VIDE - Vault App Identification and Extraction System for iOS Devices

Abstract

Content hiding (or vault) apps are a class of applications that allow users to hide photos, videos, documents and other content securely. A subclass of these applications called decoy apps further supports secret hiding by having a mode which mimics standard apps such as calculators but can turn into a vault app through entering a specific input. In this work we focus on iOS devices and first describe how to identify content hiding applications from the App Store. We consider not only the US Store but also give results for App Stores in Russia, India and China. We show an effective and very fast identification of content hiding apps through a two-phase process: initial categorization using keywords followed by more precise binary classification. We next turn to understanding the behavior and features of these vault apps and how to extract the hidden information from artifacts of the app's stored data. Based on this work, we have designed and built a fully automated vault app identification and extraction system that first identifies and then extracts the hidden data from the apps on an iOS smartphone. Using our vault identification and data extraction system (VIDE), law enforcement investigators can more easily identify and extract data from such apps as needed. Although vault apps are removed regularly from the App Store, VIDE can still identify removed apps as our system continues to maintain information on such apps in our vault database.
