APK Downgrade.

September 26, 2023

Learn how to execute APK Downgrade in Oxygen Forensic® Detective.

The Android ADB backup is one of the methods used to acquire evidence from unlocked Android devices. However, with this approach, investigators cannot extract data from the latest versions of applications, because the app providers do not include that data in the backup. As a result, a parsed Android backup will contain very few app artifacts.

Fortunately, there is a solution that is widely used in digital forensics – the APK Downgrade method. It allows the creation of backups that contain app data that was previously inaccessible using the Android ADB backup method. By temporarily downgrading a selection of apps to older versions, investigators have the ability to extract valuable user and app data.

Our APK Downgrade method is compatible with Android OS versions 5 to 13 and works on all of the supported device models, except Samsung devices with Android OS 12 and 13.

Currently, Oxygen Forensic® Detective supports APK downgrade for 46 applications, including WhatsApp, Facebook, Instagram, Twitter, Tinder, and many others.

Overall, the APK downgrade procedure includes four main steps:

  • Select which apps to downgrade from our list of supported applications
  • Make a copy of the original app APK files and downgrade the selected apps to older versions
  • Extract the app data
  • Restore APK files to their original state

Note: This method does not change app user data, so it is safe to use.

How to downgrade APK in Oxygen Forensic® Detective

Let’s take a closer look into exactly how to execute an APK downgrade in Oxygen Forensic® Detective.

Before starting, ensure the Android device is unlocked, fully charged, and in airplane mode. Once that is complete, select the “APK Downgrade” option in the Oxygen Forensic® Device Extractor.

Screenshot of Oxygen Forensic® Device Extractor window in Oxygen Forensic® Detective viewing the APK method in the Methods tab

Click “Extract data from applications” and connect a device. Once the device is detected, the software will scan it for installed apps and check which of them are supported by APK Downgrade:

Screenshot of the APK Downgrade method being run by the Device Extractor

Oxygen Forensic® Detective provides investigators the option to downgrade and extract data from all supported apps or just specific apps. From the list of available apps, investigators may select all the apps from which they would like data to be extracted.

Screenshot of choosing the apps that you want to downgrade and extract data from

Once the investigator has selected their apps of interest, the downgrading process begins. The software will save the original versions of the APK files and downgrade the selected app versions.

Note: Do not interact with the device during this time.

Screenshot of step 3 in the APK downgrade method loading as it extracts the selected app

To extract downgraded app data, an Android backup will be created.

Once the extraction is done, the software will automatically restore the original APK files.

Note: When restored, downgraded applications will not remain in the same location on the device Home Screen as they were before the APK downgrade.

Screenshot of step 4 in the APK downgrade method restoring the device by deleting the installed APK files without removing user data and restoring the original APK files

After the restoration is complete, investigators will be able to import and parse downgraded app data into Oxygen Forensic® Detective. At import, investigators will be required to enter the default 1234 password to decode the Android backup.

Screenshot of user entering the default password to decode the Android backup
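
Before import, an examiner can confirm that the acquired backup is password-protected and record its hash for the case notes. The following is an added example, not code from Oxygen Forensic® Detective; it assumes the extraction produces a standard Android backup (`.ab`) file with the AOSP text header, and the sample bytes are constructed.

```python
import hashlib
import io

MAGIC = b"ANDROID BACKUP"

def parse_ab_header(stream):
    """Parse the text header that precedes the payload of an .ab file."""
    def line():
        raw = stream.readline(1024)
        if not raw.endswith(b"\n"):
            raise ValueError("truncated backup header")
        return raw[:-1].decode("ascii")

    if line() != MAGIC.decode():
        raise ValueError("not an Android backup file")
    info = {
        "version": int(line()),
        "compressed": line() == "1",
        "encryption": line(),          # "none" or "AES-256"
    }
    if info["encryption"] == "AES-256":
        # Parameters needed to unlock the backup with the password.
        info["user_salt"] = bytes.fromhex(line())
        info["checksum_salt"] = bytes.fromhex(line())
        info["pbkdf2_rounds"] = int(line())
        info["user_iv"] = bytes.fromhex(line())
        info["master_key_blob"] = bytes.fromhex(line())
    elif info["encryption"] != "none":
        raise ValueError("unknown encryption: " + info["encryption"])
    info["payload_offset"] = stream.tell()
    return info

def describe_backup(data):
    """Header fields plus a SHA-256 of the whole file for the evidence log."""
    info = parse_ab_header(io.BytesIO(data))
    info["sha256"] = hashlib.sha256(data).hexdigest()
    return info

# Constructed sample: an encrypted, compressed version-5 header with
# placeholder hex fields, followed by dummy payload bytes.
PAYLOAD = b"\x00payload"
SAMPLE = b"\n".join([MAGIC, b"5", b"1", b"AES-256", b"11" * 64, b"22" * 64,
                     b"10000", b"33" * 16, b"44" * 96, b""]) + PAYLOAD

if __name__ == "__main__":
    report = describe_backup(SAMPLE)
    print(report["encryption"], report["pbkdf2_rounds"], report["sha256"])
```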

Once the backup is parsed, investigators will see all the decoded app data.

The APK downgrade is a safe and easy-to-use method that allows investigators to acquire valuable app evidence that wouldn’t normally be accessible using the classic Android ADB backup method.

Interested in this capability? Get a Free Trial.