
Thursday, 27 August 2020

Android - DJI Fly & The Pesky Problem of Preferences

If you saw the other post on DJI Fly for iOS (link) I felt like I had to strap in my test Android and see if there were any major differences. To be honest from an app perspective, it's pretty much the same. At least for the good bits.

Something I noticed when starting the test on Android that was different than on iOS: the device wanted me to trust and allow the application access to the RC.


Some high level information to start: 

  • Not backed up as part of adb backup
  • You don't need a full file system to get the good data
  • Most information available in /sdcard/ (or /media/0/ if you want to get technical)

The app itself in question is DJI Fly from the Google Play store available here. As with all of my Android app analysis I start with the Play Store URL. Now that I know the bundleID (dji.go.v5) I'm ready to start digging in.

First, the quick image - aka - the ADB backup. Cue up the :SadTrombone: because it's not here. Whomp whomp. The entire app folder isn't even backed up as part of adb backup and to be honest I'm not surprised. 

So, what can we get without root? Turns out, everything we need! You can get this data from the "shared" information in the adb backup, or just by targeting "adb pull /sdcard/DJI" from the microSD or emulated storage area of your Android device. (Again, /media/0/DJI if you want to get technical)

If you read the iOS post, you know that we want to find those fun .txt flight record files and media cache data. Those can be found right here within this directory. Starting with "/sdcard/DJI/dji.go.v5/FlightRecord" we can find all of the stored flight record files.



 Now, I only had 2 flights on my Android but the nice thing I realized is that DJI really believes in syncing data across your platforms. When I first fired up and logged in, the app asked if I wanted to bring my data over from previous devices. I did not because I wanted to keep the test data small and targeted for this device only. 



As with the iOS app, the Flight Record txt files can be exported into any number of tools whether you prefer to work online or offline. 


To find the media that was recorded you can still check the logs for carved information as previously mentioned or head over to the Cache or DJI Fly folders within the /sdcard/DJI/dji.go.v5/ directory.



Unfortunately it's time for the bad news. I was curious about the configuration information of the app. For this, I turned back to the /data/data/dji.go.v5 directory and started heading towards shared_prefs. NOTE: This was in the full filesystem image of the device as the app wasn't backed up as part of the Quick image. This is where things took an unexpected turn. The file names were there, and it looked like there was data to be had. 


When selecting the files though, the data was not what one would expect to find. 



I don't know about you guys, but that doesn't look like any XML file I've ever seen. 

Turns out, Android has a security setting that, while it has been around for a while, I haven't seen implemented before. Allow me to direct your attention to this:

Starting with Android version 6, Android has offered the ability to use the EncryptedSharedPreferences library. This allows the application developers to securely wrap the preference files using AES_256. Each of the preferences is encrypted with a keyset that is then further protected by using a primary key which is part of the Android keystore system.

I was surprised to realize that this has been around for a while and yet it's the first time I've seen it. However, since it's here, it's something to be aware of for sure for future investigations. 
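A quick way to triage an extracted shared_prefs directory for this situation, as an added example that is not part of the original post: it labels each file as plain XML, as an EncryptedSharedPreferences file, or as opaque non-XML data. The two keyset entry names come from the AndroidX library rather than from this page; the function names, the 7.0 bits-per-byte entropy threshold and the sample files are assumptions constructed for the example.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Entry names the AndroidX EncryptedSharedPreferences class uses to store its
# wrapped keysets inside the preference file itself.
ESP_KEYSETS = {
    "__androidx_security_crypto_encrypted_prefs_key_keyset__",
    "__androidx_security_crypto_encrypted_prefs_value_keyset__",
}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 looks like random data)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_pref(data: bytes) -> str:
    """Label one shared_prefs file by how its content is protected."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not XML at all: whole-file encryption or a custom container.
        return "opaque" if entropy(data) > 7.0 else "not-xml"
    if root.tag != "map":
        return "xml-other"
    names = {child.get("name") for child in root}
    if ESP_KEYSETS <= names:
        return "encrypted-shared-preferences"
    return "plain-xml"

def triage(shared_prefs_dir: str) -> dict:
    """Classify every file in an extracted shared_prefs directory."""
    return {p.name: classify_pref(p.read_bytes())
            for p in sorted(Path(shared_prefs_dir).iterdir()) if p.is_file()}

# Constructed samples, not taken from the DJI Fly image.
PLAIN = b"<map><boolean name='first_run' value='false' /></map>"
ESP = ("<map>" + "".join(f"<string name='{n}'>0a1b2c</string>" for n in ESP_KEYSETS)
       + "<string name='QUJDRA=='>RUZHSA==</string></map>").encode()
OPAQUE = bytes(range(256)) * 8
```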

Tuesday, 25 August 2020

iOS - App Research: DJI Fly

Of course you had to know it was coming if you follow me on Twitter. As soon as I got a drone you should know that one of two things is inevitable:

1. I'd almost immediately crash it. 

2. I'm going to pull apart the apps to fly it. 


Well, so far so good on #1, but it's time for #2!

I'm starting off with the DJIFly application on iOS: https://apps.apple.com/us/app/dji-fly/id1479649251

I recently picked up a Mavic Mini to play around with because my colleagues and friends keep telling me to "get a hobby" and "get away from the desk." Fair. So I bought a drone that forces me outside to play with it. (Plus I was already told I'm not allowed to chase the dog around the house, sadly)

Test environment: iPhone on iOS 13.6 running the latest version of DJI Fly. I'll be honest, I skipped the quick image on this one and didn't make an iTunes-style backup. I went straight to the full file system acquisition on this one. I have some more app research coming up for some other iOS apps so when I get around to that I'll be sure to take a quick image and compare. The good news is that basically you don't even NEED a quick image OR a full filesystem image. See the last note at the bottom for why.

Let's dig in!


Preference/User Info: 

I feel like I always start here. Mostly because it's usually an incredibly valuable source of information. So to begin, I'm going to look at the com.dji.golite.plist file found within the [APPGUID]/Library/Preferences/ directory. 

In here there's a key that's going to give us the user's email. Look for DJIACCOUNTMANAGER_LASTUSEREMAIL. 

There's some other information in here such as total distance (measured in meters), total flight time (measured in milliseconds), and the total number of flights taken.


There are also two separate binary plist files embedded into the preference plist that might be of use to you. The first can be found under the key FIND_AIRCRAFT_LAST_LOCATION > LAST_LOCATION


Pulling this plist out and opening it, it's an NSKeyedArchiver style plist that will give you the latitude and longitude. Since mine was last launched at my house, you'll have to trust me and go try and pull yours apart. Note: Longitude is listed first. Something I missed when I wondered how my drone was last seen in Antarctica...

In the DJICareData key there's another NSKeyedArchiver style binary plist. Pull it out and you'll find the device and gimbal serial number listed. 
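The two embedded archives described above (LAST_LOCATION and DJICareData) can be unpacked with Python's plistlib rather than by hand. This is an added example, not code from the original post: the function names are hypothetical, and the sample archive layout (an NSArray holding longitude, then latitude), the coordinates and the e-mail address are constructed assumptions.

```python
import plistlib
from plistlib import UID

def unarchive(blob: bytes):
    """Flatten an NSKeyedArchiver binary plist into plain Python objects."""
    archive = plistlib.loads(blob)
    objects = archive["$objects"]

    def resolve(node):
        if isinstance(node, UID):                 # pointer into $objects
            target = objects[node.data]
            return None if target == "$null" else resolve(target)
        if isinstance(node, dict):
            if "NS.keys" in node:                 # NSDictionary
                return {resolve(k): resolve(v)
                        for k, v in zip(node["NS.keys"], node["NS.objects"])}
            if "NS.objects" in node:              # NSArray / NSSet
                return [resolve(v) for v in node["NS.objects"]]
            return {k: resolve(v) for k, v in node.items() if k != "$class"}
        return node

    return resolve(archive["$top"]["root"])

def last_location(pref_plist: bytes):
    """Return (latitude, longitude) from the embedded LAST_LOCATION archive."""
    prefs = plistlib.loads(pref_plist)
    blob = prefs["FIND_AIRCRAFT_LAST_LOCATION"]["LAST_LOCATION"]
    lon, lat = unarchive(blob)[:2]                # longitude is stored first
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError(f"implausible coordinates: lat={lat} lon={lon}")
    return lat, lon

# Constructed sample: the archive layout (an NSArray of two doubles) is an
# assumption made for this example, not the layout observed in the app.
_archive = {
    "$archiver": "NSKeyedArchiver", "$version": 100000,
    "$top": {"root": UID(1)},
    "$objects": ["$null",
                 {"NS.objects": [UID(2), UID(3)], "$class": UID(4)},
                 -122.4194, 37.7749,
                 {"$classname": "NSArray", "$classes": ["NSArray", "NSObject"]}],
}
SAMPLE_PREFS = plistlib.dumps({
    "DJIACCOUNTMANAGER_LASTUSEREMAIL": "pilot@example.com",
    "FIND_AIRCRAFT_LAST_LOCATION": {
        "LAST_LOCATION": plistlib.dumps(_archive, fmt=plistlib.FMT_BINARY)},
}, fmt=plistlib.FMT_BINARY)
```

The same `unarchive` call works on the blob under the DJICareData key; the range check in `last_location` catches a swapped pair whenever the longitude exceeds 90 degrees in magnitude.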

Oh BTW, if you're using Magnet AXIOM take a look in the iOS App Cache artifact for the URL: https://mydjiflight.dji.com/api/v2/flight_log/profile?user_id=
The numeric value at the end matches what I blacked out in the first screenshot. This is the numerical ID for the user account that could be used if you're requesting information direct from DJI. 

Flight Log Info: 

I feel like this is really the part you probably came for but I can't lead with that info right? Here's the good news/bad news. The DJI Fly kept some absolutely AWESOME flight records in the iOS app. The bad news, they're encoded/encrypted. Good news: there's a free tool for that. 

First the files. There are .DAT and .TXT files both of which have good information. Let's start with the TXT files. These can be found in Documents/FlightRecords/. To look at these .txt files I'll be using CsvView Introduction found at http://www.datfile.net/CsvView/intro.html

Once you load them in there's an absolute TON of information such as serial numbers, speed, event logs, and literally a nice little set of all the flight paths on here. I use the GeoPlayer button to review this. Here's a little flight I had with the kids around a local park.

If you want something a little fancier like seeing all of the photos and videos and where they were taken as well, there are some other free tools for that. Most rely on using an online service so your mileage may vary on the ability to use these. I checked out https://flightlogs.de/convert and thought it was pretty nice. It will generate a KML file for Google Earth.

Captured Media

Now let's wrap up by looking at the media that was captured. Depending upon your investigation into the app, you may care about the pictures and/or video files that were captured. Well, here's a fun fact, there's a lot of information cached in the app even if you don't download it from your device! 

While thumbnails can be carved from several different places, focus on the Documents/videoCache for Video files and Documents/veMediaLibrary for Pictures. I recommend this directory for pictures because that's where I found the most EXIF data including geolocation, software/model numbers, and serial number (for the gimbal, NOT the drone). 


Oh btw, the log files (even though they can't be natively read) do contain pictures that were taken and can be easily carved out. This could be beneficial if the media files were deleted but the flight log was not. 


One last note about the media. The video files didn't have a lot of EXIF data sadly. :sadTrombone: 


Last Note: 
What if you don't have a full filesystem? No worries! ALMOST all of the fun stuff I showed you above is available straight from the device without even making an image at all! Got iTunes or a macOS device? Just go in to the device and click Files (depending upon if you're using iTunes or macOS Finder [10.15+]) then take a look at this:

FlightRecords? Check
Logs? Check
veMediaLibrary? Check
videoCache? Check


Until next time folks! [When I most likely just rip apart the same exact app for Android to see if there's anything majorly different]