
Forensics analysis of faceplay application to seek digital artifacts on data ownership and privacy


2021 8th NAFOSTED Conference on Information and Computer Science (NICS)

Forensics analysis of FacePlay application to seek digital artifacts on data ownership and privacy

Doan Minh Trung1,2,a, Le Thanh Duan1,2,b, Nghi Hoang Khoa1,2,c, Phan The Duy1,2,d, Nguyen Tan Cam1,2,e, Van-Hau Pham1,2,f
Information Security Lab, University of Information Technology, Ho Chi Minh City, Vietnam
Vietnam National University Ho Chi Minh City, Hochiminh City, Vietnam
{a18521547, b19521370}@gm.uit.edu.vn, {ckhoanh, dduypt, ecamnt, fhaupv}@uit.edu.vn

Abstract— Smartphones are indispensable items for more than 95% of young people today. And of course, intelligent applications on phones are also born more to meet the needs. Thanks to its unique ease of use and modern technology, the applications are beautiful to users. Nowadays, the term AI (Artificial Intelligence) is more and more popular and close to Android phone users thanks to the addition of AI to their functions. Big phone brands like Samsung, Huawei, or Google make significant machine learning improvements to their phone cameras. Especially with the application of filming and taking photos that can edit faces and create animations. Therefore, it has attracted countless users, especially selfie enthusiasts who have used their images to post apps to animate their pictures and videos. Android devices are now more popular; as of 2021, there are more than billion active Android devices, three times more than iOS. Besides, there are applications related to editing, creating images, effects for users on Android. The use of personal photos by users for such applications may inadvertently cause the applications to violate privacy. Therefore, it is necessary to carry out forensic investigations of applications to detect access violations and theft of user privacy. This paper performs forensic analysis of the FacePlay app to analyze, evaluate, and warn users about FacePlay privacy issues.

Furthermore, granting an application a bunch of unnecessary
permissions carries many potential risks. Thus, FacePlay can gather the user’s personal information simply by providing images, and the purpose of the use is unknown. They could assist or sell these images to a unit that employs artificial intelligence to modify facial recognition. Facial recognition is a technology mainly used for password authentication [3] and is becoming more prevalent. Criminals might impersonate individuals to get past security or communicate fraudulently on behalf of a business with just one profile picture [4]. Besides that, criminals could easily exploit the provision of personal photos to third-party applications by inserting “pornographic” video images on “dark” webs [5].

Keywords— Mobile Forensics, Smartphone Forensics, FacePlay, Steganography, Privacy, Cybersecurity

I. INTRODUCTION

In 2021, the number of global smartphone users is estimated at 6.4 billion, marking a 5.3 percent annual increase. It is also 73.9 percent more than the number of smartphone users in 2016, just half a decade ago [1]. Two-thirds of smartphone users (68%) use news, entertainment, games, and sports apps [2]. Nowadays, AI Face Editor apps are trending globally on social media with its many new features such as gender swap, sketching portraits like cartoon characters, automatically merging the two faces into photos and videos of stars and celebrities, cosplay videos. Since its launch, FacePlay has been promoted as one of the best mobile apps for AI video editing. It has received a lot of attention by creating a video in the style of historical Chinese fashion (Fig 1a). After downloading the FacePlay app, which requires the user to allow auto-launch, run in the background, access the camera to get a personal image, transfer the user’s data to the server, or log in with a social network account can perform photo and video editing steps, FacePlay will present the user with video filters to choose from and then connect the user’s face with the characters in the available videos
(Fig 1b). Suppose the user forgets to uninstall the application from the device after the 3-day trial period ends. In that case, FacePlay will automatically register to purchase the app’s pro version without the user’s knowledge.

978-1-6654-1001-4/21/$31.00 ©2021 IEEE

Fig GUI of FacePlay application. (a) Home screen of the app. (b) After using video filters.

This paper resolves the following significant concerns, including 1) how FacePlay can protect itself against various attacks such as steganographic attacks and sniffer attacks; 2) dangerous things FacePlay and third parties can do with user information they obtain by requesting a lot of needless permissions. Hence, the paper aims to investigate the above concerns, analyze and discuss FacePlay’s privacy policy, and offer users caution about sharing personal information.

The remainder of this paper is structured as follows: Section provides an overview of related works, Section focuses on components of the methodology and the tools for investigating. The results and findings are presented in Section. Whereas Section is the conclusions and the future works.

II. RELATED WORKS

Digital forensics is a branch of forensic science that has received increasing attention from researchers, giving rise to many topics. From forensic analysis on social networking sites, messaging app platforms on iOS, and especially on Android.

In [6], the paper presented the method of forensic analysis of artifacts created on the phone by Telegram. They design a set of forensic experiments to elicit artifacts and store them in device memory to ensure that third parties can reproduce their findings. Their forensic methods apply to other Android-based applications. The first shows how to build a list of contacts, message content, and files sent and received chats. Furthermore, they identify the identifiers, creation date, join date, etc., of the chat groups and channels
in which the user enters. And finally, they show how to build a user’s call log.

Fahad E Salamh (Member, IEEE) [7] performed a complete technical forensic analysis of 27 Android mobile apps and 33 iOS apps. He demystified the application’s architecture, pinpointed forensic artifacts, highlighted security and privacy goals on the app, and identified tools for each step of reproducibility and verification in forensics.

Like other papers on WhatsApp Messenger, in [8], the author also pointed out that artifacts were created from the application using forensic techniques. These artifacts have a lot of valuable information. Get a list of contacts and chronology from data stored in databases. That could make it possible for analysts to recover previously deleted contacts and their deletion date. They also clarify that their techniques are only applicable to Android because, on different platforms, they create various artifacts in the information they store or in their format.

An in-depth forensic analysis of WeChat [9] that used Anti-Forensics. The author has taken advantage of reverse engineering techniques with Apktool, dex2jar, JD-GUI, BakSmali, etc. They can decode encrypted data as well as know the location of encryption. Thanks to reverse engineering, the forensic process becomes more accessible with 350 forensic techniques. The result is user data, decryption of encrypted messages, investigations of communication, and what users share about moments.

In [10], focuses forensic investigations on major social networks known and used by most users such as Facebook, Twitter, and LinkedIn on Android smartphone platforms, Apple iPhones, Windows, and BlackBerry devices. The results showed that only BlackBerry smartphones could not be extracted even bits of data and evidence. On the other hand, Android and Windows devices, as well as Apple iPhone, store a significant amount of critical data.

In [11], the authors used reverse engineering techniques, packet sniffer tools to analyze required OS
permissions and the network traffic. They also used steganography in FaceApp (version 3.4.10) to hide secret message text or files into images and videos before uploading them to the app. They discovered after extracting the data that FaceApp did remove implanted metadata and hidden messages on pictures and videos.

In addition to the approaches mentioned above, we will utilize some other tools in this paper to examine and make more thorough and accurate evaluations. While social network applications have been discussed in many works, there is a lack of thorough investigation on FacePlay in the same approach. As mentioned before, hundreds of different social networking sites gradually become familiar with people’s daily lives. Many discussions about these applications have been getting more popular to help users better understand all aspects of the application. It is included as a topic of discussion on forums, analytical blogs, and even scientific papers. Besides, FacePlay is also a popular application used by many young people, but there has not been any complete research and discussion about it.

III. METHODOLOGY

A. Environment setup

This paper set up an experiment environment with FacePlay version 2.3.0 loaded on a rooted Genymotion [12] on Android version 7.1 to analyze the FacePlay application. To reverse the apk file, hide a secret file or message, capture network traffic, and extract data from the targeted devices, many analyzing tools are employed, such as:

• Androguard [13] is a great tool written in Python to analyze/reverse Android applications.
• Wireshark [14] can be used to sniff a packet in network traffic.
• Burp Suite [15] is to pentest web applications.
• SQLite Database Browser [16] supports reading database files.
• Steghide [17] & StegoMagic [18] support hiding secret file or message into a video file.
• ADB debugging [19] can communicate with a device and provide access to a shell that can be used to run a variety of commands on a device.

B. FacePlay forensics methodology

The authors use the environment mentioned above in this section to start analyzing the app. The following methodology was divided into six sections.

• Reverse Engineering. Interesting information can be extracted from an apk file, such as permissions, activities, and so on.
• Databases. Exploiting useful FacePlay’s private data to support the investigation.
• Network Traffic. Analyzing network traffic to see whether FacePlay sends user data to the server via traffic encryption.
• Steganography. We are using Steganography techniques to hide the secret into images and upload it to the app.
• Security Posture Evaluation. Metadata from the images will be removed or altered when processed by the app.
• Analysis of EULA and Privacy Agreements. Based on FacePlay’s privacy policy analysis, users are warned about the dangers of disclosing personal information.

IV. ANALYSIS AND RESULTS

A. Reverse Engineering

Androguard is a Python-based tool used for reverse engineering Android apps. Androguard features a lot of functions for automated analysis. This entails taking the raw Android Package (.apk) files of the app. Androguard supports Windows, Linux, and OSX and requires Python version 3.4 or above as a pre-requisite. To install Androguard on Ubuntu, use the following command:

    sudo apt-get install androguard

Fig shows how to start Androguard and decompile the apk file. The FacePlay apk [20] file was used in this case to launch the iPython shell, where you may input commands to see files and permissions. Fig indicates the name of the FacePlay app’s signature name.

Fig Method to start analysis

The three objects are: a, an androguard.core.bytecodes.apk.APK object; d, an array of androguard.core.bytecodes.dvm.DalvikVMFormat objects; and dx, an androguard.core.analysis.analysis.Analysis object. APK object contains get_app_name() method to get the App name as shown below.

Fig Signature in FacePlay
Fig Signature name of FacePlay
Fig Method to get App name

Using the get_permissions() method of an APK object, all the permissions requested by FacePlay are displayed. With these permissions, FacePlay can access to WifiManager (for managing all aspects of Wi-Fi connectivity in particular), the internet, access the network state, access camera, reading phone state (phone number, current cellular network information, the status of any ongoing calls and so on), reading, and writing to the external storage. Fig shows the list of all the permissions on the FacePlay App code.

Fig All the permissions in FacePlay

The get_activities() method in the APK object lists all of the activities in the app. MainActivity, FacebookActivity, CustomTabActivity, and some ads activities are just a few of the activities. Fig shows all the activities associated with the FacePlay application.

Fig All the activities in FacePlay

The APK object also includes get_signature() method that returns data of the first signature file discovered, which can either be a v1 signature or a JAR signature. The signature returned by the apk is shown in Fig.

Disclosing users’ personal and financial information is becoming increasingly critical as the use of mobile applications grows. It has also increased the number of people who become victims of a hacking attempt or a scam. An application developer must consider security requirements while developing mobile applications. For this reason, reverse engineering with tools such as Androguard is helpful in the forensic investigation for finding vulnerabilities, data collection of mobile applications (APK files).

B. Databases

For this paper, we only analyze the application’s private data having access to the privileges of the root user. In the Android system, FacePlay data is stored in a dedicated directory located at /data/data/com.aicoser.video.editor once the application is installed. In order to extract data from the device, we use ADB tool. Fig shows how to pull data from FacePlay using ADB command.

Fig Getting data from FacePlay using ADB

Most of the useful data for investigation is stored at databases and shared_prefs folders. All data of interest between FacePlay and ad providers is located at data/data/com.aicoser.video.editor/databases.

• data/data/com.aicoser.video.editor/databases/slslog. Fig illustrates the information about users’ devices, such as device model (Custom_Phone_1), device platform (Android), device version (7.1.1), device information (cpu_core:4, cpu_used:8.25%, etc),… and other related information.
• data/data/com.aicoser.video.editor/databases/vungle db contains many links to images and videos of ads services, as shown in Fig 10.

Fig Information about users’ devices
Fig 10 Many links to images and videos of ads services

The shared_prefs directory contains some potential information in form of XML files, as follows:

• The installation time of the application
• The first time of ad request
• The setting of the application
• Advertising ID, device ID, location
• The first launching time of the application

The information about ads services is stored in admob.xml, as shown in Fig 11.

Fig 11 Ads services information in admob.xml

Fig 12 shows the first opening time, installation time of the application, and some information such as advertising ID,…

Fig 12 Content of appsflyer-data.xml

C. Network Traffic

Based on an analysis of all pcap files captured by Wireshark, when users send or receive data from FacePlay, they are encrypted using Secure Sockets Layer (“SSL”) or other algorithms. As a result, sniffing on users who log in, upload or download images via FacePlay will be extremely difficult.

Fig 13 FacePlay using encryption for traffic

On the other hand, there is one very valuable identifier that most users are not even aware of: advertising ID. Using Burp Suite to analyze network traffic, the authors discovered that FacePlay collects some amount of information about users’ devices, such as an OS model, a phone model and then send to cloud server. Fig 14 shows information about users’ devices that FacePlay collected. In addition, it also has the value limit_ad_track set to false, indicating that the user has allowed FacePlay ad tracking.

Fig 14 FacePlay collecting information about users’ devices

D. Steganography

Steghide and StegoMagic were used for embedding steganographic information into the image files, the following command was used in steghide command-line tool:

    steghide embed -cf -ef

Fig 15 Embedding hidden text message into the images using Steghide

Fig 15 and Fig 16 show how to use Steghide and StegoMagic for embedding hidden text message into the image file.

Fig 16 FacePlay embedding hidden text message into the images using StegoMagic

This is probably the best approach to create an image with hidden text. After uploading and processing the image into FacePlay, there was a resulting image without any hidden text. FacePlay algorithm would almost probably be able to apply AI or anti-forensic approach to remove stego content from images [21]. Fig 17 indicates that after extracting the data, there will be some folders containing that embedded image, in addition to a folder containing photos from users’ storage that they have never uploaded (related to the permissions that were mentioned above). Fig 18, Fig 19, and Fig 20 show the process of extracting secret messages from images in all folders on Android smartphones that got from using ADB.

Fig 17 One of the folders containing embedded image
Fig 18 The hidden text message was stripped out
Fig 19 The extraction process in StegoMagic
Fig 20 The garbled text file extracted from the Android smartphone

E. Security Posture Evaluation

To evaluate security posture FacePlay, metadata of selected images were edited to add texts (such as malware names, popular threat actors,
and so on) that would raise low-level security flags. FacePlay stripped away such metadata from the images. According to the authors, these apps have low-level checks against metadata strings to screen out irrelevant information, making it more difficult for malicious actors to inject dangerous programs or messages into image metadata sections.

F. Analysis of EULA and Privacy Agreements

The privacy policy of FacePlay [22] is publicly available on the Internet. From this policy, the following can be deduced.

Information Collection

1) Contact and feedback information. The FacePlay company collects user content (account name, email address, phone number, and region) that users login in through a third-party media website or users submitted feedback and customer service to contact FacePlay.
2) Information about users use of the Platforms. Third-party analysis tools like Google Analysis, browser cookies, and web beacons are used by FacePlay to measure traffic and usage trends that users click, download, browse, share, and search record.
3) The photos/images users have chosen to upload. FacePlay “might” store the photos/images users have chosen to upload in Alibaba Cloud’s encrypted storage. After the synthesis process is completed, users’ pictures will not be shared with third parties and automatically deleted immediately.
4) Device and log information. FacePlay’s privacy policy claims that the App will collect users’ devices (OS model, a phone model, etc.), IP address, location, and log file information to provide user-targeted advertising services.
5) Children’s privacy. FacePlay explains that they respect the information provided by children and ensure all the children’s data is removed. FacePlay also considers making parents responsible for their children’s use of FacePlay products and services.

Information Usage

1) FacePlay collects information to provide services to users on its Platforms. User information is needed in some cases, such as creating a personal account, accessing an
account, or when a user accidentally forgets an account. When uploading videos and images for editing, users also need this platform.
2) Process and respond to users’ inquiries or feedback requests. FacePlay said that they need to use personal information to handle user inquiries, complaints and feedback.
3) Improve products and services. FacePlay uses data to build, develop, operate, deploy, and upgrade its goods and services to stay on top of trends and ensure that Platforms are simple to use.
4) Security for an application is a top priority. To avoid pretending to be a user logging into an account, FacePlay needs to verify some of the user's information to ensure their interests. Verification, authentication, monitoring account, and transaction systems need the original user's information to confirm ownership.
5) FacePlay’s marketing purposes. FacePlay never sells personal information to third parties. It may only be shared when necessary to carry out legitimate business functions. They also say that from personal information, FacePlay can send special offers and promotions to users. And advertise only some of the new third-party offers that FacePlay finds users will be interested in.
6) Send important notices. From the necessary notes and warnings to users about the account to changes to the terms, policies, and conditions of the FacePlay app, information from the account owner is required.
7) Store and maintain user information for FacePlay’s legal obligations. To avoid bad behaviors on social networks as well as FacePlay, user information is essential for legal obligations and in emergency cases when a user’s wrongdoing is detected to affect the application.

Users can find the privacy agreements for FacePlay in detail on their App or the Internet. The ordinary FacePlay user, on the other hand, rarely sees and reads the FacePlay website’s privacy agreement. Users often do not pay attention to privacy agreements and notifications. All FacePlay’s images are processed on its servers
rather than on the smartphone. To use some functions of the theme templates editing and short video production services, users only need to log in and allow FacePlay to take pictures and record videos. They do not need to grant FacePlay access to device storage if they do not intend to utilize it. Like FaceApp, FacePlay company’s decision to store uploaded images/photos in Alibaba Cloud’s encrypted storage for a short time will be automatically deleted immediately after the synthesis process is completed that raises a few controversies over privacy and ownership. FacePlay will employ the Mob ShareSDK service of Shanghai Youkun Information Technology Co., Ltd (“MobTech”) to allow users to share their videos to other platforms. Users need to give their permission for MobTech SDK to collect their data. Users can turn on or off any or all permissions at their discretion at any time. However, if the app is not allowed to access media storage after the user downloads it, the user will not be able to use any FacePlay’s services. In terms of ownership and copyrights, FacePlay claims that users can request the deletion of their data by clicking “setting”- “feedback” in the FacePlay

V. CONCLUSION

With the incredible popularity of AI Face Editor apps like FacePlay, this app had rapidly gained a large number of users across all ages and a huge download on app stores, just as the FaceApp app did in 2020 when it had already taken the internet by storm on social networks with over 100 million downloads. Because of that, the FacePlay application has indirectly become a valuable data source for forensic investigations. Starting from a free application, the actions of collecting user information are predictable. Because when using free software, we should ask ourselves why it is free and where the publisher can make money somehow to remain their software. This paper presents the steps to investigate the FacePlay application to
answer such a question. The investigation results show that FacePlay processing garbled the hidden content of images and videos, and FacePlay encrypts all the traffic, making it difficult for network sniffers. The reverse engineering of the APK file shows that FacePlay requires many needless permissions, which carries many potential risks. Although FacePlay has released a statement claiming that most photos uploaded to the cloud server will be automatically deleted immediately after the synthesis process is completed and never sell any personal information to third parties, there are no legal guarantees for this in the privacy policy. The authors suggest that the user community should not provide personal data to such applications.

In this paper, we have forensically analyzed the FacePlay application on the Android platform. It is important to note that FacePlay’s deployment environment is not limited to only Android but also many other platforms (e.g., iOS); more work needs to be done, so there may be differences in performance, storage format, or location of other platforms. From now on, we will continue to test different methods and tools on all other platforms to improve the efficiency of the forensic investigation process.

ACKNOWLEDGMENT

Our thanks to our colleagues from Information Security Lab - University of Information Technology, VNU-HCM for their support during this work.

REFERENCES

[1] Statista, "Number of smartphone users from 2016 to 2021," Statista, June 2021. [Online]. Available: https://www.statista.com/statistics/330695/number-of-smartphoneusers-worldwide/ [Accessed October 2021].
[2] Ipsos, "Something for Everyone - Why the growth of mobile apps is good news for brands," July 2017. [Online]. Available: https://www.ipsos.com/sites/default/files/2017-08/Google-mobileapps-report-2017.pdf [Accessed October 2021].
[3] D R Ibrahim, J S Teh and R Abdullah, "Multifactor authentication system based on color visual cryptography, facial recognition, and dragonfly optimization," Information Security Journal: A Global Perspective, vol 30, pp 149-159, 2021.
[4] R Hingley, "Security alert: the cyber threats on the rise in 2021," 11 July 2021. [Online]. Available: https://www.rpint.com/blog/securityalert-the-cyber-threats-on-the-rise-in-2021 [Accessed October 2021].
[5] K Hao, "A horrifying new AI app swaps women into porn videos with a click," 13 September 2021. [Online]. Available: https://www.technologyreview.com/2021/09/13/1035449/aideepfake-app-face-swaps-women-into-porn/ [Accessed October 2021].
[6] M C a M G C Anglano, "Forensic analysis of Telegram Messenger on Android smartphones," Digital Investigation, vol 23, pp 31-49, 2017.
[7] M M M S H Y H Y a U K F E Salamh, "What’s on the Horizon? An In-Depth Forensic Analysis of Android and iOS Applications," IEEE Access, vol 9, pp 99421-99454, 2021.
[8] C Anglano, "Forensic analysis of WhatsApp Messenger on Android smartphones," Digital Investigation, vol 11, pp 201-213, 2014.
[9] Y Z X W X X a L D S Wu, "Forensic analysis of WeChat on Android smartphones," Digital Investigation, vol 21, pp 3-10, 2017.
[10] F A Awan, "Forensic examination of social networking applications on smartphones," in 2015 Conference on Information Assurance and Cyber Security (CIACS), pp 36-43, 2015.
[11] A Neyaz, A Kumar, S Krishnan, J Placker and Q Liu, "Security, privacy and steganographic analysis of FaceApp and TikTok," International Journal of Computer Science and Security, vol 14, pp 38-59, 2020.
[12] "Genymotion – Android Emulator for app testing Cross-platform Android Emulator for manual and automated app testing." [Online]. Available: https://www.genymotion.com/ [Accessed October 2021].
[13] A Desnos, G Gueguen and S Bachmann, "Introduction Androguard 3.4 Documentation," 2018. [Online]. Available: https://androguard.readthedocs.io/en/latest/intro/ [Accessed October 2021].
[14] "Wireshark · Go Deep." [Online]. Available: https://www.wireshark.org/ [Accessed October 2021].
[15] "Burp Suite - Application Security Testing Software," PortSwigger. [Online]. Available: https://portswigger.net/burp [Accessed October 2021].
[16] "DB Browser for SQLite." [Online]. Available: https://sqlitebrowser.org/ [Accessed October 2021].
[17] "Steghide." [Online]. Available: http://steghide.sourceforge.net/ [Accessed October 2021].
[18] MrMugiwara, "StegoMagic," 2016. [Online]. Available: https://github.com/MrMugiwara/StegoMagic [Accessed October 2021].
[19] "Android Debug Bridge (adb)." [Online]. Available: https://developer.android.com/studio/command-line/adb [Accessed October 2021].
[20] "FacePlay for Android APK Download," Apkpure, 2021. [Online]. Available: https://apkpure.com/faceplay-face-swapvideo/com.ai.face.play [Accessed October 2021].
[21] P P Amritha, M Sethumadhavan, R Krishnan and S K Pal, "Antiforensic approach to remove stego content from images and videos," Journal of Cyber Security and Mobility, pp 295-320, 2019.
[22] FacePlay, "Privacy Policy," 15 April 2021. [Online]. Available: https://static-ai.s3.amazonaws.com/FacePlay/PrivacyPolicy.html [Accessed October 2021].

Date posted: 18/02/2023, 06:44
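Section IV-B lists what the shared_prefs XML files hold (installation and first-launch times, advertising ID, device ID, location, ad-tracking settings). The following is an added example, not code from the paper: a triage script for a pulled shared_prefs folder that parses the SharedPreferences XML layout and reports privacy-relevant entries. The key names, keyword heuristics and sample file are constructed assumptions, not FacePlay's real entries.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in the Android SharedPreferences XML layout. Key names and
# values are invented for illustration; they are not FacePlay's real entries.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="advertising_id">00000000-1111-2222-3333-444444444444</string>
    <long name="first_launch_time" value="1633046400000" />
    <long name="install_time" value="1633046000000" />
    <boolean name="limit_ad_track" value="false" />
    <int name="launch_count" value="7" />
    <string name="ui_theme">dark</string>
</map>
"""

# Substrings that mark a key as privacy-relevant (assumed heuristics; extend per case).
KEYWORDS = {
    "identifier": ("advertising_id", "ad_id", "gaid", "device_id", "android_id", "imei"),
    "tracking": ("limit_ad_track", "opt_out", "consent"),
    "location": ("location", "latitude", "longitude"),
}
EPOCH_MS_MIN = 1_199_145_600_000  # 2008-01-01 UTC
EPOCH_MS_MAX = 4_102_444_800_000  # 2100-01-01 UTC


def parse_shared_prefs(xml_text):
    """Return {key: typed value} for one SharedPreferences XML document."""
    prefs = {}
    for node in ET.fromstring(xml_text):
        name = node.get("name")
        if name is None:
            continue
        if node.tag == "string":
            prefs[name] = node.text or ""
        elif node.tag in ("int", "long"):
            prefs[name] = int(node.get("value"))
        elif node.tag == "float":
            prefs[name] = float(node.get("value"))
        elif node.tag == "boolean":
            prefs[name] = node.get("value") == "true"
        elif node.tag == "set":  # string sets are stored as nested <string> nodes
            prefs[name] = sorted(child.text or "" for child in node)
    return prefs


def triage(prefs, source="prefs.xml"):
    """Return (source, key, category, value) tuples for entries worth reporting."""
    findings = []
    for key, value in sorted(prefs.items()):
        is_int = isinstance(value, int) and not isinstance(value, bool)
        if is_int and EPOCH_MS_MIN <= value < EPOCH_MS_MAX:
            # Millisecond epoch values give the install / first-launch timeline.
            stamp = datetime.fromtimestamp(value / 1000, tz=timezone.utc)
            findings.append((source, key, "timeline", stamp.isoformat()))
            continue
        lowered = key.lower()
        for category, words in KEYWORDS.items():
            if any(word in lowered for word in words):
                findings.append((source, key, category, value))
                break
    return findings


def triage_dir(directory):
    """Run the triage over every XML file in a pulled shared_prefs directory."""
    findings = []
    for path in sorted(Path(directory).glob("*.xml")):
        prefs = parse_shared_prefs(path.read_text(encoding="utf-8"))
        findings.extend(triage(prefs, path.name))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_shared_prefs(SAMPLE_PREFS), "sample.xml"):
        print(*finding, sep=" | ")
```

Point `triage_dir` at the local copy of the shared_prefs folder obtained with ADB; values are reported as stored, so the report can be checked against the raw XML.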
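Sections IV-D and IV-E compare an image before upload with the image the app returns. The following added example (not code from the paper) automates the metadata part of that comparison with a small JPEG segment walker that inventories EXIF, XMP, APP13 and comment segments plus any bytes appended after the end-of-image marker. The canary string and both byte streams are constructed and are not decodable pictures; content hidden in the pixel or coefficient data is outside its scope and still needs the extraction tool.

```python
import struct

LABELS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def label_for(marker, payload):
    """Name a metadata segment, telling EXIF and XMP apart inside APP1."""
    if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
        return "EXIF"
    if marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
        return "XMP"
    return LABELS[marker]


def inventory(jpeg):
    """Walk JPEG markers; return metadata segments and any bytes after EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    segments, trailing, pos, n = [], b"", 2, len(jpeg)
    while pos + 1 < n:
        if jpeg[pos] != 0xFF:              # inside entropy-coded scan data
            pos = jpeg.find(b"\xff", pos)
            if pos == -1:
                break
            continue
        marker = jpeg[pos + 1]
        if marker == 0xFF:                 # fill byte in front of a marker
            pos += 1
        elif marker in (0x00, 0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                       # stuffed byte, TEM, SOI, RSTn: no length field
        elif marker == 0xD9:               # EOI: everything after it is appended data
            trailing = jpeg[pos + 2:]
            break
        else:
            if pos + 4 > n:
                raise ValueError(f"truncated segment header at offset {pos}")
            (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
            if length < 2 or pos + 2 + length > n:
                raise ValueError(f"bad segment length at offset {pos}")
            payload = jpeg[pos + 4:pos + 2 + length]
            if marker in LABELS:
                segments.append((label_for(marker, payload), payload))
            pos += 2 + length
    return {"segments": segments, "trailing": trailing}


def compare(original, processed, canary):
    """Report which metadata carriers survived processing by the app."""
    before, after = inventory(original), inventory(processed)
    labels_before = {label for label, _ in before["segments"]}
    labels_after = {label for label, _ in after["segments"]}
    return {
        "stripped": sorted(labels_before - labels_after),
        "retained": sorted(labels_before & labels_after),
        "trailing_bytes_before": len(before["trailing"]),
        "trailing_bytes_after": len(after["trailing"]),
        "canary_survives": canary in processed,
    }


def _seg(marker, payload):
    """Build one length-prefixed segment for the constructed samples below."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed byte streams: structurally valid segments, not real image data.
CANARY = b"CANARY-7f3a"
_JFIF = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_SCAN = _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
ORIGINAL = (b"\xff\xd8" + _JFIF + _seg(0xE1, b"Exif\x00\x00" + CANARY)
            + _seg(0xFE, b"note: " + CANARY) + _SCAN + b"appended:" + CANARY)
PROCESSED = b"\xff\xd8" + _JFIF + _SCAN   # what a metadata-stripping service returns

if __name__ == "__main__":
    for key, value in compare(ORIGINAL, PROCESSED, CANARY).items():
        print(f"{key}: {value}")
```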