Photo-Picker


Photo-Picker


 
 While digging through an iPhone one day I came across an area that grabbed my attention. Looking at the following location:
 
  •  Private\var\mobile\Contains\Data\PluginKitPlugin\<Application_GUID>\
    • com.apple.mobile_container_manager.metadata.plist
      • MCMMetadataIdentifier key
I was able to determine com.apple.mobileslideshow.photo-picker is the application bundle ID using this file system location.
 



Inside the */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/ folder in this location were several .mov files.

 
So I asked myself "What is Photo-Picker? and "How did these files get here?"

What is Photo-Picker?


"User Selected" User Intent" - Apple WWDC 2021

Bless the Apple dev's and their naming conventions. This plugin does exactly what it's called. The short version, for those not wanting to watch the video linked below, is this plugin was introduced in iOS 14 as a "privacy" feature. Photo-Picker allows applications access to a user's native Photo application, where a user can "Pick" the "Photo" (or video) they would like the app to specifically have access to.

Attached is a link to Apple's WWDC 2020 video further detailing the implementation of the Photo-Picker Plugin. Meet the New Photo Picker iOS 14.

Additional information related to the Photo-Picker can be found on the Apple PhotoKit Developers page under the Photos Picker topic.


How do the files get here?

One can assume, looking at the plugin name and the Apple developer video, files get here when interacted with by the user and an application. We've all heard the old adage about what happens when you assume something so lets take this a step further.

OS VERSION:

  • Apple iPhone 8 [iPhone10,1 D20AP]
    • iOS 14.4.2
    • Filza: v 3.8.1
    • Kik: Display v. 16.1.0 Internal v. 16.1.0.16779
    • Safari: Display v 14.4
    •  Mail: Display v. 1.0.0 Internal v. 3654.60.0.1.23
  • Apple iPhone 6s [iPhone8,1 N71AP]
    • iOS 15.4.1
    • Kik: Display v 16.1.5. Internal v. 16.1.5.88905
    • Safari: Display v 15.4 Internal v. 8613.1.17.0.8
    • Mail: Display v. 1.0.0 Internal v. 3696.80.82.2.2

TOOLS:
  • Axiom Process and Examine v6.0.0.31091

iOS 14

In the beginning stages of research, I tested various applications in an attempt to trigger data being written to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/. Very early on the only application I ever got results from was Kik.

Since many applications failed to ever write data to this location (more on that later) I focused on what specifically in the Kik application triggered Photo-Picker.

I ran a series of test within the Kik application to see what writes and what doesn't.

What Writes

Pressing the icon above and selecting a video triggers the Photo-Picker UI 

 

Within this UI the option to trim the video file is present. The user must further select the Choose option. At this point the UI indicates the video is Compressing and displays a progress bar. Once compression is completed the file is written to the */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/ folder. This is demonstrated in the video below:

 NOTE: The video was recorded on the jailbroken iOS 14.4.2 test device utilizing the Filza application to monitor the /tmp/ folder. Multiple times throughout the video this folder is refreshed to show no files present. This further demonstrates the Photo-Picker plugin does not write any data until Choose and Compressing actions are completed.

 What Doesn't

Allowing Kik access to all Photos and selecting media through the attachment bar.


Forwarding a video from one Kik message to another.

Copying Media from another application i.e. iMessage, Files, and Mega.

Selecting a file over 10 minutes in length (This does not trigger the same UI as Photo-Picker so files are written to the Kik application folder and not */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/)


iOS 15

With testing completed on iOS 14 I turned my attention to iOS 15. I ran the same series of Kik test as presented earlier. After receiving the same results I decided to focus my attention on something I noticed in the Apple WWDC 2021 video. Apple now includes a listing under Settings > Privacy > Photos which indicates "Apps with One-Time Photo Selection" 



This pushed me to not only find applications outside of Kik that would write to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/ but also applications that would populate this setting. 
 
 What Writes
 
As of (date posted) I have found two additional applications that have features that will write to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/ location:

Safari: When a user attempts to upload a video through the Photo Library option it will trigger the Photo-Picker UI. As with Kik the user must Choose the file.



It should be worth noting that Safari is now listed under the "Apps with One-Time Photo Selection"




Mail: When the user selects the photo gallery option and proceeds to select "All Photos" and selects a video the Photo-PickerUI is triggered. Once the user selects Choose the file is written. As with Kik, if the user selects from the "Recent Photos" area it will not trigger a write.

Mail is not listed under "Apps with One-Time Photo Selection"

Additional Information of Interest
  • Some EXIF data will carry over with the video.
  • Video files may persist for months. In testing I have seen files dating back almost 1 year. 
  • If the file still exist in the users Photo application and can be located through visually similar or other means you MAY be able to corroborate "Last Share Data" information from Photos.sqlite.
  • Apple may be allowing developers to implement this plugin and write the files within their perspective application folder.. Thanks to Scott Koeing (Twitter @Scott_Kjr) for pointing out applications like Twitter and GroupMe have features that will trigger Photo-PickerUI and save the video in the following locations:
    • GroupMe: \private\var\mobile\Containers\Data\Application\<GUID>\tmp\trim.<GUID/UUID>.mov
    • Twitter:  \private\var\mobile\Containers\Data\Application\<GUID>\tmp\trim_<GUID/UUID>.mov
  •  If the application that wrote the file is removed the files will persist if stored in */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/  
  • Developers also implement this feature in different ways. As With Kik and Mail a user has multiple ways to select a video file. Not all of these will trigger a write to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/.
  • Within the apps test it appears Photo-Picker does not present videos stored in shared albums. 
  • After discovery of Safari and Mail on iOS 15.4.1 the test was recreated on the iOS 14.4.2 test device and successfully wrote to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/
Summary of Findings

Based on my testing, Photo-Picker is a native application that allows applications to interact with assets in the native Photos application. During testing I was not able to access media files marked as recently deleted, or within other applications like iMessage attachments and email attachments. It only allowed access to files stored in the Photos application.

Based on the .mov files located in */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/ the following can be said:
  • Will contain stored videos that have been created using the Photo-Picker UI.
  • Videos will follow the naming convention trim.<GUID/UUID>.mov
    • Example trim.19CF656E-74C5-4585-9C32-E4EE35C8E9C9
  • If the same video file is chosen more than once, it will be assigned a new unique file name <trim.GUID.mov>. If and when a hash comparison is made, the hashes will be different, even if the same original file was chosen by Photo-Picker to be shared.
  • Timestamps for the files will correspond to when the Choose option is selected. 
  • Videos will persist even if original media in Photos application is removed, or the application that interacted with Photo-Picker is uninstalled. 

Final Thoughts

If you are reading this post, then you're are probably like I was at one point. You came across this area on a device and it contained files of interest. Files that maybe existed no where else on the device. You asked yourself "What is Photo-Picker" and "How did these files get here?". Well this answers them. Hopefully this shows you how a user knowingly and willingly interacted videos that had been stored in the Photos application. 
 
Remember Apple's own developer video states this plugin "Provides user selected photos and videos" and shows "a clear user intent of sharing the assets".
 
Thanks 
 
Big thanks to Scott Koeing (Twitter @Scott_Kjr) for not only helping with some research and editing, but also pushing me to make this post. 

Comments

  1. Hi Eddie and thank you for this info re photo picker.
    Did you look at the Exif Data in the Trim files?
    The reason I am asking as a current CSAM job has just the Trim files present and I noticed that the EXIF Created date matches that of the Trim file...so I am guessing that the TRIM file gets its own Exif data and not that of the original device......so the exif GPS data will also reflect where my offender was when he used the photo picker and not the location of the actual abuse?

    ReplyDelete
    Replies
    1. Tim G, Sorry for the late reply I just now saw this. Contact me at mr.evfa@gmail.com or if you are on the forensics discord DM Mr. Eddie Vedder From Accounting.

      Delete

Post a Comment

Popular posts from this blog

Hack The Planet!