We have previously discussed certain file locker apps that fail to hide files properly. We recently came across yet another file locker app, AppLock, which has the same issue. However, the vulnerability in this app goes beyond improperly hiding files: it can allow other apps to manipulate the app’s configuration files. The configuration files include data such as the application’s preferences files, login passwords and emails, and even the Google Ad Publisher ID, which is used for Google AdSense accounts.
Access to Configuration Files
When a user tries to “lock” or “hide” a file, the app just moves it from its original location to a specific location on the SD card, a subpath under /sdcard/.MySecurityData/dont_remove/. The “hidden” file is neither encrypted nor encoded in any way. Information related to the file, such as the file name, the extension and the timestamp, is inserted into a world-readable database on the SD card, at the path /sdcard/.MySecurityData/dont_remove/6c9d3f90697a41b. Because this database is world-readable, any app can read or access it.
Bad guys can use this access to manipulate the app’s configuration files. One way to manipulate the files is to alter the app’s Google Ad Publisher ID. As mentioned, this ID is used for Google AdSense, as a way to generate income through ads. Attackers can begin by locking a file and then accessing the database.
Given that the database is stored on the SD card, no special or unique permissions are required to edit the files. It only requires the permissions commonly used to read and write the files, android.permission.MOUNT_UNMOUNT_FILESYSTEMS and android.permission.WRITE_EXTERNAL_STORAGE.
Figure 1. Reading the database
Figure 2. Fake Google Ad configuration file was successfully inserted
Figure 3. The email address and password can be seen
Figure 4. Encrypted passwords can be obtained via different tools
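A check that a developer or tester can run over a copy of their own app's shared-storage directory to catch the flaw described above, where "hidden" files and the metadata database sit on the SD card in recognisable, unencrypted form. This is an added example, not code from the original article or from the app; the `vault` subdirectory, the `photo` and `sealed` file names and all file contents are constructed for illustration.

```python
import os
import tempfile

# Leading bytes that identify content stored in a recognisable, unencrypted form.
MAGIC = {
    b"SQLite format 3\x00": "sqlite-db",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
}

def classify(path):
    """Return a label when the file starts with a known magic value, else None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None

def audit_shared_storage(root):
    """List (relative path, label) for every plaintext-recognisable file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            label = classify(full)
            if label:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, label))
    return sorted(findings)

def run_demo():
    """Build a constructed tree mirroring the article's layout and audit it."""
    samples = {
        "6c9d3f90697a41b": b"SQLite format 3\x00" + b"\x00" * 84,  # metadata database
        "vault/photo": b"\xff\xd8\xff\xe0" + b"constructed body",  # "hidden" file, moved as-is
        "vault/sealed": bytes.fromhex("9f3c71e2") * 16,  # stands in for ciphertext
    }
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, ".MySecurityData", "dont_remove")
        os.makedirs(os.path.join(base, "vault"))  # "vault" is a hypothetical subpath
        for rel, data in samples.items():
            with open(os.path.join(base, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return audit_shared_storage(root)

if __name__ == "__main__":
    for rel, label in run_demo():
        print(f"PLAINTEXT {label:10} {rel}")
```

Any finding under shared storage means the content is readable and writable by other apps holding storage permissions; such data belongs in the app's private internal storage, encrypted if it is sensitive.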