Thursday, 27 August 2020

Android - DJI Fly & The Pesky Problem of Preferences

 If you saw the other post on DJI Fly for iOS (link) I felt like I had to strap in my test Android and see if there was any major differences. To be honest from an app perspective, it's pretty much the same. At least for the good bits. 

Something I noticed when starting the test on Android that was different than on iOS. The device wanted me to trust and allow the application access to the RC. 


Some high level information to start: 

  • Not backed up as part of adb backup
  • You don't need a full file system to get the good data
  • Most information available in /sdcard/ (or /media/0/ if you want to get technical)
The app itself in question is DJI Fly from the Google Play store available here. As with all of my Android app analysis I start with the play store url. Now that I know the bundleID (dji.go.v5) I'm ready to start digging in. 

First, the quick image - aka - the ADB backup. Cue up the :SadTrombone: because it's not here. Whomp whomp. The entire app folder isn't even backed up as part of adb backup and to be honest I'm not surprised. 

So, what can we get without root? Turns out, everything we need! You can get this data from the "shared" information in the adb backup, or just by targeting "adb pull /sdcard/DJI" from the microSD or emulated storage area of your android device. (Again, /media/0/DJI if you want to get technical)

If you read the iOS post, you know that we want to find those fun .txt flight record files and media cache data. Those can be found right here within this directory. Starting with "/sdcard/DJI/dji.go.v5/FlightRecord" we can find all of the stored flight record files.



 Now, I only had 2 flights on my Android but the nice thing I realized is that DJI really believes in syncing data across your platforms. When I first fired up and logged in, the app asked if I wanted to bring my data over from previous devices. I did not because I wanted to keep the test data small and targeted for this device only. 



As with the iOS app, the Flight Record txt files can be exported into any number of tools whether you prefer to work online or offline. 


To find the media that was recorded you can still check for the logs for carved information as previously mentioned or head over to the Cache or DJI Fly folders within the /sdcard/DJI/dji.go.v5/ directory. 



Unfortunately it's time for the bad news. I was curious about the configuration information of the app. For this, I turned back to the /data/data/dji.go.v5 directory and started heading towards shared_prefs. NOTE: This was in the full filesystem image of the device as the app wasn't backed up as part of the Quick image. This is where things took an unexpected turn. The file names were there, and it looked like there was data to be had. 


When selecting the files though, the data was not what one would expect to find. 



I don't know about you guys, but that doesn't look like any XML file I've ever seen. 

Turns out, Android has a security setting that while has been around for awhile, I haven't seen implemented before. Allow me to direct your attention to this: 

Starting with Android version 6, Android has offered the ability to use the EncryptedSharedPreferences library. This allows the application developers to securely wrap the preference files using AES_256. Each of the preferences are encrypted with a keyset that is then further protected by using a primary key which is part of the Android keystore system. 

I was surprised to realize that this has been around for a while and yet it's the first time I've seen it. However, since it's here, it's something to be aware of for sure for future investigations. 

No comments:

Post a comment