I was taking a look at the /data/data/ directory on the Droid and here are some interesting items:
Contact database
- /data/data/com.android.providers.contacts/database/contacts2.db (thank goodness it’s not contacts1.db)
- Combines data from Google, Exchange, Facebook and more
- table status_updates has date/time and status update from contacts in your Contact list and Facebook
- table raw_contacts has info about source of contact and other items
- Is a fairly normalized database *until* you look at table data which has columns data1 – data15!
- Call logs are stored in Calls table
Motorola and passwords
- Kudos to Motorola for being one of the few companies that do not seem to store passwords in plain text. Example is /data/data/com.motorola.calendar/databases/motosync.db which has account info but Exchange password is not in plain text (maybe just a by-product of the ActiveSync protocol?)
Geolocation
- Table /data/data/com.android.browser/app_geolocation/CachedPosition.db does just what you think it does (if the user gives permission). Provides latitude, longitude, altitude, accuracy, altitudeAccuracy, heading, speed and time stamp (gotcha). The altitude, speed and heading were not populated.
- I was going to post the longitude/latitude but then I checked it and, wow, was it accurate. So, you’ll just have to wonder where I (I mean my phone) was last night at 1260500133.
- Oddly enough, the time stamp has 3 extra digits from the standard Unix Epoch…have to figure out why.
- Only 1 record was allocated in the database so apparently it only holds on to the last one. I’ll have to check the database for deleted records.
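Added example (not part of the original post): three extra digits are what a millisecond-resolution epoch value looks like, which is how Java and Android commonly record time. The script below opens a copy of CachedPosition.db read-only and decodes the time stamp whether it is in seconds or milliseconds; the table name CachedPosition and the column name timestamp are assumptions, and the sample row is constructed.

```python
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timezone
from pathlib import Path

# Assumed names: the post lists the columns but not the table name, and
# "timestamp" is a guess at how the "time stamp" column is spelled.
TABLE = "CachedPosition"
COLUMNS = ("latitude", "longitude", "altitude", "accuracy",
           "altitudeAccuracy", "heading", "speed", "timestamp")

def epoch_to_utc(value):
    """Decode a Unix epoch given in seconds (10 digits) or milliseconds (13)."""
    value = int(value)
    # 12+ digits read as seconds would land thousands of years in the future,
    # so treat them as milliseconds and keep the sub-second part.
    if len(str(abs(value))) >= 12:
        seconds, millis = divmod(value, 1000)
    else:
        seconds, millis = value, 0
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return stamp.replace(microsecond=millis * 1000)

def read_cached_positions(db_path):
    """Read every cached position from a working copy without modifying it."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # read-only open
    with closing(sqlite3.connect(uri, uri=True)) as con:
        con.row_factory = sqlite3.Row
        rows = con.execute(f"SELECT {', '.join(COLUMNS)} FROM {TABLE}").fetchall()
    records = []
    for row in rows:
        rec = dict(row)  # unpopulated columns (altitude, speed, heading) are None
        rec["utc"] = epoch_to_utc(rec["timestamp"]).isoformat()
        records.append(rec)
    return records

def build_sample(db_path):
    """Constructed stand-in for a database copied off a device."""
    with closing(sqlite3.connect(db_path)) as con:
        con.execute(f"CREATE TABLE {TABLE} ({', '.join(COLUMNS)})")
        con.execute(f"INSERT INTO {TABLE} VALUES (?,?,?,?,?,?,?,?)",
                    (0.0, 0.0, None, 75.0, None, None, None, 1260500133412))
        con.commit()

if __name__ == "__main__":
    sample = str(Path(tempfile.mkdtemp()) / "CachedPosition.db")
    build_sample(sample)
    for record in read_cached_positions(sample):
        print(record)
```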
Exchange attachments
- Attachments from Exchange seem to be stored internally vs. the SD Card. Found mine at /data/data/com.android.email/databases/1.db_att as numbered files. I had 3, a PDF, vCard and a .wav file.
Who else is tracking you…besides Google?
- I’m now seeing a database in several applications (not to pick on the apps because they are really good but they are NewsRob and Twidroid) called google_analytics.db. The database contains what I suspect is the application provider’s Google Analytics ID. I don’t know how I feel about this…Google gets enough about me but I wonder what they or the app provider are tracking…maybe it’s all generic. Below are the columns in the database so you can see the information stored is pretty detailed:
- CREATE TABLE events ( 'event_id' INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, 'user_id' INTEGER NOT NULL, 'account_id' CHAR(256) NOT NULL, 'random_val' INTEGER NOT NULL, 'timestamp_first' INTEGER NOT NULL, 'timestamp_previous' INTEGER NOT NULL, 'timestamp_current' INTEGER NOT NULL, 'visits' INTEGER NOT NULL, 'category' CHAR(256) NOT NULL, 'action' CHAR(256) NOT NULL, 'label' CHAR(256), 'value' INTEGER, 'screen_width' INTEGER, 'screen_height' INTEGER);
Bone-head security award goes to /data/data/com.android.email/databases/EmailProvider.db
- OK, now I’m really ANNOYED. So, /data/data/com.android.email/databases/EmailProvider.db has your Exchange password in plain text. Nice. Lots of other email content in there (and that’s fine). But really, plain text, guys?
User Dictionary
- User dictionary stored at /data/data/com.android.providers.userdictionary/databases/user_dict.db and could be useful in some investigation.
Device/User settings
- Lots of user/device settings in /data/data/com.android.providers.settings/databases/settings.db
If you made it this far, thanks for bearing with my brain stream. I didn’t have much time to spend on this right now so I just grabbed a few interesting ones. We’re developing techniques to do more structure analysis on the data, applications, etc. so stay tuned. You can sign up for updates on our Android Forensics page. Also, we offer training so drop us a line if interested.
