
AppLock Android App Easily Hackable and Useless

AppLock Android App Used by 100 Million Users is Easily Hackable and Useless


Short Bytes: The popular Android app AppLock is used by more than 100 million people. According to the researchers, the app gives its users a false sense of security, because it is easily hackable and useless.
Millions of users rely on the Android applications known as app lockers to protect their pictures, messages, and other files. With these apps, you can lock your contacts, Facebook, gallery, texts and call logs to restrict unauthorized access. One of the most popular apps in this category, AppLock, is the #1 app locker in more than 50 countries and has more than 100 million users.
This app promises complete security to its users, but security researchers at SecuriTeam have reported three easily exploitable flaws in the AppLock Android application. According to the security firm, the app exposes user data even when a PIN is set.
The researchers found three vulnerabilities in the AppLock application:
  • The first vulnerability shows that your pictures and videos are not encrypted, only hidden from view. They can be recovered, with their original filenames, without any root permission.
  • The second vulnerability requires root permission: with it, one can easily remove the PIN lock from apps, add it to others, or change the existing PIN.
  • The third and most critical vulnerability is a PIN bypass. By exploiting it, one can reset the PIN code without root permission and take full control of the device.
The PIN bypass flaw allows an attacker to intercept the HTTP requests and responses exchanged while recovering a lost PIN; it results from the weak PIN reset mechanism. In this situation, an attacker can reset the PIN by having the reset code sent to his or her own email address. Along the same lines, the app's lack of encryption allows an attacker to access the files listed in AppLock's SQLite database.

AppLock Multiple Vulnerabilities

Introduction
AppLock is the most downloaded app lock in the Play Store:
  • #1 App lock in over 50 countries.
  • Over 100 Million users, supporting 24 languages.
  • AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
  • AppLock can hide pictures and videos; AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!
Vulnerability Details
The following report describes three (3) different vulnerabilities found in AppLock, an Android application with over 10 million downloads, used to secure pictures, videos and applications with a PIN code.
The first vulnerability shows that pictures and videos are not encrypted but merely hidden from the user; even without root permission we can recover them, together with their original filenames.
The second vulnerability shows how a user with root permission on the device can easily remove the PIN code from applications or add it to others, and can moreover change the PIN code.
The last, and most critical, vulnerability is a PIN bypass. Without root permission, and with all applications, settings, etc. locked by the app, it is possible to reset the PIN code to one of our choice and then take full control of the application.

Weak File “Encryption” Mechanism
This vulnerability allows an attacker to recover the files, photos and videos, that the target has placed in the “Vault”.
The user is led to think that the Vault performs some sort of encryption using the PIN code; instead, all the files are merely hidden in the filesystem.
It is important to note that all files are saved in the shared read/write partition of the filesystem, not in the storage assigned to the application. This allows anyone to read those files.
To retrieve the files the attacker only needs to install a file manager and go to:
//.dom0o7b1i1le/dont_remove/
and open the SQLite file (usually named with a 16-byte hash). Inside we will find the PATH of the images and videos we want, in the medias table, dest_path column.
We just need to replace .MySecurityData with .dom0o7b1i1le in the path to find the correct directory.
Once in the directory, the file will have a timestamp as its name. We can recover the correct name from the SQLite database opened before.

Technical Details
Steps
The following screenshots show the steps to retrieve the file:
[Screenshot: applock_image_1]
We can easily locate the SQLite database file in the hidden directory.
[Screenshot: applock_image_2]
In the file we can find the PATH of the image we want to retrieve. Remember that we may need to replace “.MySecurityData” with “.dom0o7b1i1le”.
[Screenshot: applock_image_3]
Inside the directory we find our file, named with a timestamp. We can simply copy it, or rename it back to its original name, to restore access.
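The advisory's point is that a "vault" file renamed to a timestamp is still the original media, not ciphertext. The following audit routine is an added example (not part of the SecuriTeam report or of AppLock) that a user or reviewer can run over such a file: a recognisable media header at offset 0 means the file is merely hidden, whereas real ciphertext shows no header and near-maximal byte entropy. The two sample blobs are constructed inline; no real vault is read.

```python
import hashlib
import math

# Magic-byte prefixes that a real encryption layer would never leave visible.
KNOWN_MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF89a": "GIF",
    b"RIFF": "RIFF (AVI/WAV/WebP)",
}

def detect_media_type(data: bytes):
    """Return the media type whose magic bytes match at offset 0, else None."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    if len(data) >= 8 and data[4:8] == b"ftyp":  # MP4/MOV family: 'ftyp' box
        return "MP4/MOV"
    return None

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; ciphertext or random data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def assess_vault_file(data: bytes) -> dict:
    """Classify a vault blob: a media header means the file is only hidden."""
    media = detect_media_type(data)
    entropy = shannon_entropy(data)
    if media:
        verdict = "plaintext (only hidden)"
    elif entropy > 7.5:
        verdict = "likely encrypted"
    else:
        verdict = "unknown/low-entropy"
    return {"media_type": media, "entropy": round(entropy, 2), "verdict": verdict}

# Constructed samples: a JPEG/JFIF header with filler, and 4 KiB of SHA-256
# output standing in for ciphertext.
SAMPLE_HIDDEN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 4
SAMPLE_ENCRYPTED = b"".join(hashlib.sha256(b"sample-ciphertext-%d" % i).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("1439900000000", SAMPLE_HIDDEN_JPEG), ("random", SAMPLE_ENCRYPTED)):
        print(name, assess_vault_file(blob))
```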
Weak Lock Mechanism (root required)
This vulnerability allows an attacker with local access to the target device, on which root permission is enabled, to perform the following operations:

  • Change the applications locked by the app: opening the SQLite database /data/data/com.domobile.applock/databases/domobile_elock.db, we can remove rows from the lock table (column pname).
  • Change the target PIN code: the PIN code hash is saved in /data/data/com.domobile.applock/shared_prefs/com.domobile.applock_preferences.xml, and it is a simple MD5 with a fixed salt used in ALL installations of the app. The salt is: domobile. Since most people use a simple PIN code (4-8 digits), it is also trivial to recover it with a brute-force attack.

Technical Details
Steps
[Screenshot: applock_image_4]
The hashed password can be found in the preferences file.
[Screenshot: applock_image_5]
It can be seen that, using 1234 as the PIN code and domobile as the salt, the hash matches.
[Screenshot: applock_image_6]
It is possible to see the list of locked applications, and to remove or add rows.
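The weakness above is a single fast MD5 over a low-entropy PIN with a salt shared by every installation. The following added example (not AppLock code; the PIN-then-salt concatenation order is an assumption, the weakness is the same either way) places that scheme next to a hardened one, a per-install random salt with PBKDF2-HMAC-SHA256, and works out the keyspace the advisory's brute-force claim rests on. The keyspace arithmetic is also applied to an 8-character case-insensitive alphanumeric code (36 symbols assumed), and the MD5 rate of a modest GPU is a constructed illustrative figure.

```python
import hashlib
import hmac
import math
import os

FIXED_SALT = b"domobile"  # the installation-independent salt named in the advisory
PBKDF2_ITERATIONS = 200_000

def weak_pin_hash(pin: str) -> str:
    """One MD5 over PIN plus the fixed salt (order assumed). The same PIN gives the
    same hash on every device, so a single precomputed table covers all installs."""
    return hashlib.md5(pin.encode() + FIXED_SALT).hexdigest()

def hardened_pin_hash(pin: str, salt: bytes = None):
    """Per-install random salt plus PBKDF2-HMAC-SHA256: precomputation no longer
    transfers between devices and every guess costs PBKDF2_ITERATIONS HMACs."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_hardened(pin: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def keyspace_size(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidates an exhaustive search over all allowed lengths covers."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def keyspace_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    return math.log2(keyspace_size(alphabet_size, min_len, max_len))

def worst_case_hours(alphabet_size: int, min_len: int, max_len: int, hashes_per_second: float) -> float:
    """Upper bound on exhaustive-search time for one fast hash per candidate."""
    return keyspace_size(alphabet_size, min_len, max_len) / hashes_per_second / 3600

if __name__ == "__main__":
    RATE = 1e9  # assumed MD5/s of a modest GPU: a constructed figure for illustration
    print("4-8 digit PIN: %.1f bits, <= %.5f h at %g MD5/s"
          % (keyspace_bits(10, 4, 8), worst_case_hours(10, 4, 8, RATE), RATE))
    print("8-char alphanumeric code: %.1f bits, <= %.2f h"
          % (keyspace_bits(36, 8, 8), worst_case_hours(36, 8, 8, RATE)))
    salt, digest = hardened_pin_hash("1234")
    print("weak:", weak_pin_hash("1234"), "| hardened verifies:", verify_hardened("1234", salt, digest))
```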

Weak PIN Reset Mechanism
This vulnerability allows the attacker to reset the PIN code and gain full access to all functionality of the application without any kind of special permission. To exploit it, we just need to start the reset password function; now there are two possibilities:

  • The target has not set an email address: in this case we can simply add our own address during the reset procedure to retrieve the code needed to reset the PIN.
  • The target has set an email address: if the target has already entered an address, we can do the following:
    • Using Wireshark, intercept the traffic from the smartphone to the internet
    • From the application, send out the reset request
    • Intercept the server response (which is sent over plain HTTP)
The server response contains an MD5 hash of the reset code sent to the email, so we do not need access to the target's email to retrieve the code. The code is a simple 8-character alphanumeric string, so the MD5 hash can be cracked in at most 1 hour using a low- to mid-range GPU.
Technical Details
Steps
For clarity I'll use an HTTP proxy to intercept requests and responses, but the same can be done with Wireshark in monitor mode.
[Screenshot: applock_image_7]
Insert password view
[Screenshot: applock_image_8]
We can either set an email, or send the code to our email.
[Screenshot: applock_image_9]
When the code is requested, its MD5 hash is sent back to the application over HTTP.
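Two design faults make the reset flow above breakable: the client chooses where the code is delivered, and the server's reply contains a hash of the code, so the mailbox is never needed. The following added example (a model, not AppLock's server code) writes the flawed server behaviour next to a hardened one in which nothing derived from the code leaves the server, delivery goes only to the address already on file, and verification is constant-time, time-limited, attempt-limited and single-use. MAILBOX is a constructed stand-in for e-mail delivery; transport protection (HTTPS) is assumed to be handled outside this code.

```python
import hashlib
import hmac
import os
import secrets
import time

MAILBOX = {}  # constructed stand-in for e-mail delivery: address -> last code sent

def insecure_request_reset(account_email: str, reply_to: str = None) -> dict:
    """Models the flaw: the caller may pick the delivery address, and the reply
    carries the MD5 of the 8-character code, so the mailbox is never needed."""
    code = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz0123456789") for _ in range(8))
    MAILBOX[reply_to or account_email] = code
    return {"status": "sent", "code_hash": hashlib.md5(code.encode()).hexdigest()}

class HardenedReset:
    """Code-derived data stays server-side; delivery only to the address on file;
    constant-time, expiring, attempt-limited, single-use verification."""
    TTL_SECONDS = 600
    MAX_ATTEMPTS = 5

    def __init__(self):
        self._pending = {}  # account_email -> {salt, digest, expires, attempts}

    def request_reset(self, account_email: str, reply_to: str = None) -> dict:
        if reply_to not in (None, account_email):
            return {"status": "sent"}  # silently ignore a substituted address
        code = secrets.token_urlsafe(24)  # 192 random bits: not guessable offline
        salt = os.urandom(16)
        self._pending[account_email] = {
            "salt": salt, "digest": hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000),
            "expires": time.time() + self.TTL_SECONDS, "attempts": 0}
        MAILBOX[account_email] = code
        return {"status": "sent"}  # no hash and no code in the response

    def confirm(self, account_email: str, submitted: str) -> bool:
        entry = self._pending.get(account_email)
        if entry is None or time.time() > entry["expires"]:
            return False
        entry["attempts"] += 1
        if entry["attempts"] > self.MAX_ATTEMPTS:
            del self._pending[account_email]  # lock out online guessing
            return False
        digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), entry["salt"], 100_000)
        if hmac.compare_digest(digest, entry["digest"]):
            del self._pending[account_email]  # single use
            return True
        return False
```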
Vendor Response
The vendor was very responsive at the beginning, with a reply within less than 24 hours saying that they take all vulnerabilities seriously; however, since the 31st of July no further response has been received, though numerous attempts to establish communication with them have been made. We have therefore decided to notify the public of this insecure product as soon as possible: it is being used by a lot of people to protect their phones, and they are getting a false sense of security.
