September 3, 2015 By Douglas Bonderud 2 min read

App encryption is big business. It's no surprise: Mobile users are inundated with stories about NSA spooks and international actors poking their noses into personal devices and sniffing out all manner of content, from documents to photos to text message logs. Meeting the demand are apps like Orbot Proxy with Tor, ChatSecure and current newsmaker AppLock for Android. The problem? This isn't all good press. According to Threatpost, the lock app overstates how well it secures user data, and researchers have shown how little effort it takes for an attacker to get around it.

Promise and Practice

On paper, AppLock looks good. Developer DoMobile says the app can lock down SMS messages, contacts, image galleries and even other apps such as Facebook or Gmail. The result should be a PIN-protected, encrypted vault that keeps intruders at bay. No wonder, then, that the app has attracted 100 million users in 50 countries looking for an effective way to safeguard their data. But this is just a promise; according to Noam Rathaus of Beyond Security, in practice the app isn't so stellar.

In fact, ZDNet described the service as "full to the brim" with security flaws, which shake out into three main vulnerabilities. First up is the big one: Photos and other files supposedly stored in a PIN-protected vault are not actually encrypted; they are simply moved to a different location on the device and hidden from view. By installing a file manager and opening an SQLite database the app keeps on the device, an attacker can find the hidden file path and retrieve any user content, unencrypted. Second, an actor with root access can remove the PIN requirement from any application, or add a PIN to other apps on the device, by editing that same SQLite database. Worse, the user's PIN is stored there as a hash with a fixed salt, "domobile," which is identical for every install. A short numeric PIN protected that way can be recovered offline by simply trying every possible value, and because the salt never changes, a single precomputed table of hashes unlocks every user's PIN.

Finally, attackers can reset any AppLock password by adding their own email address to the password-reset flow if the user hasn't registered one, or by intercepting the app's unencrypted HTTP traffic with Wireshark and reading the reset code in transit. The result? Even with apps and settings blocked, users still aren't safe, and cybercriminals don't even need root permission to carry out this attack.
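To make the PIN-storage flaw concrete, here is an added example (not the page's code and not DoMobile's) that shows why a fixed salt plus a short PIN is no protection once an attacker can read the database. Everything beyond the salt value "domobile" is an assumption for illustration: the hash algorithm (MD5, salt prepended), the table and column names, and the in-memory SQLite database are all constructed here and do not reproduce the app's real schema.

```python
import hashlib
import itertools
import os
import sqlite3
from typing import Dict, Iterator, Optional, Tuple

# The constant salt reported for AppLock. Everything else in this file is an
# assumption made for illustration, not the app's verified scheme.
FIXED_SALT = "domobile"


def pin_hash(pin: str, salt: str = FIXED_SALT) -> str:
    """Hash a PIN with the salt prepended (assumed layout, assumed MD5)."""
    return hashlib.md5((salt + pin).encode("utf-8")).hexdigest()


def build_sample_db(pin: str) -> sqlite3.Connection:
    """Constructed in-memory SQLite database standing in for the app's settings
    store. Table and column names are hypothetical."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)")
    con.executemany(
        "INSERT INTO settings (name, value) VALUES (?, ?)",
        [("password", pin_hash(pin)), ("salt", FIXED_SALT)],
    )
    con.commit()
    return con


def read_stored_hash(con: sqlite3.Connection) -> Tuple[str, str]:
    """What an attacker with a file manager sees: the hash and the salt."""
    stored = con.execute("SELECT value FROM settings WHERE name = 'password'").fetchone()[0]
    salt = con.execute("SELECT value FROM settings WHERE name = 'salt'").fetchone()[0]
    return stored, salt


def all_pins(digits: int = 4) -> Iterator[str]:
    """Every numeric PIN of the given length: only 10**digits candidates."""
    for tup in itertools.product("0123456789", repeat=digits):
        yield "".join(tup)


def crack_pin(target: str, salt: str, digits: int = 4) -> Optional[str]:
    """Offline brute force: at most 10**digits hash computations."""
    for candidate in all_pins(digits):
        if pin_hash(candidate, salt) == target:
            return candidate
    return None


def lookup_table(salt: str, digits: int = 4) -> Dict[str, str]:
    """Because the salt is fixed, one hash -> PIN table serves every install."""
    return {pin_hash(p, salt): p for p in all_pins(digits)}


def crack_from_db(con: sqlite3.Connection) -> Optional[str]:
    """End to end: read the database, recover the PIN."""
    target, salt = read_stored_hash(con)
    return crack_pin(target, salt)


if __name__ == "__main__":
    con = build_sample_db("4826")
    print("brute force from database:", crack_from_db(con))

    table = lookup_table(FIXED_SALT)
    target, _ = read_stored_hash(con)
    print("precomputed table lookup:", table.get(target))

    # A per-install random salt defeats the shared table, but not the search:
    # the real weakness is the tiny PIN keyspace once the hash is readable.
    user_salt = os.urandom(8).hex()
    print("shared table vs random salt:", table.get(pin_hash("4826", user_salt)))
    print("brute force vs random salt:", crack_pin(pin_hash("4826", user_salt), user_salt))
```

The last two lines make the practical point: swapping the fixed salt for a random one stops a single precomputed table from unlocking every device, but a four-digit PIN still falls to ten thousand guesses in a fraction of a second. Once the hash is readable from the device, salting alone does not save it; the files themselves need to be encrypted under a key that is not derivable from what sits in that database.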

Sales or Security?

AppLock is the current target of consumer and tech news ire for failing to perform as advertised, but the lack of real security here isn't terribly shocking: The company saw a void, filled it and made a tidy sum in the process. Nor is the situation unique.

As reported by The Inquirer, Google is now providing app developers a workaround for App Transport Security (ATS), the iOS 9 feature that by default requires an app's network connections to use HTTPS. Why? Because some Google AdMob advertisements are still served over plain HTTP and won't load on iOS 9 devices as a result. While Google calls this a short-term fix and advises developers to "only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful," the underlying message is clear: Sales trump security.

What does all this mean for users looking to protect data and companies hoping to safeguard corporate assets? It's often better to go native. On Android, for example, built-in device encryption is a sound starting point. It makes fewer promises than AppLock, but it is arguably the more honest approach to staying safe.
