As I continued to dig through "Turbo", I realized that I never looked up to see what system application it related to. Using the Google Play Store search, I found that it correlates to the Google Pixel Device Health Services.
https://play.google.com/store/apps/details?id=com.google.android.apps.turbo
In part one and part two of this little blog series I looked at battery levels of the phone itself as well as Bluetooth device battery levels and other related information. Those were in the databases folder, but we get even more great information from the shared preferences folder found at the following path:
data/data/com.google.android.apps.turbo/shared_prefs/app_usage_stats.xml
Opening the file, we can see some application names listed alongside a bunch of Unix Epoch timestamps.
Figure 1: Sampling of data in the "app_usage_stats.xml"
Since the sample data is pulled directly from Josh Hickman's Android 11 image, we can check to see what events occurred with each application at those specific times. Doing a quick conversion in CyberChef, it shows the following:
1601765910317 > 10/3/2020 22:58:30.317 UTC
1601765939116 > 10/3/2020 22:58:59.116 UTC
These line up pretty much exactly with what Josh documented for when he used the Telegram application on the same day (minus 4 hours for local timezone offset):
Figure 2: Telegram app usage from Josh Hickman's image creation
Let's look at another application to see what we can correlate. Here is what Google Maps shows in the "app_usage_stats.xml" file:
1601764099335 > 10/3/2020 22:28:19.335 UTC
1601768689375 > 10/3/2020 23:44:49.375 UTC
1601768794738 > 10/3/2020 23:46:34.738 UTC
And here are the matching actions taken from Josh's documentation:
Figure 3: Google Maps app usage from Josh Hickman's image creation
They are basically an exact match, give or take a few seconds. It would appear that Device Health Services is tracking all application usage for a certain period of time. Knowing a little more about the application, it gives estimates on how long your phone battery will last while it's being used, so it makes sense that application usage plays a big part.
Figure 4: Sample image of Device Health Services Battery usage
At the bottom of the XML file we also get start and end times in Unix Epoch signifying that we are only getting application usage for a certain period of time.
Figure 5: XML start and end times
Converted, these are as follows:
Start Time: 9/25/2020 19:41:54.750 UTC
End Time: 10/5/2020 19:42:10.301 UTC
These dates align with the first and last application dates parsed from the XML file as well. As always, you can now parse these application usage names and timestamps using the latest build of ALEAPP.
Figure 6: ALEAPP output of Device Health Services application usage
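A standalone sketch of the conversion and window check described above, added here as an example; it is not ALEAPP's code or the author's. The element layout, package names and the `start_time`/`end_time` names in the sample are assumptions (the figures are not reproduced in text), and the start/end millisecond values are computed back from the dates given above; the Telegram and Google Maps timestamps are the ones quoted in the post.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MS_EPOCH = re.compile(r"(?<!\d)\d{13}(?!\d)")  # 13 digits = ms epoch, 2001 to 2286

# Constructed sample: layout, package names and start/end key names are assumed.
SAMPLE = """<map>
    <string name="org.telegram.messenger">1601765910317,1601765939116</string>
    <string name="com.google.android.apps.maps">1601764099335,1601768689375,1601768794738</string>
    <long name="start_time" value="1601062914750" />
    <long name="end_time" value="1601926930301" />
</map>"""


def ms_to_utc(ms):
    """Epoch milliseconds -> ISO 8601 UTC string, without float rounding."""
    return (EPOCH + timedelta(milliseconds=ms)).isoformat(timespec="milliseconds")


def extract_timestamps(xml_text):
    """Return sorted (epoch_ms, utc_string, entry_name) for every ms timestamp found."""
    # Evidence files are untrusted input; shared_prefs XML never carries a DTD.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD/entity declaration in shared_prefs XML")
    rows = []
    for elem in ET.fromstring(xml_text).iter():
        name = elem.get("name", elem.tag)
        # Values may sit in element text (<string>) or a value attribute (<long>).
        haystack = " ".join(filter(None, (elem.text, elem.get("value"))))
        for match in MS_EPOCH.findall(haystack):
            rows.append((int(match), ms_to_utc(int(match)), name))
    return sorted(rows)


def outside_window(rows, start_ms, end_ms):
    """Entries falling outside the recorded start/end range (expected: none)."""
    return [r for r in rows if not start_ms <= r[0] <= end_ms]


if __name__ == "__main__":
    for ms, utc, name in extract_timestamps(SAMPLE):
        print(f"{utc}  {ms}  {name}")
```

Output is kept in UTC; apply the device's local offset (minus 4 hours in this image) only when comparing against locally documented actions.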