Enabling the forensic study of application-level encrypted data in Android via a Frida-based decryption framework

Abstract

The forensic study of mobile apps that use application-level encryption requires the decryption of the data they generate. Such a decryption requires the knowledge of the encryption algorithm and key. Determining them requires, however, a quite complex analysis that is time-consuming, error prone, and often beyond the reach of many forensic examiners. In this paper, we tackle this problem by devising a framework able to automate, to a large extent, the automatic decryption of these data. Our framework is based on the use of dynamic instrumentation of app’s binary code by means of hooking, which enables it to export the plaintext of data after they have been decrypted by the app, as well as the corresponding encryption key and parameters. This framework has been conceived to be used only with test devices used for forensic study purposes, and not with devices that need to be forensically analyzed. We describe the architecture of the framework, the implementation of its components and of the hooks supporting three prominent and popular encryption libraries, namely SQLCipher, Realm and Jetpack Security. Also, we validate our framework by comparing its decryption results against those published in the literature for Wickr Me, Signal,Threema, and Element.

Publication
In 18th International Conference on Availability, Reliability and Security (ARES), Benevento, Italy, August 29 - September 1, 2023