Authors: Gokila Dorai (Augusta University), Sudhir Aggarwal (Florida State University), Neet Patel (Florida State University), and Charisa Powell (Florida State University)
DFRWS USA 2020
Content hiding (or vault) apps are a class of applications that allow users to hide photos, videos, documents and other content securely. A subclass of these applications called decoy apps further supports secret hiding by having a mode which mimics standard apps such as calculators but can turn into a vault app through entering a specific input. In this work we focus on iOS devices and first describe how to identify content hiding applications from the App Store. We consider not only the US Store but also give results for App Stores in Russia, India and China. We show an effective and very fast identification of content hiding apps through a two-phase process: initial categorization using keywords followed by more precise binary classification. We next turn to understanding the behavior and features of these vault apps and how to extract the hidden information from artifacts of the app’s stored data. Based on this work, we have designed and built a fully automated vault app identification and extraction system that first identifies and then extracts the hidden data from the apps on an iOS smartphone. Using our vault identification and data extraction system (VIDE), law enforcement investigators can more easily identify and extract data from such apps as needed. Although vault apps are removed regularly from the App Store, VIDE can still identify removed apps as our system continues to maintain information on such apps in our vault database.