Abstract

Backups on smartphones protect user data from the risk of data corruption and loss by storing personal information, media data, application data, and other settings. Although backups were originally designed to maintain and protect user data, these data can be important in criminal investigations that require verifying information about a suspect's behavior at the time of an incident. However, backup data are often encrypted by each manufacturer using different schemes to protect user privacy. Because this encryption hinders the use of backup data in investigations, it is necessary to decrypt backup data by analyzing the encryption schemes of each manufacturer. In this paper, we propose a widely applicable methodology that efficiently analyzes various encrypted backup schemes. Our methodology checks the backup features, identifies the backup data and the locations where they are encrypted, reverses the encryption schemes used in the backup, and finally decrypts the encrypted backup data. As a case study, we apply our methodology to the latest Samsung smartphone backup system, consisting of Samsung SmartSwitch Mobile and Samsung SmartSwitch PC. We acquired the backup data generated by the Samsung smartphone backup, including the encrypted data, in plain form, and revealed a technique to recover the Personal Identification Number (PIN) used for encryption through the authenticator included in the backup data. We also identified, through reverse engineering, a hidden feature that could be used to extract more data than was possible using the normal backup. Finally, we developed a decryption tool to verify that the encrypted backup data were correctly decrypted. Although we focused on the Samsung smartphone backup in this paper, our methodology could be applied to any smartphone backup system on the Android platform. We believe that our work will be very helpful to mobile investigators.
