Android

From Kicksecure
Revision as of 10:35, 1 April 2025 by Patrick (talk | contribs)


On most Android phones, internal storage cannot "reasonably easily" be removed and mounted elsewhere for the purpose of data recovery or hunting malware / rootkits.

This is a hardware limitation. Internal storage is a chip soldered to the board. Removing it is an operation which most repair shops are incapable of performing. Even if it is removed, it is not easy to find a reader which can access the chip without booting from it. Perhaps it could be booted in another device, but that would be beside the point: if the operating system is unbootable due to software issues, it will also be unbootable elsewhere, and if malware analysis is the goal, then no code from the suspected infected storage device should ever be executed.

It is even worse if full disk encryption was used, as per the next table entry. TODO

References:

Hence, this is not "reasonably easily" possible.

Quote from "How to fully backup non-rooted devices?":

For 4.0+ devices there is a solution called "adb backup".

Note: This only works for apps that do not disallow backup! Apps that disallow backup are simply ignored when creating a backup using this way.

The method described in "Copy full disk image from Android to computer" does not work for non-rooted / non-rootable devices.

The following terminal session, taken on a non-rooted Android device running GrapheneOS, was contributed by a user. It shows that adb cannot run as root, that neither sudo nor su exist, and that every block device node under /dev/block is owned by root with no access for other users.

$ adb devices
List of devices attached
xxxxxxxxxxx    device

$ adb root
adbd cannot run as root in production builds

$ adb shell
walleye:/ $ ls
ls: ./init.zygote64_32.rc: Permission denied
ls: ./init.rc: Permission denied
ls: ./init.usb.rc: Permission denied
ls: ./ueventd.rc: Permission denied
ls: ./init.zygote32.rc: Permission denied
ls: ./init: Permission denied
ls: ./cache: Permission denied
ls: ./init.environ.rc: Permission denied
ls: ./persist: Permission denied
ls: ./postinstall: Permission denied
ls: ./init.usb.configfs.rc: Permission denied
ls: ./metadata: Permission denied
acct apex bin bugreports charger config d data debug_ramdisk default.prop dev dsp etc firmware lost+found mnt odm oem proc product product_services res sbin sdcard storage sys system vendor
1|walleye:/ $ sudo ls
/system/bin/sh: sudo: inaccessible or not found
127|walleye:/ $ su
/system/bin/sh: su: inaccessible or not found
127|walleye:/ $
walleye:/dev/block $ ls -lah
total 0
drwxr-xr-x  6 root   root       2.4K 1970-07-03 11:40 .
drwxr-xr-x 18 root   root       3.9K 2020-05-26 15:41 ..
lrwxrwxrwx  1 root   root         37 1970-07-03 11:40 bootdevice -> /dev/block/platform/soc/1da4000.ufshc
drwxr-xr-x  2 root   root       1.6K 1970-07-03 11:40 by-name
brw-------  1 root   root   252,   0 1970-07-03 11:40 dm-0
brw-------  1 root   root   252,   1 1970-07-03 11:40 dm-1
brw-------  1 root   root     7,   0 1970-07-03 11:40 loop0
brw-------  1 root   root     7,   8 1970-07-03 11:40 loop1
brw-------  1 root   root     7,  80 1970-07-03 11:40 loop10
brw-------  1 root   root     7,  88 1970-07-03 11:40 loop11
brw-------  1 root   root     7,  96 1970-07-03 11:40 loop12
brw-------  1 root   root     7, 104 1970-07-03 11:40 loop13
brw-------  1 root   root     7, 112 1970-07-03 11:40 loop14
brw-------  1 root   root     7, 120 1970-07-03 11:40 loop15
brw-------  1 root   root     7,  16 1970-07-03 11:40 loop2
brw-------  1 root   root     7,  24 1970-07-03 11:40 loop3
brw-------  1 root   root     7,  32 1970-07-03 11:40 loop4
brw-------  1 root   root     7,  40 1970-07-03 11:40 loop5
brw-------  1 root   root     7,  48 1970-07-03 11:40 loop6
brw-------  1 root   root     7,  56 1970-07-03 11:40 loop7
brw-------  1 root   root     7,  64 1970-07-03 11:40 loop8
brw-------  1 root   root     7,  72 1970-07-03 11:40 loop9
drwxr-xr-x  2 root   root         80 1970-07-03 11:40 mapper
drwxr-xr-x  3 root   root         60 1970-07-03 11:40 platform
brw-------  1 root   root     1,   0 1970-07-03 11:40 ram0
brw-------  1 root   root     1,   1 1970-07-03 11:40 ram1
brw-------  1 root   root     1,  10 1970-07-03 11:40 ram10
brw-------  1 root   root     1,  11 1970-07-03 11:40 ram11
brw-------  1 root   root     1,  12 1970-07-03 11:40 ram12
brw-------  1 root   root     1,  13 1970-07-03 11:40 ram13
brw-------  1 root   root     1,  14 1970-07-03 11:40 ram14
brw-------  1 root   root     1,  15 1970-07-03 11:40 ram15
brw-------  1 root   root     1,   2 1970-07-03 11:40 ram2
brw-------  1 root   root     1,   3 1970-07-03 11:40 ram3
brw-------  1 root   root     1,   4 1970-07-03 11:40 ram4
brw-------  1 root   root     1,   5 1970-07-03 11:40 ram5
brw-------  1 root   root     1,   6 1970-07-03 11:40 ram6
brw-------  1 root   root     1,   7 1970-07-03 11:40 ram7
brw-------  1 root   root     1,   8 1970-07-03 11:40 ram8
brw-------  1 root   root     1,   9 1970-07-03 11:40 ram9
brw-------  1 root   root     8,   0 1970-07-03 11:40 sda
brw-------  1 root   root     8,   1 1970-07-03 11:40 sda1
brw-------  1 root   root     8,  10 1970-07-03 11:40 sda10
brw-------  1 root   root     8,  11 1970-07-03 11:40 sda11
brw-------  1 root   root     8,  12 1970-07-03 11:40 sda12
brw-------  1 root   root     8,  13 1970-07-03 11:40 sda13
brw-------  1 root   root     8,  14 1970-07-03 11:40 sda14
brw-------  1 root   root     8,  15 1970-07-03 11:40 sda15
brw-------  1 root   root   259,   0 1970-07-03 11:40 sda16
brw-------  1 root   root   259,   1 1970-07-03 11:40 sda17
brw-------  1 root   root   259,   2 1970-07-03 11:40 sda18
brw-------  1 root   root   259,   3 1970-07-03 11:40 sda19
brw-------  1 root   root     8,   2 1970-07-03 11:40 sda2
brw-------  1 root   root   259,   4 1970-07-03 11:40 sda20
brw-------  1 root   root   259,   5 1970-07-03 11:40 sda21
brw-------  1 root   root   259,   6 1970-07-03 11:40 sda22
brw-------  1 root   root   259,   7 1970-07-03 11:40 sda23
brw-------  1 root   root   259,   8 1970-07-03 11:40 sda24
brw-------  1 root   root   259,   9 1970-07-03 11:40 sda25
brw-------  1 root   root   259,  10 1970-07-03 11:40 sda26
brw-------  1 root   root   259,  11 1970-07-03 11:40 sda27
brw-------  1 root   root   259,  12 1970-07-03 11:40 sda28
brw-------  1 root   root   259,  13 1970-07-03 11:40 sda29
brw-------  1 root   root     8,   3 1970-07-03 11:40 sda3
brw-------  1 root   root   259,  14 1970-07-03 11:40 sda30
brw-------  1 root   root   259,  15 1970-07-03 11:40 sda31
brw-------  1 root   root   259,  16 1970-07-03 11:40 sda32
brw-------  1 root   root   259,  17 1970-07-03 11:40 sda33
brw-------  1 root   root   259,  18 1970-07-03 11:40 sda34
brw-------  1 root   root   259,  19 1970-07-03 11:40 sda35
brw-------  1 root   root   259,  20 1970-07-03 11:40 sda36
brw-------  1 root   root   259,  21 1970-07-03 11:40 sda37
brw-------  1 root   root   259,  22 1970-07-03 11:40 sda38
brw-------  1 root   root   259,  23 1970-07-03 11:40 sda39
brw-------  1 root   root     8,   4 1970-07-03 11:40 sda4
brw-------  1 root   root   259,  24 1970-07-03 11:40 sda40
brw-------  1 root   root   259,  25 1970-07-03 11:40 sda41
brw-------  1 root   root   259,  26 1970-07-03 11:40 sda42
brw-------  1 root   root   259,  27 1970-07-03 11:40 sda43
brw-------  1 root   root   259,  28 1970-07-03 11:40 sda44
brw-------  1 root   root   259,  29 1970-07-03 11:40 sda45
brw-------  1 root   root     8,   5 1970-07-03 11:40 sda5
brw-------  1 root   root     8,   6 1970-07-03 11:40 sda6
brw-------  1 root   root     8,   7 1970-07-03 11:40 sda7
brw-------  1 root   root     8,   8 1970-07-03 11:40 sda8
brw-------  1 root   root     8,   9 1970-07-03 11:40 sda9
brw-------  1 root   root     8,  16 1970-07-03 11:40 sdb
brw-------  1 root   root     8,  17 1970-07-03 11:40 sdb1
brw-------  1 root   root     8,  32 1970-07-03 11:40 sdc
brw-------  1 root   root     8,  33 1970-07-03 11:40 sdc1
brw-------  1 root   root     8,  48 1970-07-03 11:40 sdd
brw-------  1 root   root     8,  49 2020-05-26 15:41 sdd1
brw-------  1 root   root     8,  58 1970-07-03 11:40 sdd10
brw-------  1 root   root     8,  59 1970-07-03 11:40 sdd11
brw-------  1 root   root     8,  60 1970-07-03 11:40 sdd12
brw-------  1 root   root     8,  61 1970-07-03 11:40 sdd13
brw-------  1 root   root     8,  62 1970-07-03 11:40 sdd14
brw-------  1 root   root     8,  63 2020-05-26 15:42 sdd15
brw-------  1 root   root   259,  30 2020-05-26 15:41 sdd16
brw-------  1 root   root   259,  31 2020-05-26 15:41 sdd17
brw-------  1 root   root   259,  32 1970-07-03 11:40 sdd18
brw-------  1 root   root     8,  50 1970-07-03 11:40 sdd2
brw-------  1 root   root     8,  51 1970-07-03 11:40 sdd3
brw-rw----  1 system system   8,  52 2020-05-26 15:48 sdd4
brw-------  1 root   root     8,  53 1970-07-03 11:40 sdd5
brw-------  1 root   root     8,  54 1970-07-03 11:40 sdd6
brw-------  1 root   root     8,  55 1970-07-03 11:40 sdd7
brw-------  1 root   root     8,  56 1970-07-03 11:40 sdd8
brw-------  1 root   root     8,  57 1970-07-03 11:40 sdd9
brw-------  1 root   root     8,  64 1970-07-03 11:40 sde
brw-------  1 root   root     8,  65 1970-07-03 11:40 sde1
brw-------  1 root   root     8,  66 1970-07-03 11:40 sde2
brw-------  1 root   root     8,  67 1970-07-03 11:40 sde3
brw-------  1 root   root     8,  68 1970-07-03 11:40 sde4
brw-------  1 root   root     8,  69 1970-07-03 11:40 sde5
brw-------  1 root   root     8,  80 1970-07-03 11:40 sdf
brw-------  1 root   root     8,  81 1970-07-03 11:40 sdf1
brw-------  1 root   root     8,  82 1970-07-03 11:40 sdf2
brw-------  1 root   root     8,  83 1970-07-03 11:40 sdf3
brw-------  1 root   root     8,  84 1970-07-03 11:40 sdf4
brw-------  1 root   root     8,  85 1970-07-03 11:40 sdf5
drwx------  2 root   root         40 1970-07-03 11:40 vold
brw-------  1 root   root   253,   0 2020-05-26 15:41 zram0
$ adb shell
walleye:/ $ mount
/dev/root on / type ext4 (ro,seclabel,nodev,relatime)
tmpfs on /dev type tmpfs (rw,seclabel,nosuid,relatime,size=1851548k,nr_inodes=462887,mode=755)
devpts on /dev/pts type devpts (rw,seclabel,nosuid,noexec,relatime,mode=600)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime,gid=3009,hidepid=2)
sysfs on /sys type sysfs (rw,seclabel,nosuid,nodev,noexec,relatime)
selinuxfs on /sys/fs/selinux type selinuxfs (rw,relatime)
tmpfs on /mnt type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755,gid=1000)
tmpfs on /apex type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755)
/dev/block/sdd3 on /persist type ext4 (rw,seclabel,nosuid,nodev,noatime,data=ordered)
/dev/block/dm-1 on /vendor type ext4 (ro,seclabel,relatime)
none on /dev/cpuctl type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
none on /acct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
none on /dev/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset,noprefix,release_agent=/sbin/cpuset_release_agent)
none on /dev/stune type cgroup (rw,nosuid,nodev,noexec,relatime,schedtune)
/dev/root on /apex/com.android.tzdata@290000000 type ext4 (ro,seclabel,relatime)
/dev/root on /apex/com.android.tzdata type ext4 (ro,seclabel,relatime)
/dev/root on /apex/com.android.runtime@1 type ext4 (ro,seclabel,relatime)
/dev/root on /apex/com.android.runtime type ext4 (ro,seclabel,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,seclabel,relatime)
none on /config type configfs (rw,nosuid,nodev,noexec,relatime)
tracefs on /sys/kernel/debug/tracing type tracefs (rw,seclabel,relatime)
/dev/block/sde4 on /metadata type ext4 (rw,sync,seclabel,nosuid,nodev,noatime,discard,data=ordered)
/dev/block/sda28 on /firmware type vfat (ro,context=u:object_r:firmware_file:s0,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=437,iocharset=iso8859-1,shortname=lower,errors=remount-ro)
tmpfs on /storage type tmpfs (rw,seclabel,nosuid,nodev,noexec,relatime,size=1851548k,nr_inodes=462887,mode=755,gid=1000)
/dev/block/sda45 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resgid=1065,errors=panic,stripe=4096,data=ordered)
/dev/root on /apex/com.android.conscrypt@290000000 type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.conscrypt type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.media@290000000 type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.media type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.media.swcodec@290000000 type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.media.swcodec type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.resolv@290000000 type ext4 (ro,seclabel,nodev,relatime)
/dev/root on /apex/com.android.resolv type ext4 (ro,seclabel,nodev,relatime)
adb on /dev/usb-ffs/adb type functionfs (rw,relatime)
mtp on /dev/usb-ffs/mtp type functionfs (rw,relatime)
ptp on /dev/usb-ffs/ptp type functionfs (rw,relatime)
/data/media on /mnt/runtime/default/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal)
/data/media on /storage/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=1015,multiuser,mask=6,derive_gid,default_normal)
/data/media on /mnt/runtime/read/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=23,derive_gid,default_normal)
/data/media on /mnt/runtime/write/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
/data/media on /mnt/runtime/full/emulated type sdcardfs (rw,nosuid,nodev,noexec,noatime,fsuid=1023,fsgid=1023,gid=9997,multiuser,mask=7,derive_gid,default_normal)
pstore on /sys/fs/pstore type pstore (rw,seclabel,relatime)
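To make the point of the session concrete, here is an added Python example (not part of the original page, nor code from GrapheneOS or Kicksecure) that joins the `mount` and `ls -lah /dev/block` output above and reports, for each mounted block device, whether an unprivileged adb shell user could read the raw device node. The sample lines are a subset copied from the session; the user name `shell` with a single group `shell`, and the function names, are assumptions for illustration.

```python
import re

# Subset of lines copied from the `ls -lah /dev/block` session above.
LS_OUTPUT = """\
brw-------  1 root   root   252,   1 1970-07-03 11:40 dm-1
brw-------  1 root   root     8,  51 1970-07-03 11:40 sdd3
brw-rw----  1 system system   8,  52 2020-05-26 15:48 sdd4
brw-------  1 root   root   259,  29 1970-07-03 11:40 sda45
"""
# Subset of lines copied from the `mount` session above.
MOUNT_OUTPUT = """\
/dev/root on / type ext4 (ro,seclabel,nodev,relatime)
/dev/block/sdd3 on /persist type ext4 (rw,seclabel,nosuid,nodev,noatime,data=ordered)
/dev/block/dm-1 on /vendor type ext4 (ro,seclabel,relatime)
/dev/block/sda45 on /data type ext4 (rw,seclabel,nosuid,nodev,noatime,noauto_da_alloc,resgid=1065,errors=panic,stripe=4096,data=ordered)
"""
LS_RE = re.compile(r"^(?P<mode>[bc][rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
                   r"\s+\d+,\s*\d+\s+\S+\s+\S+\s+(?P<name>\S+)$")
MOUNT_RE = re.compile(r"^(?P<dev>\S+) on (?P<mnt>\S+) type \S+ \((?P<opts>[^)]*)\)$")

def parse_block_nodes(ls_text):
    # Map /dev/block/<name> -> (mode, owner, group) for every device node in the listing.
    nodes = {}
    for line in ls_text.splitlines():
        m = LS_RE.match(line)
        if m:
            nodes["/dev/block/" + m.group("name")] = (m.group("mode"), m.group("owner"), m.group("group"))
    return nodes

def dac_readable(mode, owner, group, user, groups):
    # Classic Unix permission bits only; SELinux (note `seclabel` on the mounts) can still deny.
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"

def imaging_report(ls_text, mount_text, user="shell", groups=("shell",)):
    # For each mounted /dev/block node, record whether `user` could read it raw (DAC check only).
    nodes = parse_block_nodes(ls_text)
    report = []
    for line in mount_text.splitlines():
        m = MOUNT_RE.match(line)
        if not m or m.group("dev") not in nodes:
            continue  # e.g. /dev/root, which the listing does not resolve to a /dev/block node
        mode, owner, group = nodes[m.group("dev")]
        report.append({"mount": m.group("mnt"), "device": m.group("dev"), "owner": f"{owner}:{group}",
                       "mode": mode, "rw": "rw" in m.group("opts").split(","),
                       "raw_readable": dac_readable(mode, owner, group, user, groups)})
    return report
```

Running `imaging_report(LS_OUTPUT, MOUNT_OUTPUT)` yields no entry with `raw_readable` set, which is why a raw image of /data cannot be taken from an unprivileged adb shell; a positive result would only mean the DAC check passes, since SELinux policy is enforced on top of it.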