
Android Forensics

This article covers a number of Android forensic techniques that can be helpful in a variety of situations. Forensic techniques can be either logical or physical; here we will stick mostly to logical techniques, by which I mean techniques that work by accessing the device's file system rather than its hardware. The article also assumes that the reader has basic knowledge of Android programming and related concepts. The primary steps involved in Android forensics are passcode bypass and data extraction. Let's proceed to learn more.

Bypassing the Android passcode:

Firstly, it is important to note that every technique comes with one limitation or another. You will need to figure out which technique helps you in your particular circumstances; circumventing the passcode is not always possible. We will take a few scenarios and see how you can take advantage of each.

There are currently three main types of passcode supported by Android devices: pattern lock, PIN and alphanumeric passcode.

1. Smudge Attack:

This is not specific to Android devices; it is used generally by forensic analysts to deduce the passcode of any touch-screen mobile. The attack depends on the fact that the user's fingers leave smudges behind when swiped repeatedly across the same locations. The pattern lock or passcode is something the user has to enter every time he wants to use his phone, so the smudges will be heaviest along that path, and under proper lighting, with high-resolution photographs, the code can often be deduced. For this reason, when examining a device, forensic analysts take care to avoid touching the screen so that the smudges remain available for this check.

(Image: smudge attack)

2. If USB debugging is enabled:

If USB debugging is enabled on the Android device, bypassing the lock code can be done in a matter of seconds. Imagine an attacker who wants access to the files and applications on a friend's Android phone: he can first borrow the handset on some false pretext (for example, to make a call), turn on USB debugging under Settings -> Developer Options -> USB debugging, and hand the phone back. Later, at some convenient time when he gets hold of the device again, he can exploit it using any of the following ways. adb (Android Debug Bridge) is primarily a command-line tool that communicates with the device; it comes with the Android platform tools. In simple terms, this is what happens when you deal with adb:

  • An adb daemon (adbd) runs as a background process on each Android device.
  • The adb client runs on your machine as part of the Android SDK; you invoke it from a shell with the adb command.
  • An adb server also runs in the background on your machine and relays traffic between the client and the adb daemon on the device.

You can use any of the methods below to take advantage of USB debugging and bypass the screen lock:

Using UnlockAndroid.apk:

Before going ahead with this process, download the UnlockAndroid.apk file from the location below.


1. Connect the device to the machine where the Android SDK (including the platform tools) is installed.
2. Open a command prompt, change to C:\android-sdk-windows\platform-tools and run adb.exe devices.
3. The device should be listed by adb if everything is working.
4. Copy the UnlockAndroid.apk file into the C:\android-sdk-windows\platform-tools directory.
5. In the command prompt type adb.exe install UnlockAndroid.apk and observe that the application gets installed on the device.
6. Now start the application: adb.exe shell am start -n com.rohit.unlock/com.rohit.unlock.MainActivity
7. Observe that the screen lock is bypassed; you can now access all the applications and folders on the phone. Below is a screenshot of the process.

(Screenshot: UnlockAndroid.apk process)

Deleting the gesture.key file:

If the Android device uses a pattern lock and is rooted, the process below can be tried to bypass the screen lock.

1. Connect the device to the machine where the Android SDK (including the platform tools) is installed.
2. Open a command prompt, change to C:\android-sdk-windows\platform-tools and run adb.exe devices.
3. The device should be listed by adb if everything is working.
4. Connect to the adb shell by typing adb.exe shell.
5. A shell prompt appears. Now type rm /data/system/gesture.key. This is the file where the pattern is stored.
6. Restart the phone. You will observe that the device still asks for the pattern; however, you can draw any random pattern and it will unlock the device.

Below is the screenshot of the process.

(Screenshot: gesture.key deletion)

Updating the sqlite files:

If the phone is rooted, the screen lock can also be bypassed by updating the settings database with the sqlite3 client from an adb shell. Here are the details.

cd /data/data/com.android.providers.settings/databases/
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';

Cracking the Android PIN:

We have seen how to bypass the screen lock and how to delete or disable it entirely. But what if you want to know the actual PIN, so that you can lock and unlock the device at any time? On Android, the PIN the user enters is stored in the file /data/system/password.key. As you might expect, it is not stored in plain text: the PIN is first salted with a random string, then its SHA-1 and MD5 hashes are calculated, concatenated and stored as the final result. This seems complicated, but it is no match for modern computing power.

Below is the Android framework code that does this.

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import android.util.Log;

// Computes the value written to /data/system/password.key:
// hex(SHA-1(password + salt)) followed by hex(MD5(password + salt)).
// getSalt() and toHex() are helpers defined elsewhere in the same class.
public byte[] passwordToHash(String password) {
    if (password == null) {
        return null;
    }
    String algo = null;
    byte[] hashed = null;
    try {
        byte[] saltedPassword = (password + getSalt()).getBytes();
        byte[] sha1 = MessageDigest.getInstance(algo = "SHA-1").digest(saltedPassword);
        byte[] md5 = MessageDigest.getInstance(algo = "MD5").digest(saltedPassword);
        hashed = (toHex(sha1) + toHex(md5)).getBytes();
    } catch (NoSuchAlgorithmException e) {
        Log.w(TAG, "Failed to encode string because of missing algorithm: " + algo);
    }
    return hashed;
}

Since the hash is salted, a precomputed dictionary of hashes will not give you the original text directly. Here are the steps you can follow to try to crack the PIN.

1. Pull the salt using adb. The salt is stored in the 'secure' table of the settings database under /data/data/.
2. Get the stored password hash from /data/system/password.key. It is 72 hex characters: the 40-character SHA-1 hex followed by the 32-character MD5 hex.

Ex:  0C4C24508F0D29CF54FFC4DBC5520C3C10496F43313B4D3ADDFF8ACDD5C8DC3CA69CE740

3. Once you have the MD5 part and the salt, you can brute-force the PIN using readily available tools (for example hashcat) to get the password.
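As an added example that is not part of the original article, the Python below reproduces the scheme just described (hex SHA-1 followed by hex MD5 of password + salt, uppercase as Android's toHex() writes it) so that a password.key value can be checked against a candidate passcode, splits a 72-character key into its two halves, and computes the guess space that step 3 has to cover for different passcode types. The salt and PIN values are constructed for the demonstration; the example key string is the one quoted above.

```python
import hashlib
import hmac

# Constructed demonstration values (not taken from any real device).
DEMO_SALT = "1a2b3c4d5e6f7081"
DEMO_PIN = "1234"

# The 72-character example value quoted in the article.
ARTICLE_EXAMPLE_KEY = (
    "0C4C24508F0D29CF54FFC4DBC5520C3C10496F43"
    "313B4D3ADDFF8ACDD5C8DC3CA69CE740"
)


def password_to_hash(password: str, salt: str) -> str:
    """Reproduce passwordToHash(): hex(SHA-1(pw+salt)) + hex(MD5(pw+salt)),
    uppercase like Android's toHex(). Returns the 72-character string."""
    salted = (password + salt).encode()
    sha1_hex = hashlib.sha1(salted).hexdigest().upper()
    md5_hex = hashlib.md5(salted).hexdigest().upper()
    return sha1_hex + md5_hex


def split_password_key(stored: str) -> tuple:
    """Split password.key content into (sha1_hex, md5_hex): 40 + 32 characters."""
    stored = stored.strip()
    if len(stored) != 72 or any(c not in "0123456789abcdefABCDEF" for c in stored):
        raise ValueError("expected 72 hex characters, got %r" % stored)
    return stored[:40].upper(), stored[40:].upper()


def verify_passcode(candidate: str, salt: str, stored: str) -> bool:
    """True if candidate + salt hashes to the stored value. Both halves are
    checked; compare_digest avoids leaking where a mismatch occurs."""
    expected_sha1, expected_md5 = split_password_key(stored)
    computed = password_to_hash(candidate, salt)
    return hmac.compare_digest(computed, expected_sha1 + expected_md5)


def keyspace(passcode_type: str, length: int) -> int:
    """Number of candidates a brute-force search must cover in the worst case."""
    alphabet = {"pin": 10, "alphanumeric": 62}[passcode_type]
    return alphabet ** length


def demo() -> dict:
    """Build a key from the constructed PIN and salt and exercise the checks."""
    stored = password_to_hash(DEMO_PIN, DEMO_SALT)
    return {
        "stored_key": stored,
        "correct_pin_accepted": verify_passcode(DEMO_PIN, DEMO_SALT, stored),
        "wrong_pin_rejected": not verify_passcode("0000", DEMO_SALT, stored),
        "pin4_keyspace": keyspace("pin", 4),
        "alnum8_keyspace": keyspace("alphanumeric", 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The keyspace figures are the point for a defender: a 4-digit PIN hashed this way has only 10,000 candidates, so the salt merely prevents a precomputed table and does nothing against the brute force in step 3, whereas an 8-character alphanumeric passcode (62^8 candidates) is the setting that actually makes the search expensive.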

Data Extraction:

After having seen different ways to bypass the Android screen lock, let's now have a look at how to extract data from an Android phone. You can extract all the files on the system or only the files you are interested in, but for any form of extraction it is important that the device is unlocked or that USB debugging was previously enabled. There are two types of extraction.

Extracting through ADB: As explained earlier, adb lets you connect to the Android device and run commands on it.

Boot Loader Extraction: This can be done when the device is in bootloader mode, and takes advantage of the fact that the Android OS is not running at that point.

Before extracting the data, it is important to know how data is stored on an Android device so that we understand where to look and which data to pull. Android stores data mainly in the following four locations:

  1. Shared Preferences: Data is stored in key-value pairs. Shared preference files are stored in the application's data directory in the 'shared_prefs' folder.
  2. Internal Storage: Stores data which is private in the device's internal memory (NAND flash or similar).
  3. External Storage: Stores data which is public in the device's external memory, which may not have any security mechanism. This data is available under the /sdcard directory.
  4. SQLite: A database that holds structured data. This data is available under /data/data/<package>/databases.

For example, if you want to analyse the Facebook Android application, here is how you do it. Download and install the Facebook application and sign in. As soon as you install any application on Android, the corresponding application data is stored in the /data/data folder. However, due to security restrictions you cannot access or pull this data unless you have root privileges on the phone. Using adb, let us see what the /data/data folder contains. As shown in the figure below, a quick 'ls' on the /data/data folder gives the results below.

(Screenshot: /data/data folder listing)

Whether it's the browser, the gallery or contacts, everything is an app in Android; these are the applications that come with the phone. Applications like games, social network apps etc. are installed by the user. The data belonging to any of these applications is stored in the /data/data folder, so the first step is to identify where your application's directory is.

(Screenshot: Android app location)

To see the contents of that application's directory, 'ls' into it.

(Screenshot: Android app files)

As you can see, these are the folders created by the Facebook application on your phone. For instance, the cache folder may contain images that are cached for faster retrieval during normal browsing. The main area of focus is the databases folder, where data related to the user is stored. Here the concept of application security comes in: if the application is secure enough, it takes care not to store any sensitive data permanently in the databases folder. Let us see what kind of data Facebook stores while you are logged in. To do that, pull the application's folder onto your system using the command below.

C:\android-sdk-windows\platform-tools>adb.exe pull /data/data/com.facebook.katana C:\test

The databases folder is now copied into the 'test' folder on your C drive.

(Screenshot: copying the Facebook databases)

In the 'databases' folder you will see .db files, which are the SQLite files where the data is stored. To view the data in them you can use a tool such as SQLite Browser. Download and install SQLite Browser, then click File -> Open Database and select any of the .db files.



This shows you the database structure and lets you browse the data stored in the tables. Now log out of the application; you may notice that the data in those tables is deleted by the application.
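As an added example (not part of the original article), here is a small Python triage script for the directory that adb pull produces, in the spirit of the SQLite Browser step above: it finds SQLite files by their file header rather than by extension, inventories the tables in each, and flags columns or key names that suggest credentials or session material, which is exactly what a secure application should not leave on disk after the user logs out. The directory layout, table names and rows are constructed for the demonstration and are not real Facebook data.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Column or key names that usually point at credentials or session material.
SENSITIVE_HINTS = ("password", "passwd", "token", "secret", "session",
                   "cookie", "auth", "credential")


def build_demo_pull(root: str) -> str:
    """Create a constructed stand-in for the directory that
    'adb pull /data/data/<package>' produces. Tables and rows are invented."""
    db_dir = os.path.join(root, "databases")
    os.makedirs(db_dir, exist_ok=True)
    conn = sqlite3.connect(os.path.join(db_dir, "app.db"))
    conn.executescript("""
        CREATE TABLE user_values (name TEXT, value TEXT);
        INSERT INTO user_values VALUES ('session_token', 'constructed-token');
        INSERT INTO user_values VALUES ('theme', 'dark');
        CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT);
        INSERT INTO messages VALUES (1, 'alice', 'hello');
        INSERT INTO messages VALUES (2, 'bob', 'hi');
        CREATE TABLE auth_cache (account TEXT, password TEXT);
        INSERT INTO auth_cache VALUES ('alice@example.com', 'constructed-secret');
    """)
    conn.commit()
    conn.close()
    # A decoy: .db extension but not a SQLite file, so the header check matters.
    os.makedirs(os.path.join(root, "cache"), exist_ok=True)
    with open(os.path.join(root, "cache", "notes.db"), "wb") as f:
        f.write(b"not a database despite the extension")
    return root


def demo_pull_dir() -> str:
    """Build the constructed pull directory in a fresh temp folder."""
    return build_demo_pull(tempfile.mkdtemp(prefix="pulled_app_"))


def find_sqlite_files(root: str) -> list:
    """Walk a pulled app directory and return every file with a SQLite header."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if f.read(16) == SQLITE_MAGIC:
                    found.append(path)
    return sorted(found)


def _quote(identifier: str) -> str:
    """Quote a table name so odd names cannot break the query."""
    return '"' + identifier.replace('"', '""') + '"'


def inventory(db_path: str) -> dict:
    """Map each user table to its row count."""
    conn = sqlite3.connect(db_path)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        return {n: conn.execute("SELECT COUNT(*) FROM " + _quote(n)).fetchone()[0]
                for n in names}
    finally:
        conn.close()


def find_sensitive(db_path: str) -> list:
    """Return (table, name) pairs worth a closer look: columns whose names match
    SENSITIVE_HINTS, plus keys in name/value style tables that match them."""
    hits = []
    conn = sqlite3.connect(db_path)
    try:
        for table in inventory(db_path):
            columns = [row[1] for row in
                       conn.execute("PRAGMA table_info(" + _quote(table) + ")")]
            for col in columns:
                if any(h in col.lower() for h in SENSITIVE_HINTS):
                    hits.append((table, col))
            if "name" in columns and "value" in columns:
                for (key,) in conn.execute("SELECT name FROM " + _quote(table)):
                    if any(h in str(key).lower() for h in SENSITIVE_HINTS):
                        hits.append((table, key))
    finally:
        conn.close()
    return hits


def triage(root: str) -> dict:
    """Run the whole check over a pulled directory."""
    return {db: {"tables": inventory(db), "sensitive": find_sensitive(db)}
            for db in find_sqlite_files(root)}


if __name__ == "__main__":
    for db, report in triage(demo_pull_dir()).items():
        print(db, report)
```

Run it against the folder produced by the adb pull command above (C:\test in the article) instead of demo_pull_dir() to triage a real application; the same hit list is what you would check again after logging out of the application to confirm the data is really gone.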

To conclude, in this article we have seen how to bypass the Android screen lock under different conditions and how to extract application data from an Android phone.


Posted by on May 27, 2013 in Android

