What Google Knows About You
and Your Devices
AND HOW WE CAN GET IT
Google Account Acquisition
Extracting evidence from a user's Google Account: challenges, approaches and tools
Vladimir Katalov
ElcomSoft Ltd.
www.elcomsoft.com
Who We Are
Privately held company, established in 1990
100% inhouse development
Microsoft Certified Partner
Intel Software Partner (Premier Elite)
Trusted NVIDIA developer
Over 300 partners/resellers on all continents
Six US patents (incl. GPU acceleration)
Corporate, government, military & forensic customers
Over 300,000 installations worldwide
Our Customers
Research Motivation
Curiosity
Privacy
The right to know
Government surveillance
Forensics
Backup and recovery
Top 10 fears of 2015
Source:
http://www.livescience.com/52535-american-fear-survey-2015.html
What This Presentation is NOT About
Hacking
Accessing someone else account
Compromising Google
Criminal activities
Profit
Most information used for this research is publ
It's About Android (but not just Android)
59.1% US market share
72.6% EU5 market share
79.1% worldwide market share
205 million Android devices sold in Q4 2015 alone (source: IDC)
Over 2 billion in active use (estimate)
146 million Gmail users, 900 million accounts
504 million active Google+ accounts
And How We Can Get It
Incredible amount of information collected
Truly useful services
Watches users' every step (literally)
Google services available on other platforms
Tracking continues on computers and non-Android devices
The Numbers Are Misleading
Not every Android smartphone is a Google device
China is the biggest market
30% of all smartphones sold in China
Google services completely banned
Mobile vs Cloud Forensics
Google mail
900 million users (May 2015)
Monthly unique users: 90 million (2014)
Percentage of Americans using Gmail: 24% (2013)
Gmail app downloads from Google Play: 1 billion (2014)
Percentage of Gmail users working on mobile device: 75% (2015)
Google Chrome
Google Chrome users: 1 billion (2015)
Percentage of web browser usage: 35% (2013)
Android
Number of Android devices: 1.4 billion (September 2015)
Android share: over 80%
Average daily Android activations: 1.5 million
About 25,000 unique device models
Apple iCloud
Introduced in Oct 2011 with iOS 5
Optional upgrade to iCloud Drive since iOS 8
5 GB free storage, up to 1 TB paid storage
Extremely convenient: over 500 million users
What Apple Knows About You
Quite a lot: https://www.apple.com/privacy/government-information-requests/
Device registration
Customer service records
iTunes
Apple retail store transactions
Apple online store purchases
Find My iPhone
Other device information
MAC address
UDID
iCloud
Subscriber information
Mail logs
Email contents
Photo streams
Documents
Contacts
Calendars
Bookmarks
App-specific data
All files stored on iCloud Drive
Device backups
What's Inside an iCloud Backup?
Contacts and Contact Favorites
Messages (including iMessages)
Call history
Application data
Device settings
Camera roll (photos and videos)
Purchases (music, movies, TV, apps, books)
Mail accounts
Network settings (saved Wi-Fi hotspots, VPN settings etc.)
Paired Bluetooth devices
Offline web application cache/database
Safari bookmarks, cookies, history, offline data
User dictionaries
Geolocation history and places
Passwords (encrypted with device key)
... and much more
+ iCloud Drive
More application data
Passbook data
Documents
1Password database
WhatsApp own backup
Over-the-Air Acquisition: iCloud and iCloud Drive
We have:
Apple ID and password, or
PC or Mac synced with iCloud (binary authentication token)
Acquisition steps:
Use Apple ID and password to download the backup
Extract binary authentication tokens, use to download backup or data
Notes:
Two-factor authentication may be an issue
- Using binary authentication token bypasses 2FA
Keychain is encrypted with hardware key
- Can be decrypted if securityd key is extracted from the device
Full data set acquisition speed is slow
- Can quickly download & analyze selected information, full data set later
Account owner may receive a notification email within 10 minutes after the download is started (iCloud backup only)
Famous iCloud Hacks
Dmitry Medvedev (Russian Prime Minister) Twitter account hacked (August 2014)
http://www.theguardian.com/world/2014/aug/14/dmitry-medvedev-russian-pm-twitter-account-hacked
Celebrity photo hack (September 2014)
http://en.wikipedia.org/wiki/2014_celebrity_photo_hack
Leaked Emails Reveal What Vladimir Putin Tells World Leaders at Private Meals (May 2015)
http://globalvoicesonline.org/2015/05/08/russia-leaked-emails-reveal-what-vladimir-putin-tells-world-leaders-at-private-meals/
Apple response
Notification emails (do not appear now)
2FA to protect iCloud backups
iOS 9: ATS (App Transport Security), pinned certificates, new storage location and data format, updated encryption, mandatory 2FA (?)
Solution: Two-Step Verification?
If enabled, 2FA is enforced for iCloud backups
- but not for files sideloaded to iCloud Drive
- and not for iCloud-compatible app data
Overcoming 2FA is easy
- if the second authentication factor is available
Bypassing 2FA is possible
- if a binary authentication token is extracted from the user's PC/Mac
Authentication tokens are used for convenience
Saved on a Mac or PC used to access iCloud
Allow users to avoid entering the Apple ID and password every time
Technically, an authentication token is stored in a file on the user's computer (see figure)
Locating the file and extracting the token allows bypassing login/password authentication and 2FA
What authentication tokens are NOT
Authentication tokens do not contain a password to the user's Apple account
They don't contain a hash of the password either
They cannot be used to brute-force the original plain-text password
Android: a Highly Fragmented Platform
What Is Android?
Over 25,000 device models
By more than 1000 manufacturers
Running 7 major versions of the OS
On 23 API levels
Built on a wide range of hardware platforms (ARMv7, ARMv8, Intel x86, MIPS)
Customized by OEMs
Custom ROMs and kernels
Android to the Rescue? Not So Sure
User's data:
all connected devices
devices/browsers that requested access
applications that requested access
Google Ads settings (age, interests etc.)
contacts
calendars
notes
mail
albums (photos/pictures/videos)
Hangouts conversations
comprehensive location history
Google Fit data (sport activity tracking)
Chrome
history
synced passwords and autofill data
bookmarks
search history
YouTube [search] history
a lot of statistical information
Top 10 Smartphone Apps (source: comScore report, June 2015)
Facebook
Google Maps
YouTube
Pandora Radio
Facebook Messenger
Gmail
Google Search
Instagram
Google Play
Yahoo Stocks
Who Else Can Collect Data?
Mobile service providers massively engage in tracking activities
US carriers are the biggest offenders
Carrier IQ
https://en.wikipedia.org/wiki/Carrier_IQ
Zombie Cookies
Data sold to third parties (e.g. recent Verizon-AOL deal)
https://www.propublica.org/article/verizons-zombie-cookie-gets-new-life
Google: Transparency Report
Legal Process
https://www.google.com/transparencyreport/userdatarequests/legalprocess/
What kinds of data do you disclose for different products?
To answer that, let's look at four services from which government agencies in the U.S. commonly request information: Gmail, YouTube, Google Voice and Blogger. Here are examples of the types of data we may be compelled to disclose, depending on the ECPA legal process, the scope of the request, and what is requested and available. If we believe a request is overly broad, we will seek to narrow it.
Gmail
Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)
Sign-in IP addresses and associated time stamps
Email content
Google Sign-On
Google Security Settings
Recent security events and used devices, connected apps, saved
passwords
Google Takeout
Leaves traces
Not all data is exported
Limited flexibility
Inconvenient format
Google Dashboard: Account Activity
Google Dashboard: profile, connected devices & apps
Google Dashboard: Mail
Google Chrome Sync
Google Chrome: search & browsing history
https://history.google.com/history/
Total searches
Searches by day
Top search clicks
Map search history
Voice search history
Info on devices
Location history
What is saved:
Searches in all Google services
Browser or mobile application
Actions for search results (opened or not)
Actions on Ads (clicks/purchases)
IP address
Browser information
Google Takeout does NOT work with history
Android Device Backups
Google Calendar settings
Wi-Fi networks & password
Home screen wallpapers
Gmail settings
Apps installed through Google Play
Display settings
Language & Input settings
Date & Time
3rd party app settings & data
Device Backups: Third-Party App Data in Android 6.0
Auto Backup for Apps
Things changed since Android 6.0
Preview!
Requires API level 23 (Android 6.0)
Requires developer participation
Google Apps are NOT using Auto Backup for Apps (backup via Google Services instead)
http://arstechnica.com/gadgets/2015/10/android-6-0s-auto-backup-for-apps-perfect-data-backup-for-the-1
Device Backups: Android 6.0
Support for API level 23 still very uncommon
Only 3 of Top 100 apps (third-party) are using the new backup feature
Future growth guaranteed
Backed by historical data:
API level 22 (Android 5.1) published 7 months ago
Supported by 46% of the Top 100 apps (but only 7.9% of handsets)
API level 21 (Android 5.0) published 1 year ago
Supported by 78% of the Top 100 apps
http://arstechnica.com/gadgets/2015/10/android-6-0s-auto-backup-for-apps-perfect-data-backup-for-the-1
Google Photos (aka PicasaWeb, aka Google+ Photos)
Albums/events
Comments
Geo tags
Subscriptions
View counters
People
Android Device Backups: Downloading
BackupTransport (com.android.internal.backup in GoogleBackupTransport.apk): source code provided; works with https://android.googleapis.com/backup
Authentication: https://android.clients.google.com/auth
Get refresh token (input: email, password)
Get authentication token (input: refresh token)
Get info on backups available: https://android.googleapis.com/backup
Input: android_id, authentication token
Output (array): Android_id, backup creation date/time, date/time of device registration on account, device name or model, SDK version, last activity date/time
Download backup: https://android.clients.google.com/back
Input: android_id, package to restore (download), Auth
Output (array of strings):
pm (general info on applications)
android (wallpaper: xml + picture)
com.android.nfc
com.android.providers.settings (including Wi-Fi password)
com.android.vending
com.google.android.talk
com.google.android.googlequicksearchbox
com.google.android.calendar
com.google.android.inputmethod.latin
com.google.android.gm
Android M
Get system backup (@pm@): https://android.clients.google.com/googlefood/backup
Get backups on particular apps: returns package name, download URL (on Google Drive)
Authenticate on Google Drive: https://android.clients.google.com/auth
New auto-backups for application data; stored on Google Drive as .tar archives
Google Hangouts
https://accounts.google.com/ServiceLogin?hl=en-US&Email={email}
Set-Cookie: GAPS=1:iv-YjJtilF-coJ0RpCZhlmMBj97IRA:RKppYacKUG4PUMNX
Set-Cookie: GALX=mItW3iafLoo;Path=/;Secure
POST https://accounts.google.com/ServiceLoginAuth HTTP/1.1
Cookie: GoogleAccountsLocale_session=en; GAPS=[]; GALX=[]&Email={email}&Passwd={password}
Set-Cookie: NID=[...] Set-Cookie: SID=[...] Set-Cookie: LSID=[...]
Set-Cookie: HSID=[...] Set-Cookie: SSID=[...] Set-Cookie: APISID=[...] Set-Cookie: SAPISID=[...]
https://talkgadget.google.com/u/0/talkgadget/_/chat?{parameters}
Cookie: NID=[...]; HSID=[...]; SSID=[...]; SID=[...]; APISID=[...]; SAPISID=[...]
Set-Cookie: S=talkgadget=VlFAZCxwB-G_h53WWt_g6Q
Get conversation (dialog):
https://clients6.google.com/chat/v1/conversations/getconversation?alt=protojson&key=API_KEY
Cookie: NID=[...]; [...]; SSID=[...]; SID=[...]; [...]
Authorization: SAPISIDHASH {hash}
SAPISIDHASH: SHA-1(timestamp+SAPISID+URL)
Returns:
Dialog data (id, inviteTime, activatedTime)
Participants' data (id, name, avatarUrl)
Events (Message, AddUser, RemoveUser, SentPhoto, VideoCall, Location)
Date/time
Info on video call: date/time (start+end)
Text
Locations (address, mapUrl, latitude, longitude)
Picture (photoUrl, width, height, album_name)
Obtaining Google Chrome history
POST https://history.google.com/history/?jspb=1&max=1435697999999999 HTTP/1.1
max=1435697999999999 (in milliseconds since 01.01.1970)
Headers:
Accept: */*
Accept-Language: ru,en-US;q=0.8,en;q=0.6
Connection: keep-alive
Host: history.google.com
Cookie: cookie (obtained after auth-n, includes auth. token)
To get results in English, add to the Cookie:
PREF=ID=1111111111111111:FF=0:LD=en;
YouTube watch history
https://history.google.com/history/youtube/watch?jspb=1&max=1394034083520660
Or
Use YouTube API
https://developers.google.com/youtube/v3/docs/
YouTube search history
https://history.google.com/history/youtube/search?jspb=1&max=1422545631282456
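The history requests above bound their results with a max= timestamp. The slide labels the unit milliseconds, but 16-digit values like the three shown are only consistent with microseconds since 1970 (read as milliseconds they would land tens of thousands of years in the future), so an examiner wants a unit check before putting such bounds on a timeline. The Python below is an added example written for this page, not the presenter's tool: it infers the unit from the magnitude, converts with integer arithmetic so no microsecond is lost to float rounding, and reports the instant in a chosen local offset. The digit-count rule and the UTC+3 offset used in the demo are assumptions.

```python
"""Normalise the max= timestamps used in history.google.com requests."""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Multiplier that turns a value in the detected unit into microseconds.
_TO_MICROSECONDS = {"s": 1_000_000, "ms": 1_000, "us": 1}


def detect_unit(value: int) -> str:
    """Infer the unit of an epoch-based integer from its magnitude.

    Assumption: epoch seconds for dates between 2001 and 2286 have 10 digits,
    milliseconds 13 and microseconds 16. Anything else is rejected rather
    than guessed, so a mislabelled bound is caught instead of silently mapped.
    """
    digits = len(str(abs(value)))
    if digits == 10:
        return "s"
    if digits == 13:
        return "ms"
    if digits == 16:
        return "us"
    raise ValueError(f"{value}: {digits} digits is not a plausible epoch value")


def to_utc(value: int) -> datetime:
    """Convert a history max= value to an aware UTC datetime.

    Integer microseconds are fed to timedelta so the conversion is exact.
    """
    micros = value * _TO_MICROSECONDS[detect_unit(value)]
    return EPOCH + timedelta(microseconds=micros)


def describe(value: int, utc_offset_hours: int = 0) -> dict:
    """Return the detected unit plus UTC and offset-local ISO timestamps.

    Viewing the bound in a local offset shows whether it is a round boundary:
    1435697999999999 is one microsecond before midnight 2015-07-01 at UTC+3.
    """
    utc = to_utc(value)
    local = utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return {"unit": detect_unit(value), "utc": utc.isoformat(), "local": local.isoformat()}


# The three max= values that appear on the slides (web, YouTube watch, YouTube search).
SLIDE_VALUES = [1435697999999999, 1394034083520660, 1422545631282456]

if __name__ == "__main__":
    for v in SLIDE_VALUES:
        print(v, describe(v, utc_offset_hours=3))
```

Rejecting unexpected magnitudes is deliberate: a forensic timeline is easier to defend when a bound that does not fit any known unit stops the run rather than being stretched to fit.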
Google Drive
Authenticate: https://www.googleapis.com/auth/drive
Get file list:
GET https://www.googleapis.com/drive/v2/files?key={YOUR_API_KEY} (pretend to be Chromium)
Returns: Download URL, ID, Parent ID, If Shared with me, Owner, Access rights, File name, File size, Description, Properties
Detailed list request:
GET https://www.googleapis.com/drive/v2/files?maxResults={MAX_RESULT}&pageToken={PAGE_TOKEN}&fields={FIELDS}&key={YOUR_API_KEY}
{PAGE_TOKEN} page token
{MAX_RESULT} number of files in response
{FIELDS} fields to return
To get info on a particular file, set its ID in the request and provide parameters:
https://developers.google.com/drive/v2/reference/files/get
Get file metadata:
GET https://www.googleapis.com/drive/v2/files/fileID?key={YOUR_API_KEY}
Download file:
GET https://www.googleapis.com/drive/v2/files/fileID?alt=media
Search by file owner:
https://www.googleapis.com/drive/v2/files?q=not+'{your_email_address}'+in+owners
https://www.googleapis.com/drive/v2/files?q='{your_email_address}'+in+owners
Google Photos
Picasa Web Albums Data API
(use Oauth2 to get token)
https://developers.google.com/picasa-web/docs/2.0/developers_guide_protocol
Get albums list:
GET https://picasaweb.google.com/data/feed/api/user/{userId}
(userId = default to get own photos; Authorization: token)
Get own album(s):
GET https://picasaweb.google.com/data/feed/api/user/{USER_ID}/albumid/{ALBUM_ID}?kind=photo& [..]
(returns full properties of every album)
Get circles:
POST https://clients6.google.com/rpc/plusi?key=[..]
(returns circles, friends: email, contactId, obfuscatedGaiaId, displayName)
GET https://picasaweb.google.com/data/feed/api/user/{USER_ID}/albumid/{ALBUM_ID}?kind=comment&[..]
Returns:
gphoto:id (own id)
gphoto:photoid
authorId
published
updated
title
content
Google Chrome: passwords
message PasswordSpecificsData {
  optional int32 scheme = 1;
  optional string signon_realm = 2;
  optional string origin = 3;
  optional string action = 4;
  optional string username_element = 5;
  optional string username_value = 6;
  optional string password_element = 7;
  optional string password_value = 8;
  optional bool ssl_valid = 9;
  optional bool preferred = 10;
  optional int64 date_created = 11;
  optional bool blacklisted = 12;
  optional int32 type = 13;
  optional int32 times_used = 14;
}
message PasswordSpecifics {
  optional EncryptedData encrypted = 1;
  optional PasswordSpecificsData client_only_encrypted_data = 2;
}
Obtaining master encryption keys
Chrome sync: https://clients4.google.com/chrome-sync/command/?client=Chromium&client_id=[...]
(body: protobuf with GetUpdatesMessage(need_encryption_key=true); response: GetUpdatesResponse with entries & encryption key)
Get master encryption keys:
Key=pbkdf2_sha1(base64(encryption_key)+"saltsalt",1003)
MacKey=pbkdf2_sha1(base64(encryption_key)+"saltsalt",1004)
The keys can be additionally encrypted using the passphrase (on the client side)
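The key formula on this slide is what decides who can read synced passwords: by default the PBKDF2 input is derived from an encryption_key that the sync server itself hands out, so possession of the account is enough; with a custom sync passphrase the input is a secret the server never sees. The Python below is an added example written for this page (not ElcomSoft's tool and not Chromium's Nigori code, of which the slide's formula is a simplification): it derives the key and MAC key with the stated PBKDF2-SHA1 parameters, then shows a record tagged under each configuration and which key verifies it. The key lengths, the use of HMAC-SHA256 as the MAC, and the way the passphrase replaces the default input are assumptions; the AES step that encrypts PasswordSpecificsData is not shown.

```python
"""Chrome sync key derivation per the slide, and what a custom passphrase changes.
Added example for this page; not ElcomSoft or Chromium code."""
import base64
import hashlib
import hmac

SALT = b"saltsalt"                # from the slide's formula
KEY_ITERATIONS = 1003             # Key    = pbkdf2_sha1(..., 1003)
MAC_ITERATIONS = 1004             # MacKey = pbkdf2_sha1(..., 1004)
KEY_LEN, MAC_KEY_LEN = 16, 32     # assumption: the slide states no lengths


def derive_sync_keys(secret: bytes):
    """Derive (encryption key, MAC key) from the PBKDF2 input string."""
    key = hashlib.pbkdf2_hmac("sha1", secret, SALT, KEY_ITERATIONS, KEY_LEN)
    mac_key = hashlib.pbkdf2_hmac("sha1", secret, SALT, MAC_ITERATIONS, MAC_KEY_LEN)
    return key, mac_key


def implicit_secret(server_encryption_key: bytes) -> bytes:
    """Default case from the slide: the input is base64(encryption_key), where
    encryption_key is the value returned by the sync server in GetUpdatesResponse."""
    return base64.b64encode(server_encryption_key)


def custom_secret(passphrase: str) -> bytes:
    """Custom-passphrase case (assumption): the input becomes the passphrase the
    user typed, which stays on the client."""
    return passphrase.encode("utf-8")


def mac_tag(mac_key: bytes, blob: bytes) -> bytes:
    """HMAC-SHA256 over the encrypted blob (MAC algorithm is an assumption)."""
    return hmac.new(mac_key, blob, hashlib.sha256).digest()


def mac_verifies(mac_key: bytes, blob: bytes, tag: bytes) -> bool:
    """Constant-time check of a stored tag against a candidate MAC key."""
    return hmac.compare_digest(mac_tag(mac_key, blob), tag)


def compare_protection() -> dict:
    """Show which key can verify a synced record under each configuration."""
    server_key = bytes(range(16))                      # constructed stand-in for encryption_key
    blob = b"<constructed ciphertext of PasswordSpecificsData>"
    _, server_mac_key = derive_sync_keys(implicit_secret(server_key))
    _, user_mac_key = derive_sync_keys(custom_secret("correct horse battery staple"))
    default_tag = mac_tag(server_mac_key, blob)        # record synced without a passphrase
    passphrase_tag = mac_tag(user_mac_key, blob)       # record synced with a passphrase
    return {
        "default: server-held key verifies": mac_verifies(server_mac_key, blob, default_tag),
        "passphrase: server-held key verifies": mac_verifies(server_mac_key, blob, passphrase_tag),
        "passphrase: user's key verifies": mac_verifies(user_mac_key, blob, passphrase_tag),
    }


if __name__ == "__main__":
    for case, ok in compare_protection().items():
        print(f"{case}: {ok}")
```

The middle result is the one that matters for the "Passphrase might be needed" note later in the deck: once a passphrase is set, the server-derived keys no longer verify or decrypt anything, which is why a custom sync passphrase is the one setting that keeps synced passwords out of an account-level acquisition.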
Google Dashboard: stats we can get
Account
email
number of Google API clients (sites and apps)
account time: personal, work, both
Activities in last 28 days: browsers and OSs that had access, locations, new apps and sites
Profile info
Google+ name
profile URL
number of phone numbers
number of "+1"
Gmail
number of mail threads
last thread subject
number of messages in inbox
last incoming message subject
number of sent mails
last sent mail subject
Search history (query+date)
last Web search
last image search
last news search
last video search
last maps search
last books search
activities for last 28 days
top 10 searches
percentage of searches by category (web, image etc.)
activity (by day)
Android
manufacturer, model
first authorization date/time
last activity date/time
apps that back up their data (name, date, size)
YouTube
number of videos and playlists loaded
user name
sex
last video rating (+video name and date)
activities for last 28 days
number of views, by day
total views
searches
likes and dislikes
Google Sync (non-Android devices)
number of bookmarks
last sync date
number of passwords
number of Chrome extensions
other
Google Authentication the easy way (OAuth 2.0)
Scopes:
Calendar: https://www.googleapis.com/auth/calendar.readonly
Contacts: https://www.googleapis.com/auth/contacts.readonly
User info: https://www.googleapis.com/auth/userinfo.profile
Chrome data: https://www.googleapis.com/auth/chromesync
Photos: https://picasaweb.google.com/data/
Google Drive: https://www.googleapis.com/auth/drive
Authentication: w/o browser
get loginCookies
https://accounts.google.com/ServiceLogin?hl=en-US&Email=<login>
Set-Cookie: GAPS=1:Y5AaGrgj-_VQrcWkpM6f75T6H8A:B2wnWWUI2DKLUWCd
Set-Cookie: GALX=EmxneFPdphD;Path=/;Secure
get client_id
POST https://accounts.google.com/ServiceLoginAuth
Cookie: GALX=[]
Set-Cookie: NID=[...]
Set-Cookie: SID=[...]
get refresh_token (by client_id, then by client_secret oauth_code)
https://accounts.google.com/o/oauth2/programmatic_auth?authuser=0
Set-Cookie: oauth_code=4/5xOmk7KEXG70-3cYAju66pp8sx1U4FyCIRWI_J1zQ
https://accounts.google.com/o/oauth2/token
{
"access_token" : "ya29.yAHuL5lPQW63Yn90hVETqe95ueyM8SpoqhyqPmy-hTywd4chkANfQTt0VNeTBMQhrkw",
"refresh_token" : "1/slXyWGQPs1IVI7t-VC3_VKWSWUYJONt1Ue8tRG-pc"
}
get access_token
https://accounts.google.com/o/oauth2/token HTTP/1.1
client_id=[...]&client_secret=[...]&grant_type=refresh_token&refresh_token=[...]&scope=[]
Google Takeout
Marketing:
Your account, your data. Export a copy.
Create an archive with your data from Google
products.
Reality:
Google Takeout exports data in a number of
different formats
Not all information is available
In fact, many types of data are not accessible via
Takeout
User receives a notification email
Google Takeout vs. Elcomsoft Cloud eXplorer
Service                        ECX   Takeout
User info                      +     +
Messages                       +     +
Contacts                       +     +
Notes (Google Keep)            +     +
Reminders                      -     -
Web history                    +     -
Chrome                         +     +
Media (Google Photo)           +     +
Calendars                      +     +
Google settings                +     -
Location history               +     +
Google Books                   -     +
Google Drive                   +     +
Email (Gmail)                  +     +
Android Cloud Backups          +
Google Wallet                  -     +
Google Play Music/Video/Apps   -     -
Google Tasks                   -     +
Google Bookmarks               -     +
Google Fit                     -     +
Authentication & data acquisition
Data | Authentication | Acquisition | Notes
User info | Google API | Google API (as Chromium) |
Contacts/calendars | Google API | Google API (as Chromium) |
Chrome sync | Google API | Google API (as Chromium) | Data returned as protobuf. Extracted: passwords, bookmarks, typed URLs, autofill, Chrome preferences, search engines, managed users. Passphrase might be needed.
Keep (notes) | Custom web-based | Undocumented API | Do not know how to get audio notes (no API)
Location history | Cookie-based | Single HTTP req. | Return: single KML file. No traces left
Dashboard | Cookie-based | protoJson | Cookies need to be refreshed every 30 minutes or so. No traces left
Photos | Google API or custom web-based | Undocumented JSONRPC (contact list), then Google API to get album list, then undocumented API to get URLs | Google+ (web based) authentication is preferred as far as it allows to get the user list. Also, the documented API does not return photo *originals*, but only given (fixed) sizes; a workaround exists (photos are still modified)
Hangouts | Custom web-based | protoJson | No traces left
How Hackers Get Passwords
Phishing
Brute-force attacks
e.g. iBrutr
(https://github.com/Pr0x13/iBrutr)
Reverse brute-force attacks
Password reset/recovery
Key loggers
Fake AP
Network sniffing
Social engineering
Password re-use
How LE Get Passwords
Same way as hackers
Surveillance
From suspect's PC or Mac
Direct access to cloud storage
Just ask
https://en.m.wikipedia.org/wiki/Rubber-hose_cryptanalysis
How to Protect Yourself?
Do not use clouds*
Get rid of or disable Google Mobile Services
Do not keep sensitive information on the smartphone*
Use 3rd party encryption apps**
Don't use devices sold by US carriers***
Avoid phishing
Think of physical security
Use a strong password
Change the password regularly
Pay attention to notification emails
Enable two-step verification
(*) Not actually possible
(**) Bad advice
(***) Get rid of the contract and lose carrier subsidies
How to Delete Data?
Service | Delete via API | Delete via service | Delete via settings
User info | + | + | +
Messages (Hangouts) | + | + | -
Contacts | + | + | -
Notes (Keep) | + | + | -
Web history | + | + | +
Chrome | + | + | +
Media (Google Photo) | + | + | -
Calendars | + | + | -
Google Settings | - | - | + (delete account)
Location history | ? | + | +
Google Books | ? | + | -
Google Drive | + | + | +
Gmail | + | + | +
Android Cloud Backups | - | + | +
Final Thoughts (mixed)
There's no privacy in the digital world
Security is a process, not software or technology
There's no silver bullet
Cloud means gov accessible
Most technologies are dual-use
Everybody should take care
Vendors won't protect you
What Google Knows About You
ElcomSoft Co. Ltd.
Nullcon 2016
Vladimir Katalov, ElcomSoft Co. Ltd.
http://www.elcomsoft.com
http://blog.crackpassword.com
Facebook: ElcomSoft
Twitter: @elcomsoft