Authors: Afiqah M. Azahari, Andrea Oliveri and Davide Balzarotti
DFRWS EU 2026
Abstract
The reliability of mobile forensic analysis depends not only on the ability to extract application databases but also on the stability of the structures that organize user data. As Android applications evolve, their databases undergo continual schema modifications, which alter established acquisition workflows.
In this paper, we present the first longitudinal study of schema drift in Android mobile applications, examining 320 versions of 20 popular Android apps released between 2022 and 2025. By systematically extracting and analyzing their databases, we reveal how structural changes, ranging from incremental column additions to the removal of entire tables, shape the evidential landscape. We further assess the resilience of SQL-based forensic queries across versions, showing how even minor schema drift can invalidate extractions or may miss newly introduced artifacts. Our results demonstrate that communication and social media apps exhibit the most volatile schema evolution, while navigation, browser, and note-taking apps remain comparatively stable. These findings reveal a critical yet overlooked threat to evidential completeness, motivating the development of adaptive, drift-aware forensic tools that can anticipate and accommodate ongoing application evolution.