenkov/android-backup-extractor) utility to do this for you: java -jar abe.jar unpack backup.ab backup.tar, with the backup password as an optional final argument if you set one on the device.