All Application Storage Is Not the Same: Not Just Across OS Versions, But Across Mobile Operating Systems
First, let me begin by explaining why there has been such a long delay in new posts to my blog. I started 2020 by having both of my knees replaced. Then in Feb. I lost my youngest brother (52) to Covid-19. Then, in April my father was diagnosed with cancer and given three months to live. My father passed away on July 7. In the midst of all of this, I did manage to obtain my Masters in Digital Forensic Science from Champlain College in May.
This post is about two mobile applications, ProtonMail and Threema Secure Messaging. I tested both applications on a Samsung Galaxy S6 rooted with OneClickRoot and running Android 7, and on an Apple iPhone 7 running iOS 13.3.1. I extracted a full file system dump from the Samsung Galaxy S6 using Magnet Acquire v. 2.30.22097 (the version given below). I created a backup of the iPhone 7 on a 2019 MacBook Pro and used iBackup Viewer v. 4.1600 to view the backup files. I also used DB Browser for SQLite v. 3.32.2, on Windows 10 and in the Mac version on the 2019 MacBook Pro. I will be jailbreaking the iPhone 7 soon and will post any additional information I obtain. I used Autopsy v. 4.14.0 to view the Android 7 full file system image.
I downloaded ProtonMail v. 1.13.10 to the Samsung Galaxy S6. Next, I used a Google Play credit card to purchase and download Threema Secure Messaging v. 4.4 at a price of $2.99. See screenshot below.
Then, I downloaded the ProtonMail v. 1.12.3 (4568) app and Threema v. 4.6.1 onto the iPhone 7 from the Apple App Store. The Threema app price was $2.99. See screenshot of the iPhone 7 screen below.
I then began populating test data on both devices using these two applications. First, I sent email messages between the iOS user account (firstname.lastname@example.org) and the Android user account (email@example.com). I selected a 4096-bit key for the iOS user account and a 2048-bit key for the Android user account. See screenshots below.
I then collected a full image from the Samsung Galaxy S6 using Magnet Acquire v. 2.30.22097. This was done on an MSI Stealth laptop (16 GB RAM, Intel i7 CPU) running Windows 10 v. 1909, Build 18363.1082. Once the image was complete, I used Autopsy v. 4.14.0 to conduct my analysis.
The folder data/ch.protonmail.android/databases contains 25 databases. One of these database files is Yi50aG9tcHNvbjU1-MessagesDatabase.db. Note that the filename prefix is plain Base64: it decodes to the ProtonMail username, so the account holder is identifiable from the filename alone, before the database is even opened. See image below.
I extracted Yi50aG9tcHNvbjU1-MessagesDatabase.db to the Export folder and opened it with the SQLite viewer built into Autopsy. The email subjects are readable in plaintext in the "Subject" column, as are the "Sender_SenderName" and "Sender_SenderSerialized" columns. See images below.
In-Reply-To: <ZqeojIfJFbDuv5OcPpyf40KntDDH0zn3JXH77lQaDvPOeG98a7bhSg_gYAMHeWHGdF3hLcAsxP2XGfvLDhlNoTKj7nfOd6CvJgGB-ASi7WAfirstname.lastname@example.org>
References: <ZqeojIfJFbDuv5OcPpyf40KntDDH0zn3JXH77lQaDvPOeG98a7bhSg_gYAMHeWHGdF3hLcAsxP2XGfvLDhlNoTKj7nfOd6CvJgGB-ASi7WAemail@example.com>
X-Pm-Origin: internal
X-Pm-Content-Encryption: end-to-end
Subject: Re: TEST message
To: Brian <firstname.lastname@example.org>
From: Lorie <email@example.com>
Date: Sat, 05 Sep 2020 14:40:36 +0000
Mime-Version: 1.0
Content-Type: text/html
Message-Id: <SEu8uKSwGkp2qVgJTIvUubd_0eOEliLZqjDQ8-z6RbU-R0rjrxm_EEK3qR7kpttlBtq1Dy0zMGZCSZZpi1PtasYHkHmhTQ6V_XY6osD9nhAfirstname.lastname@example.org>
X-Pm-Spamscore: 0
Received: from mail.protonmail.ch by mail.protonmail.ch; Sat, 05 Sep 2020 10:40:47 -0400
X-Original-To: email@example.com
Return-Path: <firstname.lastname@example.org>
Delivered-To: email@example.com
Also notable are the "Unread", "Header", "MIMEType" and "AccessTime" columns: the full RFC 822 header shown above (sender, recipient, subject, timestamps and Message-Id) sits in the "Header" column in plaintext even though the message itself is end-to-end encrypted. The "Body" column is encrypted. See images below. The "ToList" column is not encrypted, only Base64 encoded.
Below is the data from the first row of "ToList", followed by the plaintext obtained with the From Base64 operation in CyberChef.
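The following Python script is an added example and is not code from the original post or from ProtonMail. It reproduces the triage just described against a constructed copy of a MessagesDatabase.db: it decodes the Base64 username prefix from the filename, pulls the plaintext metadata columns named above, parses the stored "Header" value into sender, recipient, date and Message-Id, decodes the Base64 "ToList" value, and checks whether "Body" is still ciphertext. The column names are the ones seen in Autopsy; the table name messagev3, the JSON shape of the decoded "ToList" value, and the assumption that an encrypted body is an ASCII-armored PGP block are assumptions made for this example, and the sample rows are constructed, not data from the device.

```python
import base64
import json
import sqlite3
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# ASSUMPTION: table name. The column names below are the ones seen in the post.
TABLE = "messagev3"

# Constructed header text (in the real column the header lines are separated by
# line breaks; Autopsy's grid view flattens them onto one line).
SAMPLE_HEADER = (
    "X-Pm-Origin: internal\r\n"
    "X-Pm-Content-Encryption: end-to-end\r\n"
    "Subject: Re: TEST message\r\n"
    "To: Brian <brian@example.org>\r\n"
    "From: Lorie <lorie@example.com>\r\n"
    "Date: Sat, 05 Sep 2020 14:40:36 +0000\r\n"
    "Mime-Version: 1.0\r\n"
    "Content-Type: text/html\r\n"
    "Message-Id: <constructed-id@example.org>\r\n"
    "X-Pm-Spamscore: 0\r\n"
)

# Constructed database file name: <Base64(username)>-MessagesDatabase.db
SAMPLE_DB_NAME = base64.b64encode(b"alice.test").decode() + "-MessagesDatabase.db"


def build_sample_db():
    """Create an in-memory stand-in for the messages database with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (ID TEXT, Subject TEXT, Sender_SenderName TEXT, "
        "Sender_SenderSerialized TEXT, Unread INTEGER, Header TEXT, MIMEType TEXT, "
        "AccessTime INTEGER, Body TEXT, ToList TEXT)"
    )
    # ASSUMPTION: ToList decodes to a JSON list of {"Address","Name"} objects.
    to_list = base64.b64encode(
        json.dumps([{"Address": "brian@example.org", "Name": "Brian"}]).encode()
    ).decode()
    # ASSUMPTION: an encrypted body is an ASCII-armored PGP message.
    body = "-----BEGIN PGP MESSAGE-----\n(constructed ciphertext)\n-----END PGP MESSAGE-----\n"
    conn.execute(
        f"INSERT INTO {TABLE} VALUES (?,?,?,?,?,?,?,?,?,?)",
        ("msg1", "Re: TEST message", "Lorie",
         json.dumps({"Address": "lorie@example.com", "Name": "Lorie"}),
         0, SAMPLE_HEADER, "text/html", 1599317036, body, to_list),
    )
    conn.commit()
    return conn


def username_from_db_name(filename):
    """Recover the account name from '<Base64(username)>-MessagesDatabase.db'."""
    prefix, sep, _ = filename.partition("-MessagesDatabase.db")
    if not sep:
        raise ValueError("not a ProtonMail messages database name: %r" % filename)
    return base64.b64decode(prefix, validate=True).decode("utf-8")


def decode_to_list(value):
    """ToList is stored Base64-encoded, not encrypted: decode and parse it."""
    return json.loads(base64.b64decode(value))


def triage_messages(conn):
    """Return the plaintext metadata of every row plus a flag for whether the
    body is still ciphertext, so an examiner sees what leaks without any key."""
    sql = (f"SELECT ID, Subject, Sender_SenderName, Header, MIMEType, Unread, "
           f"AccessTime, Body, ToList FROM {TABLE}")
    results = []
    for (msg_id, subject, sender_name, header, mime, unread,
         access_time, body, to_list) in conn.execute(sql):
        hdr = message_from_string(header or "")
        _, from_addr = parseaddr(hdr.get("From", ""))
        sent = parsedate_to_datetime(hdr["Date"]) if hdr.get("Date") else None
        results.append({
            "id": msg_id,
            "subject": subject,
            "sender_name": sender_name,
            "from_addr": from_addr,
            "sent_utc": sent.isoformat() if sent else None,
            "message_id": hdr.get("Message-Id"),
            "e2e": hdr.get("X-Pm-Content-Encryption") == "end-to-end",
            "mime": mime,
            "unread": bool(unread),
            "access_time": access_time,
            "recipients": [r["Address"] for r in decode_to_list(to_list or "")],
            "body_is_ciphertext": (body or "").lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
        })
    return results


if __name__ == "__main__":
    print("account:", username_from_db_name(SAMPLE_DB_NAME))
    for row in triage_messages(build_sample_db()):
        print(json.dumps(row, indent=2))
```

Against a real extraction, replace build_sample_db() with sqlite3.connect() on the exported file and iterate the 25 databases; the point the output makes is that subject, correspondents, timestamps and Message-Id are all recoverable with no key material, and only the body needs the private key.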
According to protonmail.com/blog, the following is stored locally:
- "Encrypted messages (opened since last logon) and attachments (viewed since last logon) along with metadata
- Public and private keys for encrypting and decrypting messages
- Access tokens for communication with the ProtonMail API
- User account details" (protonmail.com, 2020)
Surprisingly, the blog states that some of the above data is kept in secure (encrypted) key-value pairs, while the rest is stored in a database, and that most of the data is "encrypted at rest" (protonmail.com, 2020). The plaintext Subject, Header and recipient columns above show that the message metadata is not part of the "most".
To read more visit https://protonmail.com/blog/android-client-security-model/
Next, I went in search of the encryption keys. This took a little time, as they were not where I first expected them to be. I did locate the keys in data/misc/keystore/user_0. See images below. This was done using Autopsy v. 4.14.0. One caveat for anyone repeating this: that directory holds the Android Keystore's per-user key blobs, and on a device with a hardware-backed keystore (Keymaster in the TEE) those blobs are wrapped by a key that never leaves the secure hardware, so copying the files out of the image is not the same as having usable key material.
I am still working on the decryption part of this research.
OK, so I thought I would have my Elcomsoft iOS Forensic Toolkit sooner. That did not happen, and I have only just obtained my full file system dump of the iPhone 7 running iOS 13.3.1.
So stay tuned as I analyze that dump to see whether there are any ProtonMail artifacts in it. As far as iOS goes, I could not locate any ProtonMail artifacts in the iTunes backup. (An iOS app can exclude its files from backups, which is why a full file system extraction is the next step rather than the end of the road.)
In my next post I will finish with ProtonMail on iOS. Then I will start the post on Threema Secure Messaging.
I would like to thank @forensicmike for checking and validating my work. Mike Williamson, you are awesome!