Friday, 30 August 2019

Android - Locating Location Data: The Tile App

One of the hardest pieces of data in an investigation to find (and one of the most important to use) is location data. Proving where a device has been has always been something I've tried to dig into. This is the first in a series of blog posts around locating location data stored in 3rd party applications across both iOS and Android. Today I'll be starting with the Tile application on Android.

What is Tile?
The Tile app is the tracking piece for Tile Bluetooth tracking devices. These devices are often found attached to keys, in bags, and have even been built into items such as wallets. What they can do is provide someone who is prone to losing their keys (like I am) a way to locate them when they've been misplaced. Handy!

With recent updates to the Tile app, the devices work without being "always connected" to our phones. When you open the Tile app on a device, it will display the tiles associated with your account as well as other phones tied to your account. Your mobile device will ping out, and when a device is located, either by you or by someone else in Tile's mesh network of users, it will update its location on the map. If it's close enough to you, you can ping the device and see a ring that helps you get closer to it as well as play a sound from the device.

Interestingly enough, the app also tracks other devices that are signed into the account. I have several phones tied to my Tile account for testing, as well as family members, so we can track each other's keys when we lose them. This also allows me to see where those users are as long as they are constantly using the location services for the device (and if not, it will update when they open the app).

In this first screenshot you can see the devices that are listed and tied to my account.


If I click the center icon on the bottom I can see where my devices are on a map: 

Now, what data is the app storing? By navigating on an Android device to /data/data/com.thetileapp.tile/ I started to see some cool stuff. I started with the /shared_prefs/com.thetileapp.tile_preferences.xml file, which didn't have anything, boo. But checking other .xml files in here I did find some cool stuff. The TilePrefs.xml file revealed how many Tile devices are in my account, the current email associated with my account (helpful when asking for a search warrant WHICH you WILL want to do) and the UUID of my device. The ScanningTrackerSharedPrefs.xml file here also showed me a host of MAC addresses I've come in contact with (probably other Tile devices).


Next I headed over to /databases/ to see what was in there. Oh look, a SQLite database, my favorite!

In the tileAndroidDb.db I found some interesting stuff. Let's start with the table: discovered_tiles_table
Only 3 devices in this list are part of my 7 devices. Phone device UUIDs start with p!, and there are two other tiles in here I'm currently traveling with (6dbc.. and 6b0b...). The other entries are Tile devices that I have come into contact with. The downside of this database is that it's not permanent. I did two sets of tests and pulled data twice. Data I pulled earlier yesterday was not available in this database later today, which means that this database is constantly in flux. To find the devices this user owns, you can check the app and open the details for each device:

Or you could just go to the user_tile_table of that same database and get information like when the device was last seen, its last location (latitude and longitude), if it's lost or dead, timestamps of when it was seen and disconnected, and its name and type.



My favorite table by far is the location_history_table (and most frustrating). This one seems to constantly be in flux and doesn't store information for more than about a day or so (depends on how much data is being reported as well). 
There's lots of latitude and longitude data here, timestamps, and UUIDs for the tile devices that were discovered. This includes MY devices and OTHER devices that I just happened across during my travels.
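Because location_history_table rolls over within about a day, rows from separate pulls of tileAndroidDb.db are worth merging into one set. The following is an added example, not code from the original post: it unions rows across acquired copies without assuming column names, and the sample schema, values and file names in it are constructed for the demo.

```python
import os, sqlite3, tempfile

TABLE = "location_history_table"  # table name as given in the post

# Constructed rows; the column layout below is hypothetical, not the app's real schema.
R1 = ("p!constructed-phone", 36.10, -115.17, 1567100000000)
R2 = ("constructed-tile-a", 36.11, -115.18, 1567110000000)
R3 = ("constructed-tile-b", 36.12, -115.19, 1567190000000)

def read_rows(db_path, table=TABLE):
    """Open one acquired copy read-only; return (column names, rows)."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        cur = con.execute(f'SELECT * FROM "{table}"')
        return [d[0] for d in cur.description], cur.fetchall()
    finally:
        con.close()

def merge_pulls(db_paths, table=TABLE):
    """Union rows across pulls, keeping the first pull each row was seen in."""
    columns, merged = None, {}
    for path in db_paths:
        cols, rows = read_rows(path, table)
        if columns is None:
            columns = cols
        elif cols != columns:
            raise ValueError(f"schema differs in {path}")
        for row in rows:
            merged.setdefault(row, os.path.basename(path))
    return columns, merged

def build_sample(path, rows):
    """Create a stand-in database with a hypothetical four-column layout."""
    con = sqlite3.connect(path)
    con.execute(f"CREATE TABLE {TABLE} (tile_uuid TEXT, latitude REAL, longitude REAL, ts INTEGER)")
    con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()

def demo():
    """Two constructed pulls: R1 has rotated out of the second one."""
    d = tempfile.mkdtemp()
    first, second = os.path.join(d, "pull1.db"), os.path.join(d, "pull2.db")
    build_sample(first, [R1, R2])
    build_sample(second, [R2, R3])
    return merge_pulls([first, second])

if __name__ == "__main__":
    cols, merged = demo()
    for row, source in merged.items():
        print(source, dict(zip(cols, row)))
```

Run it against working copies of each acquisition, never the original evidence files.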

Well the databases were helpful but I wish there was more location data. So I kept digging around and found some log files. In the /files/rotated_analytics/ folder there are a bunch of .gz files that contain log files. These log files are named with a Unix numeric (millisecond) date. Inside each .gz is a text log with JSON entries that is keeping a WHOLE lot of reporting data including date/times, device identifiers, when you connected to a tile device, and what SSID you were even broadcasting from. You also get latitude and longitude data here too! I'll be tossing these logs to my friend Alexis who I'm sure will be cooking up a tool to help us rip through them and map them out.



In this entry you can see I connected to a device "Backpack" while the application was actually in the background not actively being used and I was broadcasting from a "MicroTek" SSID.

In this entry you can see I was disconnecting from another device that I don't own, thus helping this user in the Tile mesh network hopefully track their device in the future.

Lots of location data! Since Tile works within Bluetooth range, you can now use these location points to see where my Pixel device was traveling.
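A first pass over one rotated_analytics file can be sketched as below. This is an added example, not the author's code or any published tool: it decodes the millisecond date in the file name and pulls coordinate pairs out of each JSON line. The JSON key names, event names and coordinates are assumptions constructed for the demo, since the post does not list the real field names.

```python
import gzip, json, os, re, tempfile
from datetime import datetime, timezone

# Key-name patterns are assumptions; the post does not list the JSON field names.
LAT = re.compile(r"(^|_)lat(itude)?$", re.I)
LON = re.compile(r"(^|_)(lon|lng|longitude)$", re.I)

def name_to_utc(path):
    """Read the 13-digit Unix millisecond date in the file name as UTC."""
    m = re.search(r"\d{13}", os.path.basename(path))
    if m is None:
        return None
    return datetime.fromtimestamp(int(m.group()) / 1000, tz=timezone.utc).isoformat()

def find_coords(obj):
    """Yield (lat, lon) from every nested object that holds a plausible pair."""
    if isinstance(obj, dict):
        lat = next((v for k, v in obj.items() if LAT.search(k)), None)
        lon = next((v for k, v in obj.items() if LON.search(k)), None)
        if (isinstance(lat, (int, float)) and isinstance(lon, (int, float))
                and abs(lat) <= 90 and abs(lon) <= 180):
            yield float(lat), float(lon)
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            yield from find_coords(item)

def parse_log(path):
    """Return (file time, coordinate pairs, count of lines that failed to parse)."""
    points, bad = [], 0
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in filter(str.strip, fh):
            try:
                points.extend(find_coords(json.loads(line)))
            except json.JSONDecodeError:
                bad += 1
    return name_to_utc(path), points, bad

def demo():
    """Write one constructed log (hypothetical keys and values) and parse it."""
    lines = [
        '{"event": "tile_connect", "name": "Backpack", "loc": {"latitude": 36.1, "longitude": -115.17}}',
        '{"event": "app_background", "ssid": "MicroTek"}',
        '{"event": "tile_disconnect", "tile_id": "constr',  # truncated entry
    ]
    path = os.path.join(tempfile.mkdtemp(), "1567123200000.gz")
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(lines))
    return parse_log(path)
```

The count of unparsed lines is returned rather than dropped so that truncated entries in a rotated file stay visible in the examiner's notes.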

Further research: These log files are storing a TON of information. Once I can get them parsed out a little cleaner I'll see what else I can rip through. I'm not done with that database yet either. I want to pin down on exactly how long or how many records I can get it to keep. And of course, iOS has a Tile app too. It's actually what made me start looking into Tile in the first place, I just had better access to share the Android side of it first. Expect a Tile post for iOS coming very soon as another one in my "Locating Location Data" series.

Oh, and if you're an AXIOM user, keep an eye out on the Artifact Exchange where I'll be uploading custom artifacts for the Tile database so we can get that nice location data plotted into World Map View very soon.

Earlier I also mentioned that you might want to get a search warrant ready. If you're doing an investigation into a device and see the user has Tile, you may want to use the user's ID (which is in those xml files and the database) and the device ID (again, database) to ask them for any stored location data. One of the devices (a phone) on my account hasn't been active on the app in months and is still showing me at least the last known location on that date and time so they're probably keeping a plethora of information. Just a thought.

