Thursday, September 10, 2015

What's hiding in your child's Calculator%?

An iOS "Calculator%" app designed to hide photos: here's how to retrieve hidden images without the passcode.
This is one of those rare times when I get to write about two of my favorite subjects at the same time: parenting in a digital age, and digital forensics. In the past week, two people have brought an unusual iOS calculator app to my attention, each coming from a different perspective. One is a high school teacher I have known for years, mentioning it from the perspective of a teacher or parent that might want to know of its hidden features. The other is a Twitter persona that I know only by his (?) alias @munin, asking a question from the perspective of digital forensics.

Between the two, my curiosity was piqued.

So first, what are we talking about?

There is a calculator app for iOS devices (i.e. iPhones, iPads, and iPods) that has a hidden purpose. This app is titled "Calculator%", hence the apparent typo in the article title. On the surface, it is a basic (and functional) calculator app. However, if you enter a secret code (a four-digit PIN between two periods, such as .1234.), the app reveals a second function: it allows the owner to hide documents and image files so they are not readily accessible to someone that does not know the passcode.


At first glance, it's a calculator. Enter a secret passcode, and it's a hidden file folder.

Why might someone want to do this? I can think of many reasons, some pragmatic and some naughty. On the pragmatic side, have you ever lent your phone to a friend so they could make a phone call? Are you certain all they did was make a call? Early cell phones did little more than make calls, so the only danger in lending a friend your phone was they might make an unexpected long-distance call. Modern phones carry all sorts of private information, photos, banking apps, and other things one might want to keep private. On the naughty side, it's not hard to imagine how hormone-driven teens might be using the app...


The Digital Parenting Perspective


Most of the headlines I have seen discussing this app are a bit on the paranoid side: "Parents Should Be On The Lookout!" "District Attorney Warns of Hidden Photo App!" "Kids Using Secret Apps To Hide Photos From Parents!"

Personally, I tend to tune out over-the-top headlines. When a headline starts with "You'll Never Believe..." I walk away in favor of more rational information. Frank conversations with kids are likely to be far more productive than trying to merely police their use of apps (though in fairness, you know your child better than I do).

That said, part of successful parenting (and teaching) is being aware of your child's surroundings. My teacher friend said it quite eloquently: "parents need to educate themselves about these kinds of things and be prepared to discuss them with their children. There are many more apps, like this one, that are designed to hide information. Although it may be designed to keep things from 'a nosy friend', they reach beyond that purpose and can become a huge temptation!"

A couple of things to consider in that frank conversation:
  1. Once you share something, it's out of your control. You may have a parting of ways with a once-trusted friend or significant other. Or maybe the person you shared with is so impressed they want to share it with their buddies or girlfriends. Even if the other party proves completely trustworthy, can you be certain the other party is as security/privacy-conscious as you? Might they make a mistake, choose an easy-to-guess password, or use a service that (through no fault of their own) is compromised? Assume that anything you share digitally might be seen by your parents, teachers, pastor, siblings, and the person at school you would be mortified to have see it. If you don't want what you are about to share to be seen by everyone, DON'T SHARE IT!

  2. Anything shared online is forever. What you share today can come back to haunt you in the future. Despite some services' promise otherwise, you can never be certain something shared online is truly gone. As an 11 / 13 / 15-year-old, you may not be thinking about college, job interviews, getting married, etc. One day you will though. If you don't want what you are about to share to be seen by everyone, DON'T SHARE IT!

  3. There can be long-lasting legal consequences. Possessing or sharing sexually explicit images of a minor, regardless of how the images came to be, can in many cases be a felony offense. In a truly bizarre case of legal (il-)logic, a North Carolina teen is facing charges as an adult ... for exploitation of a minor ... said minor being himself. You read that correctly: the teen is being tried as an adult, on child exploitation charges, for possessing images of himself. Ridiculous as the case is, teens need to know that taking indecent images of themselves puts themselves in serious danger.

The Digital Forensics Perspective


That's not the only reason I am writing this post though - I said very nearly the same thing a year ago when Snapchat was in the news. If my only intent was to give some advice to fellow parents of digital teens, I'd simply repeat what I'd already said.

What really piqued my curiosity this time around was the following tweet by the afore-mentioned @munin:

@Munin asks if the files are encrypted

Security and privacy come in different shapes and sizes. A free or $0.99 app is not likely to implement Fort Knox-grade security, but with free and open-source encryption libraries available, it is not unreasonable to wonder if such an app encrypts the hidden data. So wonder I did.

My "wondering" though often takes on the form of "finding out," so I set out to discover the answer myself. I installed the Calculator% app on my iPad and took a few sample pictures to hide with the app, then set out to see if I could locate the picture files without using the app.

Naturally, Apple makes it rather inconvenient to explore the files on an iOS device. Unlike Android, Windows, and even MacOS, iOS has no native file explorer. You get apps, or nothing. Even better, the file explorer apps available in the App Store are essentially useless for exploring anything other than the default camera roll.

An iOS device can be tethered to a PC much like a digital camera or a USB thumb drive, but again, file access appears limited to images stored in the native camera app's default folders.

Ah, but there is still a way to peer deeper.

iOS works works hand-in-hand with iTunes to backup the contents of an iPhone / iPad / iPod. By connecting an iOS device to a PC or Mac running iTunes, it is possible to make a (nearly) complete backup of the files stored on that device. I say nearly because Apple wisely prevents backing up passwords and private health-related data unless the archive is encrypted.

Upon connecting an iOS device to a PC to which the device has not been previously synced, both the device and iTunes will require confirmation that you do in fact want each to trust the other. This is the one "gotcha" of this approach: you cannot backup an iPhone to a new PC in this manner if the iPhone is not logged in and the screen unlocked (meaning either the rightful owner unlocked it for you, or you have the PIN or password).

Enabling an iOS device and a PC to trust one another

Once the device and iTunes installation trust one another, iTunes shows a screen similar to the one below, from which you can manually perform a backup.

Backing up an iOS device with iTunes

The next step is to locate the actual backup. Fortunately, Apple is quite helpful with a support article that describes exactly where the backups are located on various computer and iTunes versions. In my case, given Windows 8.1 and iTunes 12.2 (the latest version as of this writing), the backups were located in the following folder:

C:\Users\<user>\AppData\Roaming\Apple Computer\MobileSync\Backup

Locating the backup files is nice, but they are still in Apple's custom backup format. Next, I needed a program that could interpret the backup files and show me the contents. There are a variety of programs that can do this, but for my demonstration I chose a free evaluation version of MobileSyncBrowser. Using MobileSyncBrowser and opening up the backup folder I located earlier, I could browse through the file structure looking for a folder name that seemed appropriate. It was not that difficult to find, as you can see from the below screen captures.


Exploring the backup archive with MobileSyncBrowser

After a few minutes of searching, I found the pictures I had taken, in the following location:

/FilesAppDomain/com.aromdee.HiddenPhoto/Documents/Album

Since I was using the demo version of MobileSyncBrowser instead of a purchased full version, I could only preview the images - but that was all I needed to answer the question.

The answer? Calculator% hides photos and documents, but does not encrypt them. Given logged in access to the device, it is possible to create a device backup onto a PC or Mac, and then extract the hidden documents from that backup.

Calculator% will keep photos and documents hidden from the typical nosy friend; it might even keep them hidden from a moderately tech-savvy friend (at least a friend that does not read this blog!), but it won't keep documents out of reach of a three-letter agency or a trained forensic expert. But what did you expect from a free app?

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.