Enabling the forensic study of application-level encrypted data in Android via a Frida-based decryption framework

The forensic study of mobile apps that use application-level encryption requires the decryption of the data they generate. Such a decryption requires the knowledge of the encryption algorithm and key. Determining them requires, however, a quite complex analysis that is time-consuming, error prone, and often beyond the reach of many forensic examiners. In this paper, we tackle this problem by devising a framework able to automate the decryption of these data when third-party encryption libraries or platforms are used. Our framework is based on the use of dynamic instrumentation of app’s binary code by means of hooking, which enables it to export the plaintext of data after they have been decrypted by the app, as well as the corresponding encryption key and parameters. This framework has been conceived to be used only with test devices used for forensic study purposes, and not with devices that need to be forensically analyzed. We describe the architecture of the framework as well as the implementation of its components and of the hooks supporting three prominent and popular encryption libraries, namely SQLCipher, Realm and Jetpack Security. Also, we validate our framework by comparing its decryption results against those published in the literature for Wickr Me, Signal, Threema, and Element.