The popular Applock app encryption service is full to the brim with security flaws which place user data at risk, a researcher has claimed.
Downloaded over 100 million times, Applock is an Android-based app lock service with users in over 50 countries. Developed by DoMobile Lab, the app locks SMS messages, contacts, and other apps including Facebook, image galleries, settings, calls and Gmail, allowing a user to restrict access to content including videos and images, keeping files, apparently encrypted, behind a PIN-based security system.
However, SecuriTeam security blogger and Beyond Security chief technology officer Noam Rathus claims Applock has a number of vulnerabilities which place user apps and data risk -- made worse as all content is not actually encrypted, merely hidden from public view.
The first vulnerability reveals that pictures and images stored behind a PIN wall in a "vault" are not encrypted. Instead, they are simply hidden from the eyes of users -- and even without root permission, the research team were able to recover them in full.
As all the vault files are stored in a partition of the file system which allows read access, if an attacker installs a file manager and tampers with an SQLite file, they can find the vault's file path and retrieve the content they are after.
The second security flaw, due to a weak lock mechanism, shows how a user equipped with root permission can easily remove the PIN code from applications -- or add it to others if they wish. In addition, the flaw allows the PIN code to be changed.
All this attack takes is opening the SQLite database and changing the target PIN code, which is saved using a fixed salt -- domobile -- in all parts of the application. As most people use a simple PIN code with no more than eight digits, the team says using a brute force attack to harvest the code is a "trivial" matter.
The final critical flaw is a PIN bypass issue. Without root permissions and with all applications and settings blocked on the device, the PIN code can still be reset -- thereby allowing an attacker to take full control of the application.
To exploit the flaw, an attacker needs to reset the password function, which can be completed either through adding their own address through the reset procedure -- assuming the owner has not set an email address -- or by using wireshark to intercept the traffic from a mobile device to the Internet, as the server response is in HTTP.
"In the server response will be found an MD5 hash of the reset code sent to the email, so we do not need access to target email to retrieve the code. The code is a simple 8 alpha decimal string, so the MD5 hash can be cracked in max 1 hour using a low-mid end GPU card," the researchers noted.
These security issues are severe and place the reputation of Applock at risk, especially as the issues have not been patched. Rathus says the decision to go public with the vulnerabilities stemmed from a lack of communication between Applock and themselves, having received no responses concerning the flaws since 31 July. Rathus commented:
"We have therefore decided to notify the public of this insecure product as soon as possible, it is being used by a lot of people to protect their phones and therefore they are getting a false sense of security."
ZDNet has reached out to DoMobile Lab and will update if we hear back.