Mobile Device Apps Part 2


Snapchat Analysis with iPhone plists and Android databases


Our Analysis So Far on user.plist…

Based on our current analysis, we have found that the Android device has provided us with more obtainable information from Snapchat than the iPhone 5. On the iPhone, the user.plist provided the most information about the application and the associated metadata regarding the username and messages sent/received while using the application. We have found evidence that the iPhone logs precise geolocation data within this plist. However, besides some basic information regarding the transmission of messages from one user to another, the pictures and messages appear to be encrypted. We discovered that the encryption method being used is AES-128, which could potentially be cracked. For our Android device we are using a Nexus 5; we are able to view all pictures that were sent from the device, located in the database. This database also retains the screenshots that were taken using the device, including both the full-size and thumbnail versions of the picture. Unfortunately, most of the information found within the plist had been encrypted; as we progress through our research we will be looking into ways to get around it.


Our next step in our analysis is to look for additional information regarding the geolocation data, to see if this is exclusive to just the iPhone. We then want to discover if we can find the received photos from the Android, along with further transmission information. Then we will continue to investigate the transmission data on the iPhone and whether it can be discovered within the user.plist.
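One way to start the geolocation follow-up described above, as an added example that is not part of the original post: a Python triage pass that walks a plist, lists float values stored under location-like key names, and flags large high-entropy data blobs that are probably encrypted. The key names, hint substrings, thresholds and sample plist are all constructed assumptions, not Snapchat's actual schema.

```python
import hashlib
import math
import plistlib
from collections import Counter

# Assumed substrings for location-like key names; not Snapchat's real keys.
LOCATION_HINTS = ("lat", "lon", "lng", "location", "geo", "coord")

def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; values near 8.0 suggest encrypted or compressed data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def walk(node, path=""):
    """Yield (key_path, leaf_value) for every leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def triage(plist_bytes: bytes, min_entropy: float = 7.0, min_blob: int = 512):
    """Return (location_hits, opaque_blobs) for a binary or XML plist."""
    location_hits, opaque_blobs = [], []
    for path, value in walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit("/", 1)[-1].lower()
        if isinstance(value, float) and abs(value) <= 180.0:
            if any(hint in leaf for hint in LOCATION_HINTS):
                location_hits.append((path, value))
        elif isinstance(value, bytes) and len(value) >= min_blob:
            if shannon_entropy(value) >= min_entropy:
                opaque_blobs.append((path, len(value)))
    return location_hits, opaque_blobs

def constructed_sample() -> bytes:
    """Constructed input: every key name and value here is invented."""
    random_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    return plistlib.dumps({
        "username": "example_user",
        "lastKnownLatitude": 44.4759,
        "lastKnownLongitude": -73.2121,
        "snaps": [{"id": "constructed-1", "payload": random_like},
                  {"id": "constructed-2", "payload": b"\x00" * 1024}],
    }, fmt=plistlib.FMT_BINARY)
```

If the file is an NSKeyedArchiver archive, values sit in its `$objects` array detached from their key names, so the name-based match only works after the archive has been unpacked. Run the pass on a working copy of the extracted file, never on the original evidence.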

2 thoughts on “Mobile Device Apps Part 2”

  1. Jason Briody

    Location Tracking Dependent upon Filter Option?

    Just a thought, untested at this time: it’s possible that the existence of location data in this file (or related files) could be a function of whether the user enabled the use of “Filters”. On Android, this is an opt-in upgrade (I assume it gives you some kind of Instagram-ish filters for your snaps) that requires the use of Location Services to be enabled. To enable, I swipe right upon taking a snap, it then asks if I want to turn on filters, and then provides the following text: “Filters (with a checkbox). Certain filters require your location. Location services is off on your device. Turn it on in Android Settings to be able to use all filters.”

    I haven’t enabled this, nor have I looked into which filters require location settings to be turned on…just a thought, and something I thought might be forensically interesting and pertinent to what you’re working on here. Keep up the good work!

