Analysis of a Vault App

Michael Robinson

15 November 2015

Vault Apps

On November 6, 2015 an article appeared in The New York Times regarding a sexting ring, which occurred at Cañon City High School in Colorado. The superintendent of the school system stated that between 300 and 400 nude photos were being circulated among students' cell phones and the images included "over 100 different kids." The persons in the images were believed to be students at the high school as well as eighth graders from the middle school (Cloos and Turkewitz, 2015). The students appeared to be using vault apps to hide the images on their mobile devices.

While the news story raises concerns about the judgment of the involved students, issues of child pornography, and how the district attorney will pursue charges against the participating minors, the story brings to light a technical issue: how vault apps work and what can be recovered from them.

Vault apps impersonate legitimate apps on a mobile device and provide a hidden vault in which a user can store photos, files, and other data. Access to the vault is protected by a user-assigned password. A casual observer who examines the phone would see the app's façade and find it to be a legitimately functioning app, such as a calculator. The observer would not be aware of the hidden contents or be permitted access to the vault without entering the correct password.

Vault apps can be used for the legitimate purpose of protecting sensitive information, but they can also be used for purposes of hiding illicit or illegal pictures, conducting corporate espionage, etc. There are numerous vault apps in Apple's App Store and Google Play, which include Secret Photo+Video Vault - The Ultimate Private Photo & Video Manager by Zero Cool, Secret Calculator Folder Free - Private photo video album manager protection by One Wave AB, and Vault-Hide SMS, Pics & Videos by NQ Mobile Security.

The following are results of an analysis of the vault app named Secret Calculator Folder Free - Private photo video album manager protection. The analysis was performed to:

• Determine what information could be recovered regarding the app's installation.

• Identify hidden information within the vault app, which could be recovered after a forensic acquisition was performed.



Installation of Secret Calculator Folder Free - Private photo video album protection

The iOS app Secret Calculator Folder Free - Private photo video album protection was installed and used on an iPhone. Table 1 contains the details of the installation. After installation and usage of the vault app, the iPhone was visually inspected and a forensic acquisition was performed.

Mobile device    Apple iPhone 5S
Mobile OS        iOS 9.1, non-jailbroken [1]
App name         Secret Calculator Folder Free - Private photo video album protection
App Developer    One Wave AB
App Version      Both the free and paid versions were tested
Forensic tool    Cellebrite UFED Physical Analyzer

Table 1: Details of installation of vault app

After the free version of the app was installed on the iPhone, the following actions were performed:

1. The password 159753 was assigned to the vault app.
2. A photo album was created in the vault app.
3. Three pictures were taken and stored directly within the album in the vault app. The pictures were not saved to any other location.
4. Contact information for one individual was stored in the vault app.
5. Notes were stored in the vault app.
6. Credentials for a website were stored in the vault app.
7. A file was transferred to the vault app using iTunes.
8. A forensic acquisition was performed of the iPhone.
9. The vault app was upgraded from the free version to the commercial version.
10. Two new photo albums were created in the vault app.
11. Three new pictures were taken: two new pictures were stored in one of the new albums; one new picture was stored in the other new album. The pictures were not saved to any other location.
12. A website was visited using the vault app's secure browsing feature.
13. A forensic acquisition of the iPhone was performed.

Observed artifacts from installation of vault app

Vault apps may impersonate a variety of legitimate apps. Secret Calculator Folder Free - Private photo video album manager protection poses as a working calculator. Figure 1a displays the icon associated with Apple's official calculator, which is located within the "Extras" container. Figure 1b displays the icon associated with Secret Calculator Folder Free.

[1] By using a non-jailbroken iPhone, Apple's native security remained intact and was not circumvented.




Figure 1a: Apple's legitimate calculator contained within "Extras"

Figure 1b: Icon for installed vault app, which used the name Calculator+

Upon launching the vault app, a functioning calculator is displayed, as shown in Figure 2.

Figure 2: Calculator+ user interface




To enter the vault, the user-assigned password followed by the percent symbol (%) must be typed into the app.

In addition to the icon being displayed on the user interface, iOS retained additional information regarding the vault app just as the operating system did with all installed applications. The history of the installed vault app appeared in the list of apps under AppStore > Updates > All. This is shown in Figure 3.

Figure 3: List of all installed purchases on the iPhone including the vault app

When examining the list of installed apps, the app's name as it appeared in the App Store was displayed. The name used with the app's icon, i.e., Calculator+, which appeared in Figure 1b, was not listed.

Within the "Settings" area of iOS, additional information was retained regarding the vault app. Examination of the permissions assigned to the app, which appears in Figure 3a, showed the app was able to access both the camera and cellular data. These permissions would be atypical for a calculator app.

By going to Settings > General > Storage & iCloud Usage > Storage - Manage Storage > CALCULATOR+, the size of the app and the amount of data stored by the app were displayed. After three pictures and some trivial data were hidden in the vault, the amount of data displayed by the app was 4.2MB as identified by iOS. This is shown in Figure 3b.
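
The indicators described above (an icon name that differs from the App Store name, camera and cellular data permissions on a calculator, and megabytes of stored data) can be combined into a triage check over an app inventory. This is an added example, not part of the original analysis; the record layout, keyword lists and 1 MB threshold are assumptions, and the sample records are constructed (the Calculator+ values mirror those reported above).

```python
from dataclasses import dataclass

# Assumed keyword lists and threshold; tune them for the case at hand.
UTILITY_HINTS = ("calculator", "calc")
VAULT_HINTS = ("secret", "vault", "private", "hide")
ATYPICAL_PERMS = {"camera", "cellular_data"}   # unusual for a calculator
DATA_THRESHOLD = 1_000_000                     # bytes

@dataclass
class AppRecord:                 # hypothetical inventory record
    icon_name: str               # name shown under the home-screen icon
    store_name: str              # name as listed in the App Store
    permissions: frozenset       # permissions shown in Settings
    data_bytes: int              # data size reported by iOS storage view

def triage(app):
    """Return the reasons an app posing as a utility merits examination."""
    if not any(h in app.icon_name.lower() for h in UTILITY_HINTS):
        return []                # only utility-looking icons are scored
    reasons = []
    if any(h in app.store_name.lower() for h in VAULT_HINTS):
        reasons.append("App Store name suggests a vault behind a utility icon")
    odd = sorted(app.permissions & ATYPICAL_PERMS)
    if odd:
        reasons.append("atypical permissions: " + ", ".join(odd))
    if app.data_bytes > DATA_THRESHOLD:
        reasons.append("stored data: %.1f MB" % (app.data_bytes / 1e6))
    return reasons

# Constructed sample inventory; Calculator+ values mirror the findings above.
INVENTORY = [
    AppRecord("Calculator", "Calculator", frozenset(), 20_000),
    AppRecord("Calculator+",
              "Secret Calculator Folder Free - Private photo video album manager protection",
              frozenset({"camera", "cellular_data"}), 4_200_000),
]

def flagged(inventory):
    """Map icon name -> reasons for every app with at least one indicator."""
    return {a.icon_name: r for a in inventory if (r := triage(a))}

if __name__ == "__main__":
    for name, reasons in flagged(INVENTORY).items():
        print(name, "->", "; ".join(reasons))
```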




Figure 3a: Permissions for the vault app

Figure 3b: Vault app's storage

After loading data in the vault app, the app was closed. The home button was double tapped on the iPhone to load the app switcher. The results of this action are displayed in Figure 5. Rather than displaying the last screen shown in the vault app, which would have been one of the hidden pictures, the app switcher displayed a screen capture of the app's working calculator.

Figure 5: App switcher display of vault app


