Encryption, Lock Mechanism Vulnerabilities Plague AppLock

Multiple weaknesses exist in AppLock, a popular lock application for Android devices that boasts over 100 million users.

A researcher claims that the app, which is supposed to securely store photos, videos and other apps, doesn’t really encrypt them; it simply hides the files elsewhere on the phone, where an attacker could theoretically read them.

The app also suffers from what Noam Rathaus, a researcher who blogs about vulnerabilities for the portal SecuriTeam, dubs a weak PIN reset mechanism and a weak lock mechanism. Rathaus, who is also the Chief Technology Officer of Beyond Security, published technical details on the vulnerabilities, along with step-by-step methods to exploit them, on Monday.

Rathaus claims that when users save files in AppLock, the files are actually stored in the device’s shared read/write partition of the filesystem and not in the private storage assigned to the application. This means that an attacker would only have to install a file manager application, navigate to a specific SQLite database and then to the path it records, to find the images.

“We can simply copy or rename it as it was to restore access,” Rathaus writes of files, which are named as timestamps.
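As an added illustration of the fix a defender would want for this class of weakness (example code written for this article, not AppLock’s or DoMobile’s own; the class and method names are hypothetical), the following Kotlin snippet keeps a hidden file in Android’s app-private internal storage and encrypts it with the Jetpack Security EncryptedFile API, so a file manager on the shared partition never sees it and copying or renaming the ciphertext does not restore access:

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedFile
import androidx.security.crypto.MasterKey
import java.io.File

// Hypothetical vault helper (not AppLock code). Files live under
// context.filesDir (/data/data/<pkg>/files), which other apps and file
// managers cannot read without root, and are encrypted with a data key
// wrapped by a master key held in the Android Keystore.
class PrivateVault(private val context: Context) {

    private val masterKey: MasterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    private fun vaultFile(name: String): File =
        File(context.filesDir, "vault/$name").also { it.parentFile?.mkdirs() }

    private fun encryptedFile(name: String): EncryptedFile =
        EncryptedFile.Builder(
            context,
            vaultFile(name),
            masterKey,
            EncryptedFile.FileEncryptionScheme.AES256_GCM_HKDF_4KB
        ).build()

    // Write plaintext bytes; only authenticated ciphertext reaches the filesystem.
    fun store(name: String, plaintext: ByteArray) {
        val target = vaultFile(name)
        if (target.exists()) target.delete()   // EncryptedFile refuses to overwrite
        encryptedFile(name).openFileOutput().use { it.write(plaintext) }
    }

    // Read back and decrypt; throws if the ciphertext was modified, so a
    // copied-and-edited file cannot be silently accepted.
    fun load(name: String): ByteArray =
        encryptedFile(name).openFileInput().use { it.readBytes() }

    // Never leaves plaintext behind when the user "unhides" a file.
    fun remove(name: String): Boolean = vaultFile(name).delete()
}
```

Storing the original under the app’s private directory instead of the shared partition is what prevents the file-manager walk Rathaus describes; the encryption layer is what prevents recovery even if the private directory is exposed.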

The second issue, the weak lock mechanism vulnerability, allows an attacker with root access to the device to either see the PIN code associated with an app, or change it.

But it’s the last issue, the PIN reset vulnerability, that’s perhaps the most dangerous as it could give an attacker full control of the app. By exploiting its password reset function, an attacker could potentially reset a user’s PIN code and “gain full access to all functionalities of the application without any kind of special permission,” Rathaus claims.

The problem stems from the fact that if a user hasn’t set an email address, an attacker can simply add their own to retrieve a code and then reset the PIN, Rathaus says, adding that even if an email address has been set, an attacker could use Wireshark, intercept the traffic, and facilitate a reset request from there.

Rathaus claims the vendor, the Hong Kong-based DoMobile Lab, was receptive in the early stages, even telling the researcher that it values security and takes all vulnerabilities seriously. The company hasn’t returned an email in a month, however, even after “numerous attempts to establish communication with them have been attempted.” After a month of waiting, Rathaus was prompted to disclose the issues on Monday.

An email from Threatpost to the company on Tuesday asking for a timeline on a fix was not immediately returned, but as AppLock’s latest update came July 27, it’s unlikely DoMobile has addressed the issues yet.

 


Discussion

  • somebody on

    Before you go criticizing something, it probably would make sense for you to understand the purpose and claims made about the software. I just read the program's description, and it does not even ONCE use the words 'encryption' or 'security'. This application is *not meant* to encrypt data or store it securely. It is meant to HIDE it from casual device sharing. Like when you hand your phone to your buddy to make a call, prevents him from seeing the naughty pictures in your gallery.
  • Dan on

    I use AppLock but for its original purpose, to lock apps from nosy kids and spouses. I lock YouTube cause my kids are addicted to it, and I lock my note-taking app cause that's where I keep lists of people who borrowed money from me. I didn't even know they could "lock" pictures or documents.
    • hahaha on

      Haha Dan your comment made me laugh my ass off. I don't use an app for app locking because nobody uses my phone but me, but I do use notepad to keep track of who owes me money as well. Hahahaha
      • Dan on

        When you have young kids, every gadget you own is fair game for them. It's ok if they just play Angry Birds now and then, but they are addicted to YouTube. They can watch it hours on end. We are cord cutters BTW and don't have cable TV. As for the borrowers' list, well, you can never know. I have close kin and in-laws who might want to access my list, and they could innocently borrow my phone to Uber or "call" a cab.
        • hahaha on

          My cousin's son (3 years old) was using my phone to play Angry Birds once, he ended up deleting a bunch of contacts... I don't have cable TV either, too expensive.. anything I want to watch is simply a Google search away.
