An introductory forensic study
The augmented reality game everyone is talking about is taking the streets by storm, and with over 9.5 million active users playing it every day it is by far one of the most popular apps of all time. But is this monster mobile attraction breaching the privacy of the gamers playing it? With more and more reports of privacy violations, we here at IntaForensics take a sneak peek at what information is actually stored within the app, through the eyes of our expert forensic analyst.
For the purpose of the test we examined two mobile phones, one running iOS and one running Android: an Apple iPhone 5 and a Samsung Galaxy S6 Edge. Both phones were taken from gamers who had used the app frequently over the previous three weeks.
The iPhone 5 was examined first. An XRY logical extraction of the device was undertaken and the following files were identified:
- Two document files – com.nianticlabs.pokemongo.plist and com.nianticlabs.pokemongo.pushstore
- Three database files – AssociationMap_v1_0.sqlite, UpsightDefaults_v1_0.sqlite and DefaultDataStore_v1_0.sqlite
- 59 blob files – a series of encrypted or encoded files stored at /private/var/mobile/Containers/Data/Application/com.nianticlabs.pokemongo/Documents/bundles
Opening com.nianticlabs.pokemongo.plist in a free plist viewer quickly showed that user information is stored unencrypted:
Device information, the OS version, the device ID, network information and, more worryingly, the username of the Pokémon Go account were immediately visible. From a forensic viewpoint, this information came from a simple logical extraction; no decryption was needed. The flip side is that it is readable by anyone who can obtain such an extraction, and in the wrong hands it exposes the gamer to account compromise and privacy risks.
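A quick way to confirm this kind of finding on any preference plist, and to make sure a binary-encoded plist is not mistaken for "encrypted", is to parse it programmatically. The script below is an added example written for this post, not IntaForensics' tooling or anything from the app itself: it loads a plist in either XML or binary form with Python's plistlib, flattens it and flags leaves that look like identifiers. The sample plist and its key names are constructed for the demonstration and are not the real file's keys.

```python
"""Triage an app-container plist for identifiers, whatever its on-disk encoding.

Added example for this post, not IntaForensics' tooling or the app's code.
iOS preference plists may be XML or binary; plistlib parses both, so the
finding does not depend on the encoding.  SAMPLE and its keys are constructed.
"""
import plistlib
import re
from typing import Any, Dict

# Constructed sample shaped like a preferences plist; not the real file's keys.
SAMPLE: Dict[str, Any] = {
    "DeviceInfo": {"model": "iPhone5,2", "os": "iOS 9.3.2"},
    "DeviceID": "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D",
    "Network": {"carrier": "ExampleNet", "type": "LTE"},
    "Trainer": {"username": "trainer_example", "login_email": "trainer@example.org"},
    "LaunchCount": 42,
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
HEX_ID_RE = re.compile(r"^[0-9a-f]{32,40}$", re.I)      # UDID/IDFV-length hex strings
IDENTITY_KEY_RE = re.compile(r"user(name)?|email|account|login", re.I)


def sample_bytes(binary: bool) -> bytes:
    """Serialise SAMPLE as a binary or XML plist, the two encodings found on devices."""
    fmt = plistlib.FMT_BINARY if binary else plistlib.FMT_XML
    return plistlib.dumps(SAMPLE, fmt=fmt)


def load_plist(raw: bytes) -> Dict[str, Any]:
    """plistlib sniffs the 'bplist00' magic itself; no format hint is needed."""
    return plistlib.loads(raw)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts/arrays into dotted keys so every leaf can be screened."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def find_identifiers(flat: Dict[str, Any]) -> Dict[str, str]:
    """Map dotted key -> reason for string leaves that look like user or device identifiers."""
    hits: Dict[str, str] = {}
    for key, value in flat.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.match(value):
            hits[key] = "email"
        elif HEX_ID_RE.match(value):
            hits[key] = "hex_id"
        elif IDENTITY_KEY_RE.search(key):
            hits[key] = "identity key"
    return hits


def triage(raw: bytes) -> Dict[str, str]:
    """Parse, flatten and screen a plist in one call."""
    return find_identifiers(flatten(load_plist(raw)))


if __name__ == "__main__":
    for binary in (False, True):
        print("binary" if binary else "xml", triage(sample_bytes(binary)))
```

Both encodings flatten to the same key/value map, which is the point: the binary form is an encoding, not a protection, and the same screening applies to it.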
Analysing the database files, within DefaultDataStore_v1_0.sqlite I could see hits for user timestamps, PokéCoins and avatar items; these findings remain inconclusive, as there is clearly more to it and more research is required. Many of the tables in this database are named upsight.logdata; a quick search showed that Upsight is an analytics SDK that developers use to track user behaviour and improve engagement. We are still investigating this, because establishing exactly what user behaviour is stored will tell us how far privacy is affected, if at all.
Taking a look at the bundle files stored at /private/var/mobile/Containers/Data/Application/com.nianticlabs.pokemongo/Documents/bundles, we believe these can contain the most useful information, but frustratingly they are not viewable in a human-readable format. Despite several attempts to read the data using a variety of forensic tools and techniques, the content appears to be encrypted or encoded. The distinction matters: compressed or merely encoded data can be reversed without any key, whereas ciphertext cannot, and an entropy measurement together with a check for known file headers is the quickest way to tell the cases apart.
That said, we have established that each of these bundle files holds a timestamp, and the timestamps match the times the gamer was using the application. Without a doubt much more research is required in this area, but for the forensic investigator these timestamps could hold vital information in a case that relies on understanding an individual's behaviour at a particular time.
Being fairly confident that these bundle files were created while the user was playing, i.e. that they are user-generated data, we decided to invest in another Apple test device and carry out a logical extraction immediately after the app was first installed. The aim was to separate the files the app creates on its own from those that result from use. Our assumption held: the screenshot of the second extraction shows the same database and document files, but no bundle files at the path above, and the databases, when opened, hold very little data. This supports the earlier reading, and we can't wait to delve deeper into it.
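"Encrypted or encoded" is worth pinning down before more examiner time is spent on a file. The script below is an added example for this post, not the app's code or any forensic tool's: it measures Shannon entropy and checks for gzip and zlib headers to give an opaque file a first-pass label. All inputs are constructed (a repeated log line, its base64, zlib and gzip forms, a uniform byte sequence and a deterministic pseudo-random blob standing in for ciphertext); none are bytes from the bundle files.

```python
"""First-pass label for an opaque file: text, base64, zlib, gzip, or high entropy.

Added example for this post, not the app's code or any forensic tool's.
All inputs in sample_inputs() are constructed; none are bytes from the bundles.
"""
import base64
import gzip
import hashlib
import math
import string
import zlib
from collections import Counter
from typing import Dict

BASE64_BYTES = set((string.ascii_letters + string.digits + "+/=\r\n").encode())
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext and headerless compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Header checks first (cheap and exact), then entropy and character-class heuristics."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    # zlib stream: CM=8 (deflate) in the low nibble and a 16-bit header divisible by 31.
    if len(data) >= 2 and (data[0] & 0x0F) == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
        return "zlib"
    if not data:
        return "empty"
    h = shannon_entropy(data)
    if all(b in BASE64_BYTES for b in data) and h <= 6.0:   # 64 symbols -> at most 6 bits/byte
        return "base64-like text"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)
    if printable > 0.95:
        return "text"
    if h > HIGH_ENTROPY:
        return "high entropy: encrypted, or compressed without a recognisable header"
    return "binary, structured"


def sample_inputs() -> Dict[str, bytes]:
    """Constructed inputs covering each class the labeller knows about."""
    text = b"constructed log line: session_start 2016-07-20T21:51:14\n" * 40
    return {
        "plain": text,
        "base64": base64.b64encode(text),
        "zlib": zlib.compress(text),
        "gzip": gzip.compress(text),
        # Every byte value once: maximal entropy with no randomness at all.  Shows that
        # entropy alone says "uniform", not "encrypted"; it is a filter, not a proof.
        "uniform": bytes(range(256)) * 16,
        # Deterministic pseudo-random bytes standing in for ciphertext.
        "random": hashlib.shake_256(b"constructed-seed").digest(4096),
    }


if __name__ == "__main__":
    for name, data in sample_inputs().items():
        print(f"{name:8} entropy={shannon_entropy(data):.2f} -> {classify(data)}")
```

A "zlib" or "gzip" label means the file is worth a second look with a decompressor before concluding anything about encryption; a high-entropy label with no header is where the "encrypted" conclusion starts to be defensible, and even then the uniform-bytes case shows why it is an inference rather than a certainty.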
The extraction was then analysed with UFED Physical Analyzer in the hope of obtaining location information, as in our experience this tool handles location history better than other forensic software. Unfortunately, it provided no additional information.
Android Analysis:
For the Android analysis, a physical image of a Samsung Galaxy S6 Edge handset was taken, with the following findings:
Unlike on the iOS device, the folder structure for the Pokémon Go app is completely different: there are five folders.
Within the cache folder, a file called "gtc" was identified; it was quickly recognised as a SQLite database, although the extraction tool had not identified it as one. The cached tables within contained further timestamps; one, decoded with MFT Stampede, gave Fri, 15 Jul 2016 04:34:05, a time at which the app was likely in use.
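Decoding a lone number with a timestamp tool is the manual version of a check that can be run over a whole unknown database: try every numeric cell against the encodings mobile apps commonly use and keep the readings that land inside a plausible window. The script below is an added example for this post, not IntaForensics' tooling or the app's code, and not a substitute for a validated decoder. The in-memory database it builds is constructed; only the value 1468557245 is chosen so that it decodes to the 15 Jul 2016 04:34:05 quoted above. The epochs, the 2010-2030 window and the table names are assumptions for the demonstration.

```python
"""Carve plausible timestamps out of an unknown SQLite database.

Added example for this post, not IntaForensics' tooling or the app's code, and
not a substitute for a validated decoder.  The database is constructed; only the
value 1468557245 is chosen so that it decodes to the time quoted in the article.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc
# encoding name -> (epoch, seconds per unit): the encodings mobile apps most often use.
ENCODINGS: Dict[str, Tuple[datetime, float]] = {
    "unix_s":    (datetime(1970, 1, 1, tzinfo=UTC), 1.0),
    "unix_ms":   (datetime(1970, 1, 1, tzinfo=UTC), 1e-3),
    "cocoa_s":   (datetime(2001, 1, 1, tzinfo=UTC), 1.0),    # Apple absolute time
    "webkit_us": (datetime(1601, 1, 1, tzinfo=UTC), 1e-6),   # Chrome/WebKit microseconds
}
# Only decodings inside this window are reported; anything else is treated as a plain number.
WINDOW = (datetime(2010, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))


def decode(raw: float) -> List[Tuple[str, str]]:
    """Every (encoding, 'YYYY-MM-DD HH:MM:SS UTC') reading of raw that falls in WINDOW.

    Bounds are compared as numbers first, so a huge value never overflows datetime."""
    out = []
    for name, (epoch, unit) in ENCODINGS.items():
        lo = (WINDOW[0] - epoch).total_seconds() / unit
        hi = (WINDOW[1] - epoch).total_seconds() / unit
        if lo <= raw < hi:
            when = epoch + timedelta(seconds=raw * unit)
            out.append((name, when.strftime("%Y-%m-%d %H:%M:%S UTC")))
    return out


def carve_timestamps(conn: sqlite3.Connection) -> List[Tuple[str, str, float, str, str]]:
    """(table, column, raw, encoding, decoded) for every numeric cell that decodes in WINDOW."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'   # names come from the file: quote them
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({quoted})")]
        for row in conn.execute(f"SELECT * FROM {quoted}"):
            for column, value in zip(columns, row):
                if isinstance(value, (int, float)) and not isinstance(value, bool):
                    for encoding, decoded in decode(value):
                        hits.append((table, column, value, encoding, decoded))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a cache database: three tables, three timestamp encodings."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cache  (key TEXT, value BLOB, ts INTEGER);
        CREATE TABLE events (id INTEGER PRIMARY KEY, kind TEXT, when_ms INTEGER);
        CREATE TABLE prefs  (name TEXT, cocoa REAL, count INTEGER);
        INSERT INTO cache  VALUES ('gtc_entry', x'DEADBEEF', 1468557245);
        INSERT INTO events VALUES (1, 'session_start', 1469051474260);
        INSERT INTO prefs  VALUES ('install', 490250045.5, 7);
    """)
    return conn


if __name__ == "__main__":
    for hit in carve_timestamps(build_sample_db()):
        print(hit)
```

The window does the real work: the same integer reads as a sensible date in at most one encoding once implausible years are discarded, which is why small counters such as the `id` and `count` columns produce no hits. Widen the window and ambiguity returns, so the range should be tied to the case, not left at a default.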
As with the Apple device analysed above, the registered account email address is clearly visible, located in the shared_prefs folder in the XML file com.nianticlabs.pokemongo.PREFS.
In the same folder we find another file, com.crittercism.5644ec0f8d4d8c0a00d081f1.usermetadata (Crittercism is a third-party crash-reporting and app-performance SDK), which contains the username.
Similarly, in another file in the same folder we can see the hashed device ID, session usage timestamps and the time the app was installed. Although within Android this user-related information is spread across several files, all of it is easy to view and, if obtained by the wrong person, could leave the user of the app exposed to privacy risks.
Furthermore, the "files" folder contains a subfolder called "com.crittercism" with some interesting contents.
Looking at the files within these folders, we can establish a pattern used by the application; the relevant files sit in the "current_bcs" folder.
Opening each file in chronological order in Notepad yields a collection of the events that have occurred:
- ["session_start","2016-07-20T21:51:14.260 0000"]
- ["Sent RPC(2) GET_PLAYER","2016-07-20T21:51:14.446 0000"]
- ["Sent RPC(3) GET_PLAYER","2016-07-20T21:51:14.448 0000"]
- ["Sent RPC(4) GET_PLAYER","2016-07-20T21:51:15.429 0000"]
- ["Sent RPC(5) GET_PLAYER","2016-07-20T21:51:17.448 0000"]
- ["Sent RPC(6) GET_PLAYER","2016-07-20T21:51:21.455 0000"]
- ["RootState(Clone) transitioned to child state LoginState (Niantic.Holoholo.Login.LoginState)","2016-07-20T21:52:14.141 0000"]
- ["LoginState transitioned to child state LoginChoiceState (Niantic.Holoholo.Login.LoginChoiceState)","2016-07-20T21:52:15.270 0000"]
- ["Sent RPC(17) DOWNLOAD_REMOTE_CONFIG_VERSION","2016-07-20T21:52:46.691 0000"]
- ["Sent RPC(18) GET_ASSET_DIGEST","2016-07-20T21:52:47.416 0000"]
- ["App Load",7,3600,null,{},"2016-07-20T21:49:22.121 0000","2016-07-20T21:51:14.251 0000",0]
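Rather than open each file in Notepad, records of this shape can be parsed as JSON and sorted on the embedded timestamp, which also exposes gaps in the RPC counter where records are missing (the jump from RPC(6) to RPC(17) above). The script below is an added example for this post, not Crittercism's, Niantic's or IntaForensics' code. The records are constructed to match the shapes printed above, and the trailing " 0000" is treated as a "+0000" UTC offset whose sign was lost in extraction, which is an assumption.

```python
"""Rebuild a timeline from per-event JSON records like those under com.crittercism/current_bcs.

Added example for this post, not Crittercism's, Niantic's or IntaForensics' code.
The records are constructed to match the shapes printed in the article.  Assumption:
a trailing " 0000" is a "+0000" UTC offset whose sign was lost in extraction.
"""
import json
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})[ +-]?(\d{4})$")
RPC_RE = re.compile(r"Sent RPC\((\d+)\) (\w+)")


def sample_files() -> Dict[str, str]:
    """Constructed file name -> contents; the 'App Load' record is deliberately stored last."""
    return {
        "f01": '["session_start","2016-07-20T21:51:14.260 0000"]',
        "f02": '["Sent RPC(2) GET_PLAYER","2016-07-20T21:51:14.446 0000"]',
        "f03": '["Sent RPC(3) GET_PLAYER","2016-07-20T21:51:14.448 0000"]',
        "f04": '["Sent RPC(4) GET_PLAYER","2016-07-20T21:51:15.429 0000"]',
        "f05": '["Sent RPC(5) GET_PLAYER","2016-07-20T21:51:17.448 0000"]',
        "f06": '["Sent RPC(6) GET_PLAYER","2016-07-20T21:51:21.455 0000"]',
        "f07": '["RootState(Clone) transitioned to child state LoginState '
               '(Niantic.Holoholo.Login.LoginState)","2016-07-20T21:52:14.141 0000"]',
        "f08": '["LoginState transitioned to child state LoginChoiceState '
               '(Niantic.Holoholo.Login.LoginChoiceState)","2016-07-20T21:52:15.270 0000"]',
        "f09": '["Sent RPC(17) DOWNLOAD_REMOTE_CONFIG_VERSION","2016-07-20T21:52:46.691 0000"]',
        "f10": '["Sent RPC(18) GET_ASSET_DIGEST","2016-07-20T21:52:47.416 0000"]',
        "f11": '["App Load",7,3600,null,{},"2016-07-20T21:49:22.121 0000",'
               '"2016-07-20T21:51:14.251 0000",0]',
    }


def parse_ts(value: str) -> Optional[datetime]:
    """Parse a record timestamp; a space or no sign before the offset is read as '+'."""
    m = TS_RE.match(value)
    if not m:
        return None
    base, offset = m.groups()
    sign = "-" if value[len(base)] == "-" else "+"
    return datetime.strptime(f"{base}{sign}{offset}", "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_event(raw: str) -> Tuple[str, datetime, List[datetime]]:
    """(event name, event time, all timestamps).  Records vary in length ('App Load' carries
    extra fields and two stamps), so every string element is tried and the first stamp wins."""
    record = json.loads(raw)
    if not isinstance(record, list) or not record or not isinstance(record[0], str):
        raise ValueError("unexpected record shape")
    stamps = [t for t in (parse_ts(x) for x in record[1:] if isinstance(x, str)) if t]
    if not stamps:
        raise ValueError("record carries no timestamp")
    return record[0], stamps[0], stamps


def build_timeline(files: Dict[str, str]) -> List[Tuple[datetime, str, str]]:
    """Sorted (time, event, source file): order comes from the embedded time, not the file name."""
    rows = []
    for name, raw in files.items():
        event, when, _ = parse_event(raw)
        rows.append((when, event, name))
    return sorted(rows)


def rpc_sequence(timeline: List[Tuple[datetime, str, str]]) -> List[Tuple[int, str]]:
    """(counter, method) for every 'Sent RPC(n) METHOD' event, in time order."""
    seq = []
    for _, event, _ in timeline:
        m = RPC_RE.search(event)
        if m:
            seq.append((int(m.group(1)), m.group(2)))
    return seq


def rpc_gaps(seq: List[Tuple[int, str]]) -> List[Tuple[int, int]]:
    """Adjacent counters that skip values: RPCs that were sent but have no record here."""
    ids = [n for n, _ in seq]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


if __name__ == "__main__":
    timeline = build_timeline(sample_files())
    for when, event, name in timeline:
        print(when.isoformat(), name, event)
    print("RPC gaps:", rpc_gaps(rpc_sequence(timeline)))
```

Two things fall out of this that reading the files by hand would not show reliably: the "App Load" record belongs at the start of the timeline even though its file may sit anywhere in the folder, and the counter gap (6 to 17) quantifies how many RPC records are absent from what was recovered. Any offset between these times and local time, such as the five hours noted below, is applied once at reporting, not by editing the records.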
As there are so many files, it was not practical to note every command in this report, but piecing together the commands found, along with the timestamps (which appear to have an offset of about five hours), we can infer that the following events occurred:
- Application loads
- Session starts
- Pokémon encounters
- Pokémon Captures
- Pokémon additions
- Application errors
- Caught Pokémon
From this small glimpse we can see that the exact actions carried out by the user are recorded to the second. For the computer forensic investigator this is particularly useful, as it could indicate exactly what a user was doing and at what time, provided the offset noted above is accounted for. If it were alleged that somebody was committing a crime at a particular time but the app's record of activity did not match, this data could assist a case tremendously. For both the iOS and Android extractions, EnCase was also used to carry out a keyword search for locations, as neither test device yielded much location information; unfortunately this also failed to produce any leads, and the question remains open for further analysis.
As research progresses, we aim to look further into the blob files discovered earlier, as we believe these contain a lot of useful user-related information. We also aim to look further into location history, possibly through analysis of Google Maps data and of RAM (Random Access Memory), to see whether geo-locations are held in memory while the phone remains powered on.
IntaForensics hopes this study gives a sneak peek at the forensics behind the Pokémon Go app: how, what and where data is stored, the benefits to the forensic investigator and the potential privacy risks involved, and opens up a whole new adventure to explore in the very near future.
If you have a case involving mobile forensics, call IntaForensics today on 0247 771 7780 or email info@intaforensics.com.