Google is pushing Android to make it a truly secure mobile OS. Mandatory encryption and secure boot make physical acquisition of new Android devices a dead end.

While securing physical devices against all types of attacks, Google continues moving stuff into the cloud. Interestingly, these activities no longer coincide with Android releases; Google can add cloud features later in the production cycle by updating Google Services on the user’s Android device. One such updated added the ability to sync call logs between Android devices by uploading data into the user’s Google Drive account. We researched the protocol and added the ability to extract synced call logs to Elcomsoft Cloud Explorer 1.20. This cloud acquisition could be the only way to extract call logs since all Android devices since Android 6.0 are shipped with full-disk encryption out of the box.

Google Service Updates: Google’s Answer to Missing Android Updates

The ability to extract call logs from the cloud appears a minor update. However, the thing is much more complex than it might seem. Unlike other major features, call log sync is not tied to any major version of Android other than using the cloud backup mechanism introduced in Android 6.0 as a back end. Instead, this feature showed up some time after Android 6.0 update started rolling out.

It’s no secret that many Android manufacturers skimp on Android updates, delaying or never delivering them to all but flagship devices. Even paying a lot of money for a flagship phone does not guarantee timely Android updates – or any updates at all. Some devices (e.g. SONY Xperia Z3) will never see Android 7.0 despite being just a couple years old.

Considering the current state of Android, Google can do little about it. What they can do, however, is further fragmenting the system by making certain components downloadable (and updatable) via Google Play Store. Chrome browser, Gmail, Calculator, Android Web View, the Play Store itself all receive regular (and timely) updates via Google Play Store.

Google Play Services is a major part of Android that also receives automatic updates via Play Store. It is these services that are responsible for receiving push notifications and syncing stuff with the cloud. One such update that most probably occurred sometime in April 2016 added automated synchronization of call logs to Android 6 devices. The logs are automatically uploaded to Google Drive, and restored after a factory reset. Obviously, Android 7.0 inherited this feature, and can also sync call logs with Google Drive.

Android 7.0: Mandatory Device Encryption, More Cloud Data

With the release of Android 7.0, Google updated Android Compatibility Document with a definite requirement: manufacturers certifying their Android devices for Google services are now required to enforce encryption out of the box. This requirement applies to all devices shipping with Android 7.0, as well as to those devices receiving Android 7. As an OTA update.

In addition to full-disk block-level encryption, Android 7 introduces file-level encryption. The fully encrypted data partition means that traditional acquisition methods become ineffective. Low-level acquisition methods such as JTAG, chip-off and ISP will be ineffective when acquiring phones running the latest version of Android.

While acquiring data from physical devices is getting more difficult, experts will start using cloud acquisition. Google collects massive amounts of information from its users, and stores it in the user’s Google Account. The amount of data being collected is increasing with every new version of Android. Android 6.0 introduced cloud backups, allowing apps to backup and restore data automatically into the user’s Google Account. Android 7.0 keeps lots of data in the cloud, including information such as call logs and Wi-Fi passwords, and possibly more (yet to explore).

If the user has Android 6.0 or 7.0 on their handset, Elcomsoft Cloud Explorer 1.20 will extract synced call logs from the user’s Google Account. In addition, Elcomsoft Cloud Explorer 1.20 extracts synced Wi-Fi passwords and SSID (that works for older versions of Android, too).

Elcomsoft Cloud Explorer 1.20 is available for immediate download.