Friday, May 22, 2020

App Nandbox Messenger on Android

In this post I give an overview of the app "Nandbox messenger" for Android.
Information on the app is available from https://nandbox.com/en/messenger/

I've used Android 6 and Nandbox 1.6.485 for my analysis.

To use the messenger you need to register via mail or phone number. Only one is possible.

Path

The path of the application data is:

/data/data/com.nandbox.nandbox


Used Account

The used account can be found in the following file (sqlite-database):

database/courgette
Table: Profile

The earliest entry is the account used in the app.

You can get the username, the MSISDN (for this app this is either the mail address or the phone number) and the time the account was created (Unix epoch ms, UTC).
You can also find the ACCOUNT_ID. This is the primary key of the table and is used as an identifier, e.g. for messages.

In addition to the way above, you can get the used MSISDN from another file:

shared_prefs/RegisterLevels

It is an XML file. The key "msisdn" holds the value.


Contacts

The contacts can also be found in the main database:

database/courgette
Table: Profile

All entries except the earliest one.


Messages

All messages are stored in the main database:

database/courgette
Table: Message

Timestamps are in Unix Epoch (ms) UTC.
In the table you can also find the path to the media files sent/received (column LOCAL_PATH).


Media Files

Images

The sent/received images are stored at:

/data/media/0/nandbox/nandbox_Image

The name is unique and can be mapped to the message in the database "courgette".

Additionally the images are stored in the cache folder:

/data/data/com.nandbox.nandbox/cache/Image


Here the images have the name [LID]_base64.jpg. LID is the ID of the message in the database "courgette".

Audio Files

Audio Files are called Voice Notes in this App. They are stored at:

/data/data/com.nandbox.nandbox/cache/Voice_Note

The files have unique names and are m4a files. The names can be mapped to the messages in the database "courgette".


What happens when deleting messages?

Additionally I've tested what happens if a user deletes the message. One of the features of this app is the recall of messages even on the device of the communication partner.

I tested both sides. What happens on the side of the user who deletes and what happens on the device of the communication partner.

Local device

When deleting a message on one's own device, the message is removed from the database. One can see that a message is missing because a LID is missing. I've not tested the recovery of the entry via carving.
If there was a media file in the message, this file would be deleted in the file system's media folder. For an image this was

/data/media/0/nandbox/nandbox_Image

But the image is still available in the cache folder.

/data/data/com.nandbox.nandbox/cache/Image
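The two local-deletion indicators described above (a gap in the LID sequence and a cache image whose LID no longer has a database row) can be checked with a short script. This is an added example, not part of the original analysis: the database and file listing are constructed, only the table Message, the columns LID and LOCAL_PATH and the name pattern [LID]_base64.jpg come from the post, and SEND_TIME is a hypothetical name for the timestamp column.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample data; on a real extraction open database/courgette instead.
# SEND_TIME is a hypothetical column name for the epoch-ms timestamp.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Message "
                 "(LID INTEGER PRIMARY KEY, SEND_TIME INTEGER, LOCAL_PATH TEXT)")
    rows = [
        (1, 1590130800000, None),
        (2, 1590130860000, "/data/media/0/nandbox/nandbox_Image/a1.jpg"),
        (5, 1590131100000, None),  # LIDs 3 and 4 were deleted in this sample
    ]
    conn.executemany("INSERT INTO Message VALUES (?, ?, ?)", rows)
    return conn

def missing_lids(conn):
    """Return LIDs absent between the lowest and highest LID still present."""
    present = [r[0] for r in conn.execute("SELECT LID FROM Message ORDER BY LID")]
    if not present:
        return []
    return sorted(set(range(present[0], present[-1] + 1)) - set(present))

CACHE_NAME = re.compile(r"^(\d+)_base64\.jpg$")

def orphaned_cache_images(conn, filenames):
    """Map cache/Image file names to LIDs; return those without a Message row."""
    present = {r[0] for r in conn.execute("SELECT LID FROM Message")}
    orphans = {}
    for name in filenames:
        m = CACHE_NAME.match(name)
        if m and int(m.group(1)) not in present:
            orphans[int(m.group(1))] = name
    return orphans

def ms_to_utc(ms):
    """Convert a Unix epoch millisecond value to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

if __name__ == "__main__":
    db = build_sample_db()
    cache = ["2_base64.jpg", "4_base64.jpg", "thumbs.db"]  # constructed listing
    print("missing LIDs:", missing_lids(db))
    print("orphaned cache images:", orphaned_cache_images(db, cache))
```

A gap only shows that a row is gone; an orphaned cache image additionally ties recoverable content to one of the missing LIDs.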

Remote Device

On the remote device you will see a message with the text "**message has been recalled**".
This is also the content in the database.
But: for media files the data is still available in the entry of the database. The path to the image/audio file is in there. And the files themselves are also still in the file system.

Finally, when the user on the remote device now deletes the message with the content "**message has been recalled**" the entry is deleted in the database. But a media file would not be removed from the file system.

Conclusion

Nandbox in the used version doesn't use any encryption, which makes the analysis simple. And the cache is a goldmine for media files sent or received.

I have not tested the group feature and also not tested the multiple profile feature. So a bit more testing can be done.

Hope you had a fun and informative read.



Thursday, May 21, 2020

App SKOUT on Android

What is it about?


Hey everyone, this post is about the app "SKOUT" on Android. It is a really short post, just the basics I found while doing a quick analysis related to a case. And because my last post is a long while ago I decided to quickly share my results.

Part of the results in here were extracted from the published Android 10 image by @josh_hickman1. Kudos to him for his great work! (Source: https://thebinaryhick.blog/2020/02/15/android-10-image-now-available/)

SKOUT is a social network and the app offers features like chatting, meeting via video chat and broadcasting. More info can be found at https://www.skout.com/ or https://play.google.com/store/apps/details?id=com.skout.android

Used App Version: 6.17.0
Used Android Version: 10

Where can the information be found?

Android path:

/data/data/com.skout.android

Used Account:

Here you can find the userid and the username:
shared_prefs/USERIDPREFS.xml

And here you can find the used mail address and the used password in clear text. (Yeah, really - clear text):
shared_prefs/LOGIN_PREFS.xml


Contacts:

The contacts can be found in the following database:

databases/skoutDatabase
Table: skoutUserTable

The timestamp stored for the last message of a user is in epoch milliseconds UTC.


Messages:

The messages can be found in the following database:

databases/skoutDatabase
Table: SkoutMessagesTable


The timestamps stored for the messages are in epoch milliseconds UTC.

Media Files:

I was not able to find the media files sent/received on the device. Some images are in the cache folder
cache/.cache/c1

But I was not able to map any of them to a message.

Additional Files/Info:

You can find the last logged location in the following file:

shared_prefs/LOCATION_PREFS.xml