Android Ice Cream Sandwich Browser Cookies (and other artefacts)

The Android browser traditionally had data structures that were distinctly Android; but as Alex Caithness explains, there are signs of convergence with another of Google’s pet projects…

I should probably start by explaining that Android has a delightful habit of naming its operating systems after desserts. The upside of this is that it’s quirky; the downside is that cake consumption in the lab increases by a significant factor.

Hence the name “Ice Cream Sandwich”.

Across previous versions of Android, the cookie storage format has remained unchanged: they have been neatly stored in the browser’s “databases” folder in the “cookies” table of the “webview.db” SQLite database; this appears to have changed in version 4.0 of Android AKA Ice Cream Sandwich (ICS).

Firstly, what is peculiar is that the “webview.db” file still contains the legacy “cookies” table, however in testing this was never populated. Instead, a new database named “webviewCookiesChromium.db” is used to store cookie data.

The name of the file gives us a big clue to the nature of the file – we’re seeing a convergence between the Android browser and Chromium (the browser upon which Google Chrome is built). Investigating the database confirms this; the schema and structure of data in this new database is identical to that of Chrome’s.

The great news for Dunk! users is that they can go right ahead and use the Google Chrome decoder on this file to parse and extract the cookies held.

There is also a second cookies database present in ICS named “webviewCookiesChromiumPrivate.db”. This database contains cookies transmitted while an “Incognito Tab” (the private browsing feature) is being used. The structure is identical to the other database; however, when the incognito tab is closed the file is truncated to 0 bytes.*

Further evidence of this convergence towards Chrome comes from the cache structure which, like the cookies, has moved to the same structure as is found in Chrome. For more details, take a look at http://www.chromium.org/developers/design-documents/network-stack/disk-cache.

*Although further research is required we anticipate that epilog will be able to recover these records from a raw dump of the flash chip!

Alex Caithness

R&D Team

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s