Photo Vaults Don't Work
DNSPRINCESS
whoami
You’re looking for an app to hide your stuff
What are Vault Apps?
Before I say they are useless…
So what do these apps do?
Sounds like anti-forensics
My vault app project
Methodology - who will find it?
Other Researchers & their results
What’s your threat model?
Where do the photos come from?
Manual move
A manual move will protect you against someone who isn’t trying to find your photos, like your mom scrolling through your gallery after you show her a picture.
“it’s not there anymore”
The file names are barely changed, and there’s a copy artifact left.
A thumbnail may have been made
The most common method is manual – you pick the photos
Results from Apps
Data can be reconstructed without logging into the app
Free and low-quality apps
Calculator app
Thumbnails are not your friend!
List of unencrypted apps (Android)
iPhone apps
Android Photo Vaults
Over 60 vault apps were tested on regular and rooted phones
Audio Manager example
This vault application disguised itself as an audio manager on the device. Once a user holds a tap on the logo at the top of the screen, the real application is activated. Audio manager stored unencrypted photos and videos separately in the subfolder New Album of folder Pictures and Videos under /sdcard/ProgramData/Android/Language/.fr/.
Also, the cleartext password was found in tag password of XML file com.hideitpro_preferences.xml in shared_prefs. Note that New Album is the default name of the album storing the hidden files, which may be customized by users.
Zhang, Baggili, & Breitinger, 2017
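The Audio Manager finding above (media left in cleartext under a dot-folder, plus the password sitting in a shared_prefs XML file) and the earlier point that a manual move leaves copies and thumbnails behind are both things you can check for yourself before trusting a vault app. The following audit script is an added example written for this page; it is not code from the talk or from the Zhang, Baggili, and Breitinger paper. It builds a constructed, throwaway directory tree that mimics the layout described on the slides (the /sdcard/ProgramData/Android/Language/.fr/ path and the com.hideitpro_preferences.xml file name are taken from the talk; the file contents and the DCIM/.thumbnails cache are made up), then checks whether the "hidden" files still carry recognizable media headers or have the low byte entropy of unencrypted data, and whether the preferences file stores a secret in cleartext. It assumes the standard Android shared_prefs format (`<map><string name="...">value</string></map>`) and, to stay on the defensive side, reports only that a cleartext secret exists and its length, never the value itself.

```python
import math
import os
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter

# Magic bytes of common media containers. A vault that really encrypts its
# contents should not leave files on disk that still start with these.
MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF8": "GIF",
}

# shared_prefs keys whose value should never be stored in the clear.
SECRET_KEYS = {"password", "pin", "passcode", "pattern"}


def identify_media(head: bytes):
    """Return the media type if the file header is recognizable, else None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    if head[4:8] == b"ftyp":  # ISO base media (MP4/MOV) 'ftyp' box at offset 4
        return "MP4/MOV"
    return None


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data is close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_dir(root):
    """Walk root and flag files that are cleartext media or low-entropy data."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(4096)
            kind = identify_media(head)
            if kind is not None:
                findings.append((path, f"cleartext {kind}"))
            elif entropy(head) < 7.0:
                findings.append((path, f"low entropy ({entropy(head):.2f} bits/byte)"))
    return findings


def find_plaintext_secrets(prefs_xml_path):
    """Report (key, value_length) for secret-looking keys stored in cleartext.

    Assumes the Android shared_prefs layout: <map><string name="k">v</string></map>.
    The value itself is deliberately not returned.
    """
    hits = []
    for el in ET.parse(prefs_xml_path).getroot():
        name = el.get("name", "")
        value = (el.text or "").strip()
        if name.lower() in SECRET_KEYS and value:
            hits.append((name, len(value)))
    return hits


def run_audit(root, media_dirs, prefs_file):
    cleartext = {}
    for d in media_dirs:
        for path, verdict in scan_dir(os.path.join(root, d)):
            cleartext[os.path.relpath(path, root)] = verdict
    return {"cleartext": cleartext,
            "secrets": find_plaintext_secrets(os.path.join(root, prefs_file))}


def build_fixture():
    """Constructed sample data: a fake /sdcard with the layout from the talk."""
    root = tempfile.mkdtemp(prefix="vault_audit_")
    hidden = os.path.join(root, "ProgramData", "Android", "Language", ".fr", "New Album")
    thumbs = os.path.join(root, "DCIM", ".thumbnails")  # gallery thumbnail cache (assumed)
    prefs = os.path.join(root, "shared_prefs")           # really lives under /data/data/<pkg>/
    for d in (hidden, thumbs, prefs):
        os.makedirs(d)
    with open(os.path.join(hidden, "IMG_0001.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 256)      # JPEG header + padding
    with open(os.path.join(thumbs, "1234.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)       # leftover thumbnail
    with open(os.path.join(hidden, "enc.bin"), "wb") as f:
        f.write(os.urandom(4096))                         # what real encryption looks like
    with open(os.path.join(prefs, "com.hideitpro_preferences.xml"), "w") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '  <string name="password">1234</string>\n'
                '  <boolean name="first_run" value="false" />\n</map>\n')
    return root


def demo():
    root = build_fixture()
    return run_audit(root, ["ProgramData", "DCIM"],
                     os.path.join("shared_prefs", "com.hideitpro_preferences.xml"))


if __name__ == "__main__":
    for path, verdict in demo()["cleartext"].items():
        print(f"{verdict:28s} {path}")
    for key, length in demo()["secrets"]:
        print(f"cleartext secret in prefs: key={key} ({length} chars)")
```

On a real device the same checks run against a pulled copy of the app's storage and shared_prefs directory; a vault that passes them (no recognizable headers, near-8.0 entropy, no secret keys with cleartext values) at least clears the bar that the apps on the "unencrypted" list fail.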
Example of shady stuff
Enchanted cloud (Private Photo Vault)
Summary
Asked: Which app was the best?
Real answer: Keeper doesn’t store locally, code is obfuscated to prevent RE
Coverme is the most difficult to reverse engineer.
Zhang, Baggili, and Breitinger were not able to recover data from Coverme [ws.coverme.im]
Triple encryption, three different keys are created.
Brute force is the only way to unlock; the password has a maximum of 16 characters
Gilbert didn’t look at Android, Karabiyik and Duncan didn’t analyze this app
What to do instead…?
Better advice
Set your phone to wipe its data after a set number of incorrect login attempts
Set your phone to autolock
Don’t use smart unlock by Bluetooth
Don’t “hide” photos in iPhone gallery – not enough
Don’t tell others you’re doing that or they’ll go snooping
Don’t store locally; use cloud storage and a viewer. Google Drive is acceptable*
* unless you’re hiding from Google, in which case: SpiderOak (Android, local)
@purdue.edu | alissa@dnsprincess.com | @practicalcyber.com