How-to subvert Android backups to export sandboxed app files

David Lodge 14 Apr 2016

During Android security reviews one of the most annoying and troublesome things I come across is getting the data onto my assessment machine for thorough analysis. It’s the copying of sandboxed application files that’s a real bugbear.

In an effort to reduce my pain I use the following method.

App sandboxing 101

As a little refresher, every installed application on Android is given a directory in which to store its internal files. This directory is restricted by file permissions so it is only accessible by the application and the root user. This is known as the application’s sandbox.

The sandbox is stored under /data/data/appname, where "appname" is the fully qualified package name the application was built with.

Here’s an example from a device running Marshmallow:

root@hammerhead:/data/data # cd ptp.unacceptablebehaviour
root@hammerhead:/data/data/ptp.unacceptablebehaviour # ls -l
drwxrwx--x u0_a105  u0_a105           2016-03-22 11:37 app_webview
drwxrwx--x u0_a105  u0_a105           2016-03-22 12:11 cache
drwxrwx--x u0_a105  u0_a105           2016-03-22 12:11 code_cache
drwxrwx--x u0_a105  u0_a105           2016-03-22 12:11 shared_prefs

In Android every app is given a unique user (in this case u0_a105) and group. With Unix file permissions the only users that can access the sandbox are:

  • root
  • u0_a105
  • Members of the u0_a105 group

So, how can I get the files I want back to my assessment laptop for analysis if I’m not any of the above? This is where backup comes in.

The allowBackup parameter

The app controls whether it can be backed up through the android:allowBackup attribute of the <application> tag in AndroidManifest.xml. If the attribute is omitted it defaults to true, so backups are allowed.

Backups are useful as you don't need to be root to make one. This means that you can extract cleartext secrets directly from an app's sandbox without rooting your device; all you need is adb and physical access to an unlocked device.

To make a backup, you can use the adb backup command (the -d flag just directs adb at the USB-connected device rather than an emulator):

C:\Users\dave\Desktop>adb -d backup com.ptp.unacceptablebehaviour

You will then have to unlock the device and confirm on screen before the backup goes ahead.

By default it will save a file called backup.ab in the directory adb was run from. The format is a slightly modified tar file with a 24 byte header:

ANDROID BACKUP
3
1
none

Line 1 is the magic string (it identifies the file type), line 2 is the format version number, line 3 is a compression flag (1 means the payload is zlib compressed, 0 means it is not) and line 4 is the encryption algorithm (none here). When the backup is encrypted there are extra header fields for the key derivation parameters, but we don't need those here.

Extracting that data

After these fields is the data in .tar format. If the file is compressed we need to decompress it. I do this through python as I’m lazy (I really need to script this). This is all for a compressed and unencrypted file:

>>> import zlib
>>> with open("backup.ab", "rb") as f:
...     data = f.read()
...
>>> zipped = data[24:]          # everything after the 24 byte header
>>> raw = zlib.decompress(zipped)
>>> with open("backup.tar", "wb") as o:
...     o.write(raw)
...
>>> exit()

This should remove the header and write it decompressed to backup.tar which you can then open up in your favourite tar file reader, such as 7-zip:
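A fuller version of that decompression step, added here as an example and not taken from the original post: it parses the four header lines rather than assuming a fixed 24-byte offset (so other version numbers work too), refuses encrypted backups instead of feeding ciphertext to zlib, and lists the tar members. The sample .ab file it builds (package name, file path and contents) is constructed inline purely so the code runs offline.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def parse_ab_header(data):
    """Split an .ab file into its header fields and the payload after them.

    The header is four newline-terminated lines: magic, version, compression
    flag, encryption algorithm. Reading line by line instead of slicing at a
    fixed 24-byte offset also copes with other version numbers.
    """
    fields, pos = [], 0
    for _ in range(4):
        nl = data.index(b"\n", pos)
        fields.append(data[pos:nl])
        pos = nl + 1
    magic, version, compressed, encryption = fields
    if magic != MAGIC:
        raise ValueError("not an Android backup file")
    return {"version": int(version), "compressed": compressed == b"1",
            "encryption": encryption.decode(), "payload": data[pos:]}


def ab_to_tar(data):
    """Return the raw tar archive carried by an unencrypted backup."""
    hdr = parse_ab_header(data)
    if hdr["encryption"] != "none":
        raise ValueError("encrypted backup (%s): not handled here" % hdr["encryption"])
    return zlib.decompress(hdr["payload"]) if hdr["compressed"] else hdr["payload"]


def list_backup_files(data):
    """Names of the files inside the backup, e.g. apps/<pkg>/sp/prefs.xml."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def build_sample_ab():
    """Constructed test input: a one-file tar wrapped in a compressed v3 header."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        body = b'<string name="token">constructed-sample</string>\n'
        info = tarfile.TarInfo("apps/com.example.app/sp/prefs.xml")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return b"ANDROID BACKUP\n3\n1\nnone\n" + zlib.compress(buf.getvalue())
```

On a real backup.ab, `list_backup_files(open("backup.ab", "rb").read())` shows the sandbox paths before you unpack anything, which is a quick way to confirm the app really did expose its shared_prefs and databases.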

If you don’t fancy rolling your own reader in python then you can use the android-backup-extractor (https://github.com/nelenkov/android-backup-extractor) utility to do this for you:

c:\users\dave\desktop> java -jar abe.jar unpack backup.ab backup.tar