The widely popular Android application AppLock, by DoMobile Ltd., is claimed to be vulnerable to attackers.
AppLock enables users to add a security layer to their devices that locks and hides SMS, Gallery, Gmail, Facebook, Calls and any other app installed on the device.
A few of its features are:
- Protecting apps with either a PIN or a pattern lock
- Providing users a Photo Vault to hide pictures
- Providing users a Video Vault to hide videos
- Creating different user profiles, making it easy to switch locks
- Preventing apps from being uninstalled
- AppLock cannot be killed by task killers
This acts as advanced protection for the device, securing many features that come with an Android phone.
But does it really protect you?
Let’s have a look.
According to the researchers, the app that promises to hide and secure your data falls short when:
- You hide your photos and videos in the Vault
- You apply PIN protection to the AppLock app itself
- You enable PIN reset
The first vulnerability concerns the vault services with which “AppLock empowers you to control photo and video access”.
The researchers say that when you put something in the vault, the files are not encrypted; they are merely hidden elsewhere in the device’s file system, outside the storage assigned to the app.
As a result, anyone can access those files. An intruder can do so by installing a file manager on the device, replacing some files in the directory and reading the data from the SQLite database.
The second vulnerability allows an attacker to recover the PIN attached to an app by brute force. The researchers claim that the salt combined with the password/PIN was a fixed value, “domobile”.
This requires a rooted device. An attacker can also remove or change the lock applied to an app.
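To show why a fixed salt matters, here is an added example (not code from the article, the researchers or DoMobile). It contrasts a fixed-salt fast hash with a per-user random salt and a slow KDF; the article reports only the salt value and that MD5 is involved, so MD5(salt || PIN) is an assumed construction, and the PBKDF2 scheme is the mitigation a defender would substitute.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

FIXED_SALT = b"domobile"  # fixed salt reported by the researchers (from the article)


def weak_hash(pin: str, salt: bytes = FIXED_SALT) -> str:
    """Fixed salt + fast hash. Assumed construction: MD5(salt || pin).

    Because the salt never changes, the same PIN always yields the same
    digest on every device, so one precomputed table of all short PINs
    matches every user; MD5 also costs essentially nothing to evaluate.
    """
    return hashlib.md5(salt + pin.encode()).hexdigest()


def strong_hash(pin: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Per-user random salt + slow KDF (PBKDF2-HMAC-SHA256).

    Returns (salt, digest); both are stored. A fresh 16-byte salt means two
    users with the same PIN get unrelated digests, and the iteration count
    makes each guess expensive, which is the only real defence for a space
    as small as a 4-digit PIN.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return salt, digest


def verify_strong(pin: str, salt: bytes, digest: bytes,
                  iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = strong_hash(pin, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: two different users who chose the same PIN.
    print("weak, user A:", weak_hash("1234"))
    print("weak, user B:", weak_hash("1234"))  # identical digest
    salt_a, dig_a = strong_hash("1234")
    salt_b, dig_b = strong_hash("1234")
    print("strong digests differ:", dig_a != dig_b)
    print("verify correct PIN:", verify_strong("1234", salt_a, dig_a))
```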
The third vulnerability allows an attacker to reset the PIN code and gain complete access to the targeted application without any special permissions.
Here, the researchers say an attacker can violate the user’s privacy by resetting the password as follows:
- If the user has not provided an e-mail address, the attacker can add their own and receive the reset code.
- If the user has provided an e-mail address, the attacker can intercept the traffic with Wireshark and obtain the MD5 hash.
SecuriTeam tried to contact the vendor but received no response. They add that their aim is to protect users’ privacy by warning them about a “false sense of security”.
AppLock is installed in over 50 countries, has over 100 million users and supports 24 languages. Besides AppLock, DoMobile develops various apps for Android and iOS devices.