1 of 30

Photo Vaults Don't Work

DNSPRINCESS

2 of 30

whoami

  • Researcher @ Purdue
  • Chief Operating Officer @ CircleCityCon (you should go; it’s July 1-3, 2022)
  • Chief Operating Officer @ Practical Cyber
  • Team Lead @ a SOC you don’t care about
  • Hacker ☺

  • Probably nervous af… check status

3 of 30

You’re looking for an app to hide your stuff

4 of 30

What are Vault Apps?

  • Vault apps hide private files and photos on a mobile device
  • Typically, these are for p0rn
  • They are supposed to keep your legit “taxes” safe

  • Commonly used by kids to keep information away from parents (Duncan, Karabiyik, 2018)

5 of 30

Before I say they are useless…

  • Hiding content from an abusive source
  • “technology abuse”

  • Stop potential photo sharing issues
  • Keep pictures of needed documents with you at all times as a backup source

6 of 30

So what do these apps do?

    • You give the app access to your gallery
    • The app cuts and pastes (or moves) your photo
      • The distinction is important. Copy and paste will involve your clipboard
    • Your photo is removed from the gallery
    • There is some obfuscation or “security” that protects the app’s content
      • Typically a pin code

7 of 30

Sounds like anti-forensics

    • It’s anti-forensics lite
    • Intended to hide “interesting data” from others

    • NOT going to work for your illegal “taxes” or shady “business” from push-button forensics

8 of 30

My vault app project

  • First started in 2018 with fellow Purdue students Kayla Rux & Sid Chowdhury
  • iPhone, 5 apps
  • Normal photos
    • Taken in-app
    • Screenshot
    • From camera gallery to app
  • Could we find the photos?
    • yup

9 of 30

Methodology - who will find it?

  1. Swipe through the phone – Mom
  2. Navigate through device folders – Tech-savvy*
  3. Push-button forensics – Some LEO
  4. iPhone backup – Low-level hacker
  5. Bashing it around – Typical hacker

10 of 30

Other Researchers & their results

  • Duncan, M., & Karabiyik, U. (2018). Detection and recovery of anti-forensic (vault) applications on android devices.
  • Zhang, X., Baggili, I., & Breitinger, F. (2017). Breaking into the vault: Privacy, security and forensic analysis of Android vault applications. Computers & Security, 70, 516-531.

11 of 30

What’s your threat model?

  • Are you hiding from your mom?
  • The cops?
  • Someone who knows how to navigate a folder structure

  • This will determine if a vault app is right for you!

  • From here on out, we’re going to assume your threat is a cop who can’t do much technically but has automated tools and physical access to your phone

  • I’m not a lawyer, but don’t hand your powered-on phone to a law enforcement officer

12 of 30

Where do the photos come from?

  • Manual selection; pick your photos to put in the vault
  • Store & save; select the vault app as the download location, use the camera
  • Automatic & scanning; scans your gallery for photos and moves them for you
    • They encrypt your photos so that even if they are discovered, they should be unreadable

13 of 30

Manual move

Manual move will protect you against someone who isn’t trying to find your photos, like your mom scrolling through your gallery after you show her a picture

“it’s not there anymore”

The file names are barely changed, and there’s a copy artifact left.

A thumbnail may have been made

14 of 30

The most common method is manual – you pick the photos

  • The photo originates in your gallery, and you move the photos into the app.
  • Calculator Plus is a very common vault app that hides behind a calculator program until a PIN is typed in

  • This will defeat “Mom” from seeing your “taxes”

15 of 30

Results from Apps

16 of 30

Data can be reconstructed without logging into the app

  • Of the 18 Android photo vault apps they tested, Zhang, Baggili, and Breitinger were able to reconstruct data from all but 2.
  • Popular app KeepSafe stored the password in cleartext in com.kii.safe_preferences.xml in the shared_prefs folder.

17 of 30

Free and low-quality apps

  • No “encryption”
  • PIN for app is stored in plaintext
  • Literally just a new folder to store data

18 of 30

Calculator app

  • The cleartext password is stored in a folder under com.calculator.vault/files/ in an XML file called mpass.
  • This is common among vault apps and isn’t unique. In the previously mentioned apps that require a PIN or password, this information is stored as plaintext.
  • More photos are created when a thumbnail is made

19 of 30

Thumbnails are not your friend!

20 of 30

List of unencrypted apps (Android)

    • AppLock
    • Audio Manager
    • SecretAppLock
    • Pic Lock
    • HidePhoto
    • Calculator

21 of 30

iPhone apps

  • Calculator Plus, Private Photo Vault, KeepSafe, and Calculator+
  • These iPhone apps forked over every bit of data that was “hidden” after imaging the phone
  • 100% of images were found
  • The PIN of Private Photo Vault was found
  • There was no proper encryption

22 of 30

Android Photo Vaults

  • From Duncan and Karabiyik:
    • From the case studies with the different devices and a total of sixty-four applications, it is determined that 100% of the vault applications can be detected, even on unrooted devices. On fully rooted and semi-rooted devices, it is possible to not only detect 100% of the applications, but it is also possible to recover hidden files that were uploaded to the vault applications by the user

Over 60 vault apps were tested on regular and rooted phones

23 of 30

Audio Manager example

This vault application disguised itself as an audio manager on the device. Once a user holds a tap on the logo at the top of the screen, the real application is activated. Audio manager stored unencrypted photos and videos separately in the subfolder New Album of folder Pictures and Videos under /sdcard/ProgramData/Android/Language/.fr/.

Also, the cleartext password was found in tag password of XML file com.hideitpro_preferences.xml in shared_prefs. Note that New Album is the default name of the album storing the hidden files, which may be customized by users.

Zhang, Baggili, & Breitinger, 2017

24 of 30

Example of shady stuff

  • Pick Lock: Did not encrypt photos, just moved them to a hidden folder /sdcard/.AndroidLibs/(some rand hash)/.SafeBox 1

  • Secret AppLock: The password labeled PIN is found in ApplockPreferences.xml
  • Photos are simply found in /sdcard/.hackImages
  • HackImages gives me the creeps
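The two failure patterns on this and the preceding slides (a PIN sitting in cleartext in a shared_prefs XML file, and photos parked unencrypted in a hidden dot-folder) are the kind of thing an app developer or tester should be checking for in their own app's data directory before shipping. The script below is an added Python example, not code from the talk or from any of the papers or apps it names. The package name com.example.vault, the folder names under sdcard/ and the sample files are constructed stand-ins for the artifacts described; the key regex is a heuristic and will over-match on names like "mapping".

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Keys in shared_prefs XML that suggest a credential is being stored (heuristic).
SECRET_KEY_RE = re.compile(r"pass|pin|secret|mpass", re.IGNORECASE)

# File headers for image formats we care about; a vault that renames .jpg to .dat
# still leaves these bytes at offset 0.
IMAGE_MAGICS = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def find_cleartext_secrets(root):
    """Return (relative xml path, key, value) for every <string> entry in any
    shared_prefs/*.xml whose key looks like a password or PIN."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "shared_prefs":
            continue
        for name in sorted(files):
            if not name.endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                prefs = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # not a well-formed preferences file; skip it
            for entry in prefs:
                key = entry.get("name", "")
                if entry.tag == "string" and SECRET_KEY_RE.search(key):
                    hits.append((os.path.relpath(path, root), key, entry.text or ""))
    return sorted(hits)


def find_hidden_images(root):
    """Return (relative path, format) for files that sit under a dot-directory
    and start with a JPEG or PNG header, whatever their extension says."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        if not any(p.startswith(".") for p in parts):
            continue
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(8)
            for magic, fmt in IMAGE_MAGICS.items():
                if head.startswith(magic):
                    found.append((os.path.relpath(path, root), fmt))
                    break
    return sorted(found)


def build_sample_tree(base):
    """Constructed sample export (assumption, not a real device image): one vault
    app with a plaintext PIN and one renamed JPEG in a hidden folder, plus control
    files that must not be reported."""
    prefs_dir = os.path.join(base, "data", "data", "com.example.vault", "shared_prefs")
    os.makedirs(prefs_dir)
    with open(os.path.join(prefs_dir, "com.example.vault_preferences.xml"), "w") as fh:
        fh.write(
            "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"
            "<map>\n"
            "  <string name=\"theme\">dark</string>\n"
            "  <string name=\"password\">1234</string>\n"
            "  <boolean name=\"first_run\" value=\"false\" />\n"
            "</map>\n"
        )
    hidden = os.path.join(base, "sdcard", ".hiddenlibs", "a1b2c3", ".SafeBox")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "photo_001.dat"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG header, renamed file
    with open(os.path.join(hidden, "notes.txt"), "w") as fh:
        fh.write("not an image\n")  # hidden, but not an image: ignored
    visible = os.path.join(base, "sdcard", "DCIM")
    os.makedirs(visible)
    with open(os.path.join(visible, "visible.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # in the gallery, not hidden


def audit_sample():
    """Build the constructed tree in a temp dir and audit it; returns both lists."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {
            "secrets": find_cleartext_secrets(base),
            "hidden_images": find_hidden_images(base),
        }


if __name__ == "__main__":
    for kind, items in audit_sample().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Pointing find_cleartext_secrets and find_hidden_images at a real export instead of the constructed tree is the whole change; a clean result from an app that claims to encrypt is the minimum bar, and a hit on either list is exactly the "obfuscation, not security" finding the slides describe.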

25 of 30

Enchanted cloud (Private Photo Vault)

  • Both on iOS and Android
  • In iOS the data is stored in a local XML file (like most) and is recovered by logical and physical analysis.
  • In Android you can view the files directly in the folder /data/data/com.enchantedcloud.photovault/files/media/orig
  • iPhone/mobile/Containers/Data/Application/com.enchantedcloud.photovault/Library/encryptionTestFile.txt
  • Apps like these are relying on obfuscation

26 of 30

Summary

  • Where there are photos there is “evidence”
  • The transport of photos can be problematic, because the app doesn’t account for it.
  • Apps can fail to deliver on their promises
  • Apps can be at fault for not securing the database for the app
  • Apps can have very basic protections that won’t hold up
  • Apps can be compromised by having their PIN or secret questions revealed
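The "PIN or secret revealed" failure in this summary, and the cleartext PINs found on slides 16, 18, 23 and 24, come down to one storage decision: writing the PIN itself to disk instead of a verifier that can only be tested against. The block below is an added Python example contrasting the two, not code from the talk or from any app it names. The file layout imitates Android's shared_prefs <map> XML; the entry names pin_salt and pin_verifier and the scrypt work-factor parameters are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# scrypt work factor (example's own choice): N=2**14 costs tens of ms per guess
# and 16 MiB of memory, which is fine for one check at unlock time.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
XML_HEADER = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n"


def _to_xml(entries):
    """Serialise name->value pairs in the Android shared_prefs <map> layout."""
    root = ET.Element("map")
    for name, value in entries.items():
        el = ET.SubElement(root, "string", name=name)
        el.text = value
    return XML_HEADER + ET.tostring(root, encoding="unicode")


def _from_xml(xml_text):
    """Parse a shared_prefs-style file back into a name->value dict."""
    return {el.get("name"): (el.text or "") for el in ET.fromstring(xml_text.encode("utf-8"))}


def _kdf(pin, salt):
    return hashlib.scrypt(pin.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def store_pin_plaintext(pin):
    """The pattern the talk finds in the wild: the PIN itself lands in the file."""
    return _to_xml({"password": pin})


def store_pin_verifier(pin, salt=None):
    """Hardened pattern: store a random salt and a slow salted hash of the PIN.
    The PIN cannot be read back from the file, only tested against it."""
    salt = os.urandom(16) if salt is None else salt
    return _to_xml({
        "pin_salt": base64.b64encode(salt).decode("ascii"),
        "pin_verifier": base64.b64encode(_kdf(pin, salt)).decode("ascii"),
    })


def pin_readable_from_xml(xml_text):
    """What anyone with file-system access gets for free: the 'password'
    entry if one exists, else None."""
    return _from_xml(xml_text).get("password")


def verify_pin(xml_text, candidate):
    """Recompute the verifier for `candidate` and compare in constant time."""
    entries = _from_xml(xml_text)
    salt = base64.b64decode(entries["pin_salt"])
    expected = base64.b64decode(entries["pin_verifier"])
    return hmac.compare_digest(_kdf(candidate, salt), expected)


if __name__ == "__main__":
    weak = store_pin_plaintext("2468")
    strong = store_pin_verifier("2468")
    print("weak file leaks PIN:", pin_readable_from_xml(weak))
    print("hardened file leaks PIN:", pin_readable_from_xml(strong))
    print("hardened file still unlocks with right PIN:", verify_pin(strong, "2468"))
    print("hardened file rejects wrong PIN:", verify_pin(strong, "2469"))
```

A verifier removes the read-it-off-the-disk problem but does nothing about a short keyspace: a 4-digit PIN has only 10,000 values, so the device-level controls on the later slides (wipe after failed attempts, autolock) are what actually bound guessing, and the photos themselves still need real encryption rather than a renamed folder.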

27 of 30

Asked: Which app was the best?

  • Alissa’s answer: None, don’t rely on an app

Real answer: Keeper doesn’t store locally, and its code is obfuscated to prevent reverse engineering

Coverme is the most difficult to reverse engineer.

Coverme [ws.coverme.im] could not be recovered by Zhang, Baggili, and Breitinger

Triple encryption; three different keys are created.

Brute force is the only way to unlock; the password has a maximum of 16 characters

Gilbert didn’t look at Android, Karabiyik and Duncan didn’t analyze this app

28 of 30

What to do instead…?

  • You don’t need a vault app
  • Use built in folder and file system
    • Make sure it’s encrypted
    • Preferably download to the folder directly, or have the photo save there from camera
    • OR Manually move the photos
      • Clear cache, clear clipboard, and restart
    • Use secured folders (Google – AES256)
    • Samsung Knox Secure Folder
    • Don’t trust your secrets to an app!
    • Encrypt your data, maybe done by your phone by default

29 of 30

Better advice

Set your phone to wipe data after a number of incorrect login attempts

Set your phone to autolock

Don’t use smart unlock by Bluetooth

Don’t “hide” photos in the iPhone gallery – not enough

Don’t tell others you’re doing that or they’ll go snooping

Don’t store locally; use cloud storage and a viewer. Google Drive is acceptable*

* unless you’re hiding from Google, in which case: SpiderOak (Android, local)

30 of 30

@purdue.edu · alissa@dnsprincess.com · @practicalcyber.com