14 DAY TRIAL // The Android app AppLock used by millions of users to restrict access to various phone features and applications is plagued by three serious flaws, as Noam Rathaus, CTO of Beyond Security is reporting.
AppLock, an application developed by Honk Kong-based DoMobile, is a mobile app used by over 100 million users in over 50 countries, and can be utilized to block access to a phone's SMS messages, contacts, Gmail, Facebook, image gallery, settings, calls log and any other app installed on the user's Android smartphone.
According to Mr. Rathaus, AppLock is plagued by three vulnerabilities which expose the user's data, despite being locked by the application using a PIN.
The AppLock PIN can be easily changed
The most critical of all is a PIN bypass bug, which can be used without needing root permission on the device. This vulnerability manifests through a weak PIN reset mechanism, which allows attackers to intercept HTTP requests and responses when the user tries to recover a lost PIN.
While this relies on intercepting network traffic originating from the device, there's also a case when the AppLock user has not associated an email with his app's settings.
For this situation, any attacker using the password reset function can enter his own email and receive the code needed to reset the PIN, without any other secondary verification steps.
Pins can be removed or added to other apps by any astute attacker
The second vulnerability resides in a lack of encryption used to store the location of locked files, which can easily be discovered by sniffing around inside AppLock's SQLite database.
As the first, this vulnerability does not need root access and will allow any malicious actor to easily get access to locked files.
For the third vulnerability root access is required, so there are lesser chances of being exploited, but when this happens, attackers can change the PIN, remove the PIN from current applications, and even add it to others, locking the user out of his own files.
All AppLock flaws have been discovered this summer, and the vendor was contacted immediately. Unfortunately, Mr. Rathaus says DoMobile stopped all communications after being informed of the flaws on July 31.
Since the app was last updated four days earlier, after waiting a month he decided to disclose his findings because he felt that the developer is giving users "a false sense of security."