TY - GEN
T1 - Enabling the forensic study of application-level encrypted data in Android via a Frida-based decryption framework
AU - Anglano, Cosimo
AU - Canonico, Massimo
AU - Cepollina, Andrea
AU - Freggiaro, Davide
AU - Gallo, Alderico
AU - Guazzone, Marco
N1 - Publisher Copyright:
© 2023 ACM.
PY - 2023/8/29
Y1 - 2023/8/29
N2 - The forensic study of mobile apps that use application-level encryption requires the decryption of the data they generate. Such a decryption requires the knowledge of the encryption algorithm and key. Determining them requires, however, a quite complex analysis that is time-consuming, error prone, and often beyond the reach of many forensic examiners. In this paper, we tackle this problem by devising a framework able to automate the decryption of these data when third-party encryption libraries or platforms are used. Our framework is based on the use of dynamic instrumentation of app's binary code by means of hooking, which enables it to export the plaintext of data after they have been decrypted by the app, as well as the corresponding encryption key and parameters. This framework has been conceived to be used only with test devices used for forensic study purposes, and not with devices that need to be forensically analyzed. We describe the architecture of the framework as well as the implementation of its components and of the hooks supporting three prominent and popular encryption libraries, namely SQLCipher, Realm and Jetpack Security. Also, we validate our framework by comparing its decryption results against those published in the literature for Wickr Me, Signal, Threema, and Element.
AB - The forensic study of mobile apps that use application-level encryption requires the decryption of the data they generate. Such a decryption requires the knowledge of the encryption algorithm and key. Determining them requires, however, a quite complex analysis that is time-consuming, error prone, and often beyond the reach of many forensic examiners. In this paper, we tackle this problem by devising a framework able to automate the decryption of these data when third-party encryption libraries or platforms are used. Our framework is based on the use of dynamic instrumentation of app's binary code by means of hooking, which enables it to export the plaintext of data after they have been decrypted by the app, as well as the corresponding encryption key and parameters. This framework has been conceived to be used only with test devices used for forensic study purposes, and not with devices that need to be forensically analyzed. We describe the architecture of the framework as well as the implementation of its components and of the hooks supporting three prominent and popular encryption libraries, namely SQLCipher, Realm and Jetpack Security. Also, we validate our framework by comparing its decryption results against those published in the literature for Wickr Me, Signal, Threema, and Element.
UR - http://www.scopus.com/inward/record.url?scp=85169685704&partnerID=8YFLogxK
U2 - 10.1145/3600160.3605029
DO - 10.1145/3600160.3605029
M3 - Conference contribution
AN - SCOPUS:85169685704
T3 - ACM International Conference Proceeding Series
BT - ARES 2023 - 18th International Conference on Availability, Reliability and Security, Proceedings
PB - Association for Computing Machinery
T2 - 18th International Conference on Availability, Reliability and Security, ARES 2023
Y2 - 29 August 2023 through 1 September 2023
ER -