Hello! Welcome to my first post 🫣!

Hello GIF

Throughout college, I didn’t get to work on personal projects as much as I wanted to but now that I’ve graduated, I get to dive deeper into the world of digital forensics on my own time. This is a personal project that I started around May 2024 and this blog post serves as an introduction to my series: Android Forensics: APK Downgrades. My main motivation for doing this is making sure I continue to push myself to do the things I enjoy. This topic in particular will also challenge me to learn new things and go outside of my comfort zone. As I continue to make progress on this project, I will be releasing more posts on my website.

This Project

Android Newbie

As someone who has been an iPhone user my whole life, there was a learning curve to understanding Android mobile devices. Some important things to note relevant to this project:

Android Package Kit (APK)

APK is a file format (.apk) used by the Android operating system ‘to bundle and distribute applications’ meaning it contains all necessary components to install and run an application on an Android device. Opening this file gives you instructions to install the app on your phone as well as additional metadata. APK files have a variety of uses beyond what its used for in this project.

Android Debug Bridge (ADB)

Understanding this becomes relevant when I briefly discuss ADB backups. It’s a command line tool meant for backing up and restoring data by taking a snapshot of the Android devices app data, system settings, etc. By doing so, users’ data becomes transferable between different ‘states’ (like an older versus newer version of an app hint hint wink wink).

Bootloaders

A bootloader is an image file that provides instructions for the kernel. These instructions will always run once you power on your device. If the bootloader is locked you are restricted from accessing the kernel and system files that make it possible to perform certain actions like flashing custom binaries.

Rooting

Rooting a device essentially provides you with administrative access to your file system. This means you can perform actions like modifying or uninstalling system apps/files and more. In this project, having an unlocked bootloader is necessary to root the phone.

What does an ADB Backup and APK Downgrade do?

An APK downgrade is the process of installing an older version of an app on top of a newer/existing version that you have running while maintaining the app’s data and settings. By doing this, you are able to extract data such as folders and files from the downgraded application that may be useful in certain scenarios.

In some newer versions of applications, data is not included in a backup. Performing an ADB backup in addition to an APK downgrade will allow the creation of backups that were inaccessible in the ‘current’ version of the application that was being run on the device so that we can now extract valuable data.

For example, let’s take WhatsApp. WhatsApp stores its chat databases in a sandbox. On newer Android devices, this chat database is excluded from ADB backups and so root access is required to access it. So how would you be able to access the WhatsApp data? Since older WhatsApp versions don’t have an encryption functionality/requirement, we can attempt a downgrade and get an unencrypted backup file to extract the chat data we want.

However, even though this is a relatively safe method, there are caveats and downfalls to conducting a downgrade. Downgrades are not supported on newer Android devices and so you are restricted to certain device models and versions when doing this. Additionally, there is potential for data loss, data misinterpretation, damage, and more. Knowing this, you should take precautionary steps like backing up your data in case this happens to you. It’s also important that you revert to the original version after you’re done.

My Plan

Before getting into the nitty-gritty of the project, I did a lot of research to ensure I had the proper background on the topic. Mobile forensics is less mature than computer forensics and there are several nuances that distinguish the two. This was my first time doing something mobile forensics related so I took the following (FREE) Hexordia classes before doing anything else: HEX-110/HEX-111 - Mobile Forensics Fundamentals 1 & 2, HEX-140 - Creating Mobile Test Data, and HEX-150 - Mobile Device Preservation. If this is something you’re interested in, I highly recommended taking a look at these resources!

For this purpose of this project, I will be using an Global Google Pixel 6a Version GX7AS that is unlocked. Having an unlocked bootloader is required for getting root access on an Android devices. Other Android devices can be used for this project however the version and model number of the device plays an important part in making sure it’s compatible with what you’re trying to achieve.

Google Pixel 6a Version

Additionally, from research I’ve done, it seems like APK downgrades are mainly done through the use of a forensics tool such as Belkasoft X due to how complicated it is to do. By having a tool to do this, it becomes useful by saving a forensic investigator time during an investigation. However, in this project, I will be doing the downgrade manually to understand the ins and outs of this process.

Conclusion

The end! I hope you enjoyed this post! The next posts in this series will explore manual APK downgrades and provide a step by step of the process. Please feel free to let me know if anything is inaccurate or missing something. Any feedback/advice is welcome! Until the next one! 🫡

Knowledge is power GIF

Special Acknowledgements 💌

I’d like to give a special thanks to my mentor, Jessica Hyde, for her support and guidance throughout this project. I’d also like to thank Bradley Harker for being at my side to help me develop my website and for always supporting my endeavors.

Android Forensics: APK Downgrades - An Introduction