Media vault apps are an interesting niche in the mobile app market – there’s a lot of them out there, and they often describe (in grandiose terms) just how securely they handle your data. They encourage users to trust them with their most sensitive media and so their appeal for use with illegal content is unsurprising.
In a law enforcement context, there are certain types of investigations, such those involving CSAM, where their presence on a device can be crucial evidence. I encountered them as an examiner, and as I embarked on the world of mobile app reversing last year discovered they could be an excellent learning aide as well.
The Difference With Media Vault Apps
What is it that makes these apps different? Unlike other app genres where cryptography is expected (which have only become more commercialized over the years) many popular vault apps were created by indie developers – either individuals or very small companies – who likely don’t have much experience implementing sound cryptography. This can lead to various outcomes; the most disappointing of which being the app doesn’t encrypt media at all.
Another possibility is that the app does encrypt, but relies on using a third-party library to do so. These libraries can actually be pretty secure, but don’t always provide any specific guidance on how to address critical elements such as key storage, derivation of a user’s PIN/password into an encryption key of the appropriate length, and so on. So developers tend to search the internet for an easy answer. A hash (or “digest”) function like SHA-256 is a convenient solution because it translates input data of any length into a 32 byte output which is the size needed for AES. The problem there is that computers have gotten really efficient at computing SHA256 digests! So much so that you can perform huge numbers of them in a very short time. If you couple that with questionable design decisions (such as limiting PINs to be a max of 4 digit numeric, a keyspace of only 10,000) and you’ve got yourself one highly vulnerable cryptographic implementation.
(For your inner geek, a common mitigation for this is to perform the digest function repeatedly on itself along with some salt. The number of times it is repeated can be adjusted by the developer. It can be anywhere from a few thousand to hundreds of thousands of times. In sufficient numbers, this can bring bruteforcing speeds to a crawl, without creating any unreasonable delay on a single attempt for legitimate users just trying to authenticate. See PBKDF2 on Wikipedia for more details).
No Encryption Key or PIN Required When Using AXIOM 4.0 or Higher
In April, as the world descended into pandemic-related madness, I connected with a customer in law enforcement working a file involving an extraction from an iPhone. The examiner had located a large number of images and videos encrypted using Private Photo Vault (PPV). The media was strongly believed to be CSAM as the many album titles were not encrypted. In this case, the device keychain didn’t store the full encryption key, so additional reversing work would be needed if the examination were to move forward.
When I wrote my blog last spring, I speculated it may be possible to decrypt the media without any keychain content at all. This particular case provided ample motivation to see whether that hypothesis was accurate. If you read our AXIOM release notes, you may already know the outcome! Private Photo Vault on iOS came out with Magnet AXIOM 4.0, and Android in the latest AXIOM version 4.2, What you may not know is that no encryption key or PIN is required. The PPV artifact will identify the encryption key and PIN for you automatically provided you have the artifact enabled.
I am so thankful the customer thought to reach out to let us know about the situation. Not only were we able to directly assist on an important file, now AXIOM can assist other customers in a similar situation – which we’ve had great feedback on already for PPV. I strongly encourage you after reading this to do the same if you encounter an unsupported app! Reach out to your tool vendors or the DFIR community – chances are high you aren’t the first one to run into that particular app. You never know what could result from just asking the question!
If you’re not already using AXIOM, you can request a free 30-day trial today.