Over the last few weeks, the Mobile Application Forensics team has been working on researching and analyzing Open Whisper’s Signal on the iPhone and Android device. We split into two teams to divide and conquer the application on two different mobile operating systems. The Android team tackled a Nexus 5x and the iOS team dug into an iPad Air. Our goal for the Signal app is to see what information can be recovered off each device. To do this, we set up three phases of data generation to create data for the application.
We began the first phase of the datagen process by adding 10 contacts to both the Nexus 5x and the iPad Air. Only one contact on each device was associated with a real number from the other device; these were used before to generate conversation data between the devices.
For the second phase of datagen, we downloaded Signal on both devices, created Signal accounts, made Signal the default messaging application on the Nexus 5x, imported the phase one messages to Signal on the Nexus 5x, and sent another series of messages using Signal on the two devices. To set up the Android device, we gave the Nexus 5x a T-Mobile SIM card for texting. After the devices were set up, we sent a series of SMS messages from the Nexus 5x to the iPad, and responded from the iPad with several MMS messages. On the iPad, we downloaded an application called TextNow which imported the iPad’s contacts. Using TextNow, we created a free cell phone number to use so we could communicate with the Nexus 5x. When the iPad responded, the messages were converted to SMS from MMS.
For now, that completed our datagen. Next week we will work on the third and final phase. The third phase is going to be data generation outside of the LCDI. Just like the phase before, we will send SMS messages between the devices, but from different locations like Church Street, a popular area in Burlington. Signal requests the location permission and may save locations of some sort within the app data.
Once data generation is complete, we will move on to the analysis phase, where we will look at the digital artifacts created by Signal. For example, we will explore how the text messages are obfuscated within the messaging database. Our next blog post will contain our findings.