Per-app private sandbox storing each app’s internal data (configs, databases, files, tokens) isolated by package.
/data/data
| Artifact / Path | What it contains | Typical Use Case |
|---|---|---|
| `/data/data/<pkg>/` | App private directory | Start point for any app investigation |
| `shared_prefs/*.xml` | App preferences, flags, tokens, configs | Find URLs, tokens, feature flags |
| `databases/*.db` | SQLite DBs (messages, logs, cache) | Extract chats, logs, exfil data |
| `files/` | App-created files | Payloads, configs, dropped files |
| `cache/` | Temporary cached data | Recover deleted / transient data |
| `code_cache/` | Compiled/intermediate code | Rare but useful for dynamic behavior |
| `lib/` | Native libraries (.so) | Reverse C2 / crypto in IDA |
| `no_backup/` | Data excluded from backups | Malware persistence configs |
| `app_webview/` | WebView storage (cookies, localStorage) | Tokens, session hijacking |
| `app_webview/Cookies` | SQLite cookie DB | Reuse sessions (like your Proton case) |
| `app_webview/Local Storage/` | Web local storage | API responses, identifiers |
| `databases/webview.db` | WebView DB | History, cached data |
| `shared_prefs/*firebase*` | Firebase configs/tokens | Identify cloud endpoints |
| `shared_prefs/*auth*` | Auth/session data | API replay / account access |
| `shared_prefs/*config*` | App configuration | May include hidden endpoints |
| `files/*.json` / `*.dat` | Custom config files | Decode C2 / settings |
| `files/Download/` | Downloaded content | Secondary malware |
| `files/logs/` | App logs | Timeline reconstruction |
| `databases/*.wal` / `*.shm` | SQLite write-ahead logs | Recover deleted/unsaved data |
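
The table above can be turned into a read-only inventory pass over an extracted copy of one app's directory. This is an added example, not part of the original page: the function names, category labels and sample tree are hypothetical, and the sidecar patterns use the `<db>-wal` / `<db>-shm` names that SQLite itself writes.

```python
import os
import tempfile
from fnmatch import fnmatchcase

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plain SQLite file
RULES = [  # patterns relative to /data/data/<pkg>/; first match wins, specific rules first
    ("app_webview/Cookies", "webview-cookies"), ("app_webview/*", "webview-storage"),
    ("databases/*-wal", "sqlite-sidecar"), ("databases/*-shm", "sqlite-sidecar"),
    ("databases/*", "sqlite-db"), ("shared_prefs/*firebase*", "prefs-firebase"),
    ("shared_prefs/*auth*", "prefs-auth"), ("shared_prefs/*config*", "prefs-config"),
    ("shared_prefs/*.xml", "prefs"), ("files/logs/*", "app-logs"),
    ("files/Download/*", "downloads"), ("files/*", "app-files"),
    ("no_backup/*", "no-backup"), ("cache/*", "cache"),
    ("code_cache/*", "code-cache"), ("lib/*", "native-lib"),
]

def triage(pkg_dir):
    """Inventory an extracted copy of one app's private directory (read-only)."""
    findings = []
    for dirpath, _dirs, files in os.walk(pkg_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, pkg_dir).replace(os.sep, "/")
            cat = next((c for pat, c in RULES if fnmatchcase(rel, pat)), "other")
            note = ""
            if cat in ("sqlite-db", "webview-cookies"):
                with open(full, "rb") as fh:  # header check only, no SQLite connection
                    if fh.read(16) != SQLITE_MAGIC:
                        note = "no SQLite header (encrypted or not a database)"
            elif cat == "sqlite-sidecar" and os.path.getsize(full) > 0:
                note = "non-empty sidecar: image it together with its database"
            findings.append((rel, cat, note))
    return sorted(findings)

def build_sample(root):  # constructed sample tree for a hypothetical package
    sample = {"databases/msgs.db": SQLITE_MAGIC + b"\0" * 84,
              "databases/msgs.db-wal": b"\x37\x7f\x06\x82" + b"\0" * 28,
              "databases/vault.db": b"\x9a" * 100, "files/logs/app.log": b"started\n",
              "shared_prefs/auth_state.xml": b"<map/>", "app_webview/Cookies": SQLITE_MAGIC}
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*triage(build_sample(tmp)), sep="\n")
```

Run it against a working copy of the evidence: opening a WAL-mode database with a SQLite client can checkpoint the write-ahead log and discard the pages the last table row refers to.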