Sunday, 14 April 2024

[EN] android app analysis kleinanzeigen.de (com.ebay.kleinanzeigen)

Inspired by the various CTFs (Capture the Flag) and the podcast "Digital Forensics Now" by Heather Charpentier and Alexis "Brigs" Brignoni, I decided to investigate an app on an Android device. I wanted to analyze an app that I use regularly. The choice fell on the classifieds portal "kleinanzeigen.de", formerly "eBay Kleinanzeigen", which is popular in Germany.
The app is mainly used in Germany as a local trading platform. A website is also offered. The Android app is available in the Google Play Store and also at apkpure.com.
View of the app without an internet connection.
When using the app, we noticed that it only works when there is an active internet connection.
 

Data backups used for analysis

1.) Full-File-Backup from a Samsung Galaxy A 22 5G (SM-A226B/DSN) with Android 13
    com.ebay.kleinanzeigen App-version  15.23.0 from 2024-03-08
    com.ebay.kleinanzeigen App-version  15.26.0 from 2024-03-28
    com.ebay.kleinanzeigen App-version  15.27.0 from 2024-04-04
2.) Full-File-Backup from a Samsung M30s (SM-M307FN/DS) with Android 11
    com.ebay.kleinanzeigen App-version   15.16.0 from 2023-12-17

Folder structure found in the data backups

The following folders were examined in detail in the analysis:

• \data\data\com.ebay.kleinanzeigen\*
• \data\media\0\Android\data\com.ebay.kleinanzeigen\*
• \data\user_de\0\com.ebay.kleinanzeigen\*

The following files with interesting content were identified here.

• \data\data\com.ebay.kleinanzeigen\shared_prefs\com.ebay.kleinanzeigen_preferences.xml

• \data\data\com.ebay.kleinanzeigen\files\NON_RESETTABLE_RECENT_SEARCHES_CACHE

• \data\data\com.ebay.kleinanzeigen\files\RECENT_SEARCHES_CACHE

• \data\data\com.ebay.kleinanzeigen\databases\messageBoxDatabase.db

• \data\data\com.ebay.kleinanzeigen\databases\messageBoxDatabase.db-shm

• \data\data\com.ebay.kleinanzeigen\databases\messageBoxDatabase.db-wal

 

The file com.ebay.kleinanzeigen_preferences.xml contains information about the account in use, for example:

<string name="LAST_EMAIL_USED">email@adress.com</string>

<string name="AUTH_USER_EMAIL">email@adress.com</string>

<string name="USERPROFILE_TRACKING_USER_ACCOUNT_TYPE">private</string>

<string name="AUTH_USER_ID">1000000</string>

<string name="USERPROFILE_LOCATION_LONGITUDE_KEY">13.520000</string>

<string name="USERPROFILE_LOCATION_LATITUDE_KEY">52.4600000</string>

<string name="USERPROFILE_NAME_KEY">Rudi</string>
The RECENT_SEARCHES_CACHE and NON_RESETTABLE_RECENT_SEARCHES_CACHE files contain JSON data records for the last searches carried out in the app.

{"searchTerm":"apple time capsule","category":{"id":"0","localizedName":"Alle Kategorien","internalName":"Alle Kategorien","hasFakeSubCategory":false,"idAsInt":0},"termSearchTimestamp":1709883798862},
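The two artifacts above can be read with a few lines of Python. This is an added example, not part of the original post or of the aLEAPP plugin; it assumes the preferences file has the usual Android `<map>` root, that the cache file is a JSON array of records, and that "termSearchTimestamp" is a Unix epoch value in milliseconds (the sample value decodes to 8 March 2024). The sample data is constructed from the values shown above.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Keys from com.ebay.kleinanzeigen_preferences.xml listed in the post.
ACCOUNT_KEYS = (
    "AUTH_USER_ID", "AUTH_USER_EMAIL", "LAST_EMAIL_USED", "USERPROFILE_NAME_KEY",
    "USERPROFILE_TRACKING_USER_ACCOUNT_TYPE",
    "USERPROFILE_LOCATION_LATITUDE_KEY", "USERPROFILE_LOCATION_LONGITUDE_KEY",
)

def account_artifacts(prefs_xml):
    """Return the account-related <string> entries of the preferences file."""
    root = ET.fromstring(prefs_xml)
    found = {el.get("name"): (el.text or "") for el in root.iter("string")}
    return {key: found[key] for key in ACCOUNT_KEYS if key in found}

def epoch_ms_to_utc(ms):
    """Convert epoch milliseconds to a UTC datetime using integer arithmetic."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base + timedelta(milliseconds=ms % 1000)

def recent_searches(cache_json):
    """Return (utc_time, search_term, category_name) tuples, oldest first."""
    searches = []
    for rec in json.loads(cache_json):  # assumption: file is a JSON array
        category = rec.get("category", {}).get("localizedName", "")
        searches.append((epoch_ms_to_utc(rec["termSearchTimestamp"]),
                         rec["searchTerm"], category))
    return sorted(searches)

# Constructed sample input (values taken from the records shown above).
SAMPLE_PREFS = """<map>
    <string name="AUTH_USER_EMAIL">email@adress.com</string>
    <string name="AUTH_USER_ID">1000000</string>
    <string name="USERPROFILE_NAME_KEY">Rudi</string>
    <string name="SOME_OTHER_SETTING">not account related</string>
</map>"""
SAMPLE_CACHE = json.dumps([
    {"searchTerm": "apple time capsule", "termSearchTimestamp": 1709883798862,
     "category": {"id": "0", "localizedName": "Alle Kategorien"}},
    {"searchTerm": "constructed earlier search", "termSearchTimestamp": 1709800000000,
     "category": {"id": "0", "localizedName": "Alle Kategorien"}},
])

if __name__ == "__main__":
    print(account_artifacts(SAMPLE_PREFS))
    for when, term, category in recent_searches(SAMPLE_CACHE):
        print(when.isoformat(), term, category)
```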

The database file messageBoxDatabase.db contains the following tables

The "conversations" table is interesting here.

This is structured as follows:

Every contact made in the app for an ad can be clearly addressed via the "identifier" column. Details about an ad are not stored on the device and are only available via API access when the app is used. The "ad" column contains JSON data for the ad. This includes the unique ad number, the publisher of the ad and the headline of the ad.

{"displayImageUrl":"https://img.kleinanzeigen.de/api/v1/prod-ads/images/0a/0a3e00c3-2578-4ed1-9de9-4da78be08bce?rule\u003d$_12.JPG","displayPrice":"","displayTitle":"Meine Kleinanzeige","identifier":"1234567890","poster":{"identifier":"87654321","imageUrl":"","name":"User Seller"}}

The counterparty information is also stored as a JSON data record in the "counterParty" column. The "identifier" value contains the unique user ID and "name" the displayed user name.

{"identifier":"87654321","imageUrl":"","name":"User Seller"}

The very interesting part of the "conversations" table is the "messages" column. Here too, the data is available as JSON. Each new message is added to the value already saved.

{"attachments":[{"mimeType":"image/jpeg","url":"https://api.ebay-kleinanzeigen.de/api/users/1089969/conversation-attachments?messageId\u003d3ded2722-ae46-11ee-8f31-0ff44f34ecac\u0026filename\u003dek-yams-6276062e7f7845c1b6dea7544ebde9ad-977E3451-E4A3-445E-9A23-0A3A8516863E.jpg"}],"identifier":"3ded2722-ae46-11ee-8f31-0ff44f34ecac","sender":"COUNTER_PARTY","sortByDate":"Mon, 08 Jan 2024 17:52:00.704 GMT+01:00","state":"DELIVERED","text":"Viel Spaß damit"}

The time of the message can be seen in the "sortByDate" object. The text of the message is saved in "text". Attachments (e.g. images) can also be added to the messages in the app. According to my analysis, these are not saved on the device, but are downloaded via API access when the messages are retrieved in the app. The path and the mime type are stored in the "attachments" object. In the "sender" object, the device owner can be linked with "ME" and the other party with "COUNTER_PARTY". The status of the message is stored in the "state" object. This data can be used to reconstruct the message history. Another object is "warning" with the sub-objects "links" and "message". A warning with the "message" and the "links" is displayed in the app.
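The reconstruction of the message history described above can be sketched as follows. This is an added example, not the code of the aLEAPP plugin; it assumes the "messages" column holds a JSON array of message objects like the one shown (a single object is also accepted), and it uses only the column names mentioned in the text. The in-memory database and its rows are constructed sample data.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Layout of "sortByDate" as it appears in the sample message above.
SORT_BY_DATE_FMT = "%a, %d %b %Y %H:%M:%S.%f GMT%z"

def parse_sort_by_date(value):
    """Return the message time as a timezone-aware UTC datetime."""
    return datetime.strptime(value, SORT_BY_DATE_FMT).astimezone(timezone.utc)

def conversation_timeline(con):
    """Return every message of every conversation, oldest first."""
    timeline = []
    query = "SELECT identifier, ad, counterParty, messages FROM conversations"
    for conv_id, ad_json, party_json, messages_json in con.execute(query):
        ad, party = json.loads(ad_json or "{}"), json.loads(party_json or "{}")
        messages = json.loads(messages_json or "[]")
        if isinstance(messages, dict):  # tolerate a single message object
            messages = [messages]
        for msg in messages:
            timeline.append({
                "utc": parse_sort_by_date(msg["sortByDate"]),
                "conversation": conv_id,
                "ad_title": ad.get("displayTitle"),
                "counterparty": party.get("name"),
                "sender": msg.get("sender"),  # "ME" or "COUNTER_PARTY"
                "state": msg.get("state"),
                "text": msg.get("text", ""),
                "attachments": [a.get("url") for a in msg.get("attachments", [])],
            })
    return sorted(timeline, key=lambda m: m["utc"])

def build_sample_db():  # constructed rows modelled on the samples above
    ad = {"displayTitle": "Meine Kleinanzeige", "identifier": "1234567890"}
    party = {"identifier": "87654321", "imageUrl": "", "name": "User Seller"}
    messages = [  # stored newest first on purpose, to show the sorting
        {"attachments": [{"mimeType": "image/jpeg", "url": "https://example.invalid/a.jpg"}],
         "sender": "COUNTER_PARTY", "state": "DELIVERED", "text": "Viel Spaß damit",
         "sortByDate": "Mon, 08 Jan 2024 17:52:00.704 GMT+01:00"},
        {"sender": "ME", "state": "DELIVERED", "text": "Danke!",
         "sortByDate": "Mon, 08 Jan 2024 17:40:12.000 GMT+01:00"}]
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE conversations (identifier, ad, counterParty, messages)")
    con.execute("INSERT INTO conversations VALUES (?, ?, ?, ?)",
                ("conv-1", json.dumps(ad), json.dumps(party), json.dumps(messages)))
    return con

if __name__ == "__main__":
    for m in conversation_timeline(build_sample_db()):
        print(m["utc"].isoformat(), m["sender"], repr(m["text"]), m["attachments"])
```

On a real extraction, pass a connection to a working copy of messageBoxDatabase.db kept together with its -wal and -shm files, so that messages not yet checkpointed into the main file are read as well.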

A view on the smartphone can look like this

Message view in the app

I have written a plugin for aLEAPP to evaluate the data from the analysis. You can find my pull request here: https://github.com/abrignoni/ALEAPP/pull/474.

The evaluation with aLEAPP looks as follows:

Message overview
Message overview in aLEAPP

Message view for an advertisement

Message view for a single ad

View in the navigation

Navigation view



I am available for questions and suggestions. 🖐🖐

My Linkedin Profile: https://www.linkedin.com/in/bruno-fischer-5b4a182b1/
