AppLock Vulnerability Leaves Configuration Files Open

We have previously discussed about certain file locker apps that fail to hide files properly. We recently came across yet another file locker app, AppLock, which has the same issue. However, the vulnerability concerning this app goes beyond improperly hiding files—the vulnerability can allow other apps to manipulate the app’s configuration files. The configuration files include data such as the application’s preferences files, login passwords and emails, and even the Google Ad Publisher ID, which is used for Google AdSense accounts. Access to Configuration Files When a user tries to “lock” or “hide” a file, the app just moves from its original location into specific location on the SD card, which is a subpath under /sdcard/.MySecurityData/dont_remove/. The “hidden” file is neither encrypted nor encoded in any way. Information related to the file, such as the file name, the extension and the timestamp, will be inserted in a world-readable database in the SD card, with the path /sdcard/.MySecurityData/dont_remove/ 6c9d3f90697a41b. And because this database is world-readable, any app can actually read or access this database. Bad guys can use this access to manipulate the app’s configuration files. One way to manipulate the files is to alter the app’s Google Ad Publisher ID. As mentioned, this ID is used for Google Adsense, as a way to generate income by ads. Attackers can begin this by locking a file then by accessing the database. Given that the database is stored in the SD card, no special or unique permissions are required to edit the files. It only requires the permissions commonly used to read and write the files, android.permission.MOUNT_UNMOUNT_FILESYSTEMS and android.permission.WRITE_EXTERNAL_STORAGE.

Figure 1. Reading the database

Attackers can then create a fake Google Ad configuration file and put it in a specific path. The database can then be updated to point to that particular path, triggered by the “unlock” function of the app. As illustrated in the screencap below, the configuration file was successfully changed.

Figure 2. Fake Google Ad configuration file was successfully inserted

User Information Leakage Manipulating the configuration files can also open the door for data leakage. Cybercriminals can update the media table of the database file and change the paths directories. Once the unlock function is triggered, the media table can be copied to an accessible directory in the SD card. The stored password and email account can then be leaked.

Figure 3. The email address and password can be seen

The password is encrypted but this can be decrypted through an decrypter service or MD5 rainbow tables.

Figure 4. Encrypted passwords can be obtained via different tools

Crashing the Application Manipulating the configuration files can also result in the application crashing. If someone includes a non-existent path in the file, the app will pause for several minutes and finally crash. Losses for Developers and Users The accessibility of the configuration files spells trouble for both developers and users. The developers can lose income if their connection to their Google AdSense account is cut. For users, a major concern would be the potential data leakage of their account credentials and their email accounts. We have notified both the developers and Google about this issue in early August. As of September 4, the developers of AppLock have stated that a new version of the app will be made available, which addresses the issues discussed in this entry.