Analyzing Data On Android Devices

Demonstrates how to inspect Android application data on rooted devices across shared storage, internal storage, external storage, and SQLite databases. Includes command-line examples for locating and extracting data useful in security testing and analysis.

Coveros Staff

May 18, 2015

Introduction

I just finished giving my talk at StarEast about testing on a rooted device, and it went wonderfully. The room wasn’t packed, but the people who were there were the correct people…and that is what I really care about. We covered a good overview for each device, discussed multiple tools, and also talked a lot about data. We went through a live demo of how to access data on a rooted device, where the data is, and how it is stored. I had a few requests about the steps that I took, so I want to go through those with you today.

Shared storage, internal storage, and SQLite databases all live under the /data/data/[APP PACKAGE]/ folder. Depending on the type of data you are trying to access, you may need a rooted device.

Shared Storage

There is a shared storage location on Android devices where application data meant to be shared is stored. This data is stored as primitive data types in key-value pairs. To access it, navigate to the folder mentioned above and look for the shared_prefs directory. The files there are XML files, so a simple cat command is enough to view them. For example:

cd /data/data/org.owasp.goatdroid.fourgoats/
ls
cat shared_prefs/proxy_info.xml

Internal Storage

Each application also has a private location for storing data. This is private data in the device's internal memory: the application's data lives in a private sandbox and is deleted when the application is uninstalled. It sits under the same /data/data/[APP PACKAGE]/ folder identified above, but may be nested in a different subfolder (typically files). Any file or folder structure can be placed here. For example:

cd /data/data/ru.andrey.notepad/
ls
cd files
ls
cat tos

External Storage

All of the external storage lives on the SD card. Like most Linux-based systems, the SD card is mounted under the /mnt folder. All data in this folder is open for every other application to access; there is no per-application access control on external media. To access this data, follow the example below:

cd /mnt/sdcard/
ls
cd Notepad
ls
cd ../NotepadBackup
ls

SQLite Access

The last place to find data on the device is in SQLite databases. This is structured data in a private database. To access it, sqlite3 commands can be run on the device itself. These databases exist in the same location indicated above, but in their own databases folder. Because I don’t usually know the structure of the database, I prefer to use generic commands such as .dump to access it. It’s also a great way to determine whether the database is encrypted or not: an unencrypted database dumps as readable SQL, an encrypted one does not. Some examples of these commands are below (.dump and .quit are typed at the sqlite3 prompt):

cd /data/data/org.owasp.goatdroid.fourgoats
sqlite3 databases/userinfo.db
.dump
.quit
cd /data/data/ru.andrey.notepad/
sqlite3 databases/notepaddapp.db
.dump
.quit
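As an added example that is not part of the original post, here is a small Python triage helper for files pulled off the device from the shared_prefs and databases folders above (for instance with adb pull): it checks whether a database file still carries the cleartext SQLite 3 header that .dump relies on, or looks encrypted, and flattens a shared_prefs XML file so credential-like keys stored in cleartext stand out. The sample XML and the key-name pattern are constructed assumptions, not files from GoatDroid.

```python
import re
import xml.etree.ElementTree as ET

# First 16 bytes of every unencrypted SQLite 3 file. SQLCipher and similar
# page-level encryption replace this header, so the file looks like noise.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Assumed (constructed) pattern for credential-like preference names.
SENSITIVE = re.compile(r"pass|pwd|secret|token|key|pin|cred", re.I)


def is_plain_sqlite(header: bytes) -> bool:
    """True if the pulled file is a cleartext SQLite DB that .dump can read."""
    return header[:16] == SQLITE_MAGIC


def parse_shared_prefs(xml_text: str) -> dict:
    """Flatten a SharedPreferences XML <map> into {name: value}.
    <string> keeps its value as element text, <set> holds child <string>s,
    and boolean/int/long/float carry a value= attribute."""
    prefs = {}
    for el in ET.fromstring(xml_text):
        name = el.get("name")
        if el.tag == "string":
            prefs[name] = el.text or ""
        elif el.tag == "set":
            prefs[name] = [child.text or "" for child in el]
        else:
            prefs[name] = el.get("value")
    return prefs


def cleartext_findings(prefs: dict) -> list:
    """Names of non-empty preferences whose key looks credential-like."""
    return sorted(k for k, v in prefs.items() if v and SENSITIVE.search(k))


# Constructed sample, modelled on the shared_prefs/proxy_info.xml layout the
# post cats from the GoatDroid package; every value here is made up.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="proxy_host">10.0.2.2</string>
    <int name="proxy_port" value="8080" />
    <boolean name="remember_me" value="true" />
    <string name="password">hunter2</string>
</map>"""

if __name__ == "__main__":
    prefs = parse_shared_prefs(SAMPLE_PREFS)
    print("shared_prefs contents:", prefs)
    print("credential-like keys stored in cleartext:", cleartext_findings(prefs))
    # For a real userinfo.db the header comes from open(path, "rb").read(16)
    print("readable by .dump?", is_plain_sqlite(SQLITE_MAGIC + b"\x10\x00"))
```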

Coveros Staff

This post represents the collective insights of the Coveros team. Our staff consists of software experts who bring deep experience in secure agile development, DevOps, testing, and software quality. Over the past 20 years, Coveros has trained more than 30,000 professionals and worked with half of the Fortune 100 companies on mission-critical software development challenges. We draw on this extensive experience to share practical insights, proven strategies, and real-world solutions that help organizations build better software faster and more securely.