Identification and Extraction of Content-hiding iOS Applications

by Dr. Gokila Dorai

Abstract

Content hiding (or vault) apps are a class of applications that allow users to hide photos, videos, documents, and other content securely. A subclass of these applications, called decoy apps, further supports secret hiding by having a mode that mimics standard apps such as calculators but can turn into a vault app when a specific input is entered. In this work, we focus on iOS devices and first describe how to identify content hiding applications from the App Store. We consider not only the US Store but also give results for App Stores in Russia, India, and China. We demonstrate effective and very fast identification of content hiding apps through a two-phase process: initial categorization using keywords followed by more precise binary classification. We next turn to understanding the behavior and features of these vault apps and how to extract the hidden information from artifacts of the app’s stored data. Based on this work, we have designed and built a fully automated vault-app identification and extraction system that first identifies and then extracts the hidden data from the apps on an iOS smartphone. Using our vault identification and data extraction system (VIDE), law enforcement investigators can more easily identify and extract data from such apps as needed. Although vault apps are removed regularly from the App Store, VIDE can still identify removed apps because our system continues to maintain information on such apps in our vault database.

Author Bio

Gokila Dorai received a Ph.D. degree in Computer Science from Florida State University in December 2019. Her research is in the field of digital forensics tool development for mobile and IoT devices using machine learning and AI. She has collaborated with internal and external organizations including the National Institute of Justice and law enforcement agencies.

School of Computer and Cyber Sciences, Augusta University