Multiple weaknesses exist in AppLock, a popular lock application for Android devices that boasts more than 100 million users.
A researcher is claiming that the app, which is supposed to securely store photos, videos and other apps, doesn’t really use encryption to do so; it simply hides the files elsewhere on the phone, where an attacker could theoretically read them.
The app also suffers from what Noam Rathaus, a researcher who blogs about vulnerabilities for the portal SecuriTeam, dubs a weak PIN reset mechanism and a weak lock mechanism. Rathaus, who is also the Chief Technology Officer for Beyond Security, published technical details on the vulnerabilities, along with step-by-step methods to exploit them, on Monday.
Rathaus claims that when users save files in AppLock, they’re actually stored in the shared read/write partition of the filesystem and not in the private storage assigned to the application. This means that an attacker would only have to install a file manager application, navigate to a certain SQLite database and then to a path recorded there, to find the images.
“We can simply copy or rename it as it was to restore access,” Rathaus writes of files, which are named as timestamps.
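To make the distinction concrete, the following is an added illustration, not AppLock’s code or anything published by Rathaus or DoMobile. It models device storage as two in-memory dictionaries (standing in for the shared partition and app-private storage) and contrasts the “rename and hide” pattern described above with encrypting the file under a key derived from the user’s PIN. The cipher is a deliberately simple stdlib encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag) chosen only so the example runs with no third-party packages; it is an assumption of this example, not a recommendation. An Android app would instead use AES-GCM with a key held in the Android Keystore and write the result to app-private internal storage.

```python
"""Why "hiding" a file is not the same as encrypting it (added illustration)."""
import hashlib
import hmac
import secrets

# Constructed sample bytes standing in for a user's private photo.
SAMPLE_PHOTO = b"\x89PNG constructed-sample-image-bytes"

# --- weak pattern the article describes -------------------------------------
shared_storage = {}      # models the shared read/write partition (e.g. /sdcard)


def hide_by_rename(data: bytes, timestamp_ms: int) -> str:
    """Write the plaintext to shared storage under a timestamp-style name.
    Nothing protects the content: any file manager, or any app with storage
    permission, can list the directory and read the bytes back unchanged."""
    name = f"{timestamp_ms}"
    shared_storage[name] = data
    return name


def recover_hidden(name: str) -> bytes:
    """What an on-device file manager does: read the file as-is."""
    return shared_storage[name]


# --- hardened pattern ---------------------------------------------------------
private_storage = {}     # models app-private internal storage


def _derive_keys(pin: str, salt: bytes):
    """PBKDF2 from the PIN yields separate encryption and MAC keys.
    Caveat: a short PIN is still guessable offline by anyone who copies the
    blob, so on a real device the file key should be hardware-backed
    (Android Keystore) and only unwrapped after on-device PIN verification."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (illustrative stdlib stand-in
    for a real AEAD such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_and_store(data: bytes, pin: str, name: str) -> None:
    """Encrypt-then-MAC the file and keep only the protected blob at rest."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(pin, salt)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    private_storage[name] = salt + nonce + tag + ct


def load_and_decrypt(name: str, pin: str) -> bytes:
    """Verify the tag before touching the ciphertext; a wrong PIN or a
    modified blob fails here instead of yielding garbage."""
    blob = private_storage[name]
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(pin, salt)
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong PIN or tampered file")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def at_rest_blob_reveals_plaintext(name: str) -> bool:
    """Reviewer check: does the stored blob still contain the original bytes?"""
    return SAMPLE_PHOTO in private_storage[name]


if __name__ == "__main__":
    hidden = hide_by_rename(SAMPLE_PHOTO, 1440000000000)
    print("hidden file readable as-is:", recover_hidden(hidden) == SAMPLE_PHOTO)
    encrypt_and_store(SAMPLE_PHOTO, "1234", "vault-item-1")
    print("encrypted blob leaks plaintext:", at_rest_blob_reveals_plaintext("vault-item-1"))
    print("decrypts with right PIN:", load_and_decrypt("vault-item-1", "1234") == SAMPLE_PHOTO)
```

The `at_rest_blob_reveals_plaintext` check is the kind of test a reviewer can run against any “vault” app: copy the stored object out and see whether the original bytes are still in it. Renaming passes the user’s eye but fails that check; authenticated encryption passes it.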
The second issue, the weak lock mechanism vulnerability, allows an attacker with root access to the device to either see the PIN code associated with an app, or change it.
But it’s the last issue, the PIN reset vulnerability, that’s perhaps the most dangerous as it could give an attacker full control of the app. By exploiting its password reset function, an attacker could potentially reset a user’s PIN code and “gain full access to all functionalities of the application without any kind of special permission,” Rathaus claims.
The problem stems from the fact that if a user hasn’t set an email address, an attacker can simply add their own to retrieve a code and then reset the PIN, Rathaus says, adding that even if an email address has been set, an attacker could use Wireshark, intercept the traffic, and facilitate a reset request from there.
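The reset flaw described above comes down to who is allowed to bind a recovery address and where the reset code is sent. The following is an added illustration, not AppLock’s code, of a PIN lock whose reset path closes that gap: a recovery email can only be bound by someone who proves knowledge of the current PIN, a reset code is only ever delivered to an address bound beforehand (never one supplied with the reset request), and codes are single-use and time-limited. Email delivery is modelled by a callback so the example runs offline; the PIN is stored as a salted PBKDF2 hash rather than in the clear, which is an assumption of this example.

```python
"""PIN reset flow that refuses to bind a recovery address on demand (added illustration)."""
import hashlib
import hmac
import secrets
import time


class PinLock:
    RESET_TTL_SECONDS = 600   # reset codes expire after ten minutes

    def __init__(self, pin: str, send_email):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin, self._salt)
        self._recovery_email = None
        self._send_email = send_email          # callable(address, code), models mail delivery
        self._pending = None                   # (code, expiry) while a reset is in flight

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Salted hash instead of plaintext. Caveat: a 4-digit PIN is still
        # trivially guessable by anyone with root who copies this value, so the
        # real mitigation is hardware-backed verification, not hashing alone.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

    def verify_pin(self, pin: str) -> bool:
        return hmac.compare_digest(self._pin_hash, self._hash_pin(pin, self._salt))

    def set_recovery_email(self, current_pin: str, address: str) -> None:
        """Binding an address is a privileged change, so it requires the
        current PIN. Without this check anyone holding the device can point
        recovery at their own inbox, which is the weakness the article describes."""
        if not self.verify_pin(current_pin):
            raise PermissionError("current PIN required to change recovery email")
        self._recovery_email = address

    def request_reset(self) -> bool:
        """Send a one-time code to the previously bound address only.
        No bound address means no reset path, rather than 'bind one now'."""
        if self._recovery_email is None:
            return False
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending = (code, time.monotonic() + self.RESET_TTL_SECONDS)
        self._send_email(self._recovery_email, code)
        return True

    def reset_pin(self, code: str, new_pin: str) -> bool:
        """Consume the pending code whether or not it matches, so each code
        gets exactly one try and cannot be replayed."""
        if self._pending is None:
            return False
        expected, expires = self._pending
        self._pending = None
        if time.monotonic() > expires or not hmac.compare_digest(expected, code):
            return False
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(new_pin, self._salt)
        return True


if __name__ == "__main__":
    outbox = []
    lock = PinLock("1234", lambda addr, code: outbox.append((addr, code)))
    print("reset without bound email:", lock.request_reset())        # False
    lock.set_recovery_email("1234", "owner@example.invalid")
    lock.request_reset()
    print("code went to:", outbox[-1][0])
    print("reset with delivered code:", lock.reset_pin(outbox[-1][1], "9999"))
```

The class only fixes the authorization logic. The interception Rathaus describes with Wireshark is a transport problem: whatever carries the reset request and code between app and server must be protected with TLS, and the server, not the device, should decide which address a code goes to.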
Rathaus claims the vendor, the Hong Kong-based DoMobile Lab, was receptive in the early stages, even telling the researcher that it values security and takes all vulnerabilities seriously. The company hasn’t returned an email in a month, however, even after “numerous attempts to establish communication with them have been attempted.” After a month of waiting, Rathaus was prompted to disclose the issues on Monday.
An email from Threatpost to the company on Tuesday asking for a timeline on a fix was not immediately returned, but as AppLock’s latest update came July 27, it’s unlikely DoMobile has addressed the issues yet.