Authors: Xiaodong Lin, Ph.D. (Wilfrid Laurier University), Ting Chen, Tong Zhu, Kun Yang, Fengguo Wei
DFRWS USA 2018
It is not uncommon that mobile phones are involved in criminal activities, e.g., the surreptitious collection of the credit card information. Forensic analysis of mobile applications plays a crucial part in order to gather evidence against criminals. However, traditional forensic approaches, which are based on the manual investigation, are not scalable to a large number of mobile applications. On the other hand, dynamic analysis is hard to automate due to the burden of setting up the proper runtime environment to accommodate OS differences and dependent libraries and activate all feasible program paths. We propose a fully automated tool, Fordroid for the forensic analysis of mobile applications on Android. Fordroid conducts inter-component static analysis on Android APKs and builds control flow and data dependency graphs. Furthermore, Fordroid identifies what and where information written in local storage with taint analysis. Data is located by traversing the graphs. This addresses several technique challenges, which include inter-component string propagation, string operations (e.g., append) and API invocations. Also, Fordroid identifies how the information is stored by parsing SQL commands, i.e., the structure of database tables. Finally, we selected 100 random Android applications consisting of 2841 components from four categories for evaluation. Analysis of all apps took 64 h. Fordroid discovered 469 paths in 36 applications that wrote sensitive information (e.g., GPS) to local storage. Furthermore, Fordroid successfully located where the information was written for 458 (98%) paths and identified the structure of all (22) database tables.