September 3, 2015 By Douglas Bonderud 2 min read

App encryption is big business. It’s no surprise: Mobile users are inundated with stories about NSA spooks and international actors poking their noses into personal devices and sniffing out all manner of content — from documents to photos to text message logs. Meeting the demand are apps like Orbot Proxy with Tor, ChatSecure and current newsmaker AppLock for Android. The problem? This isn’t all good press. According to Threatpost, the lock app is telling white lies about how it secures data and how easy it is for attackers to compromise security.

Promise and Practice

On paper, AppLock looks good. Developer DoMobile says that the app can lock down SMS messages, contacts, image galleries and even other apps like Facebook or Gmail. The result should be a PIN-protected, encrypted security system that easily keeps intruders at bay. No wonder, then, that the app enjoys 100 million users in 50 countries across the world looking for an effective way to safeguard their data. But this is just a promise; according to Noam Rathaus of Beyond Security, in practice, the app isn’t so stellar.

In fact, ZDNet described the service as “full to the brim” with security flaws, which shake out into three main vulnerabilities. First up is the big one: Pictures, images and other files supposedly stored in a PIN-protected vault are not actually encrypted, but rather moved to a different location on the device and hidden from view. By installing a file manager and tampering with an SQLite file found in the app, it’s possible for attackers to find the hidden file path and retrieve any user content. It’s also possible for actors with root access to remove the PIN requirement for any application or add a new PIN to other apps on the device by opening the SQLite database and using brute force to crack a user’s PIN, which is always saved using a fixed salt, “domobile.”

Finally, attackers can reset any AppLock password by adding their own email address to the reset script if users haven’t added one or by intercepting mobile HTTP traffic using wireshark. The result? Even with apps and settings blocked, users still aren’t safe — cybercriminals don’t even need root permission to carry out this attack.

Sales or Security?

AppLock is the current target of consumer and tech news ire for failing to perform as advertised, but the lack of real security here isn’t terribly shocking; the company saw a void, filled it and made a tidy sum in the process. It’s not as though the situation is unique.

As reported by The Inquirer, Google is now providing app developers a workaround for new iOS 9 security measures, which will require all iPhone content to use HTTPS encryption. Why? Because some Google-based AdMob advertisments still use HTTP and won’t appear on iOS devices as a result. While Google claims this is a short-term fix and advises developers to “only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful,” the underlying message is clear: Sales trump security.

What does all this mean for users looking to protect data and companies hoping to safeguard corporate assets? It’s often better to go native. When it comes to Android devices, for example, built-in device encryption is a great starting point. While it doesn’t come with the big promises of AppLock, it’s arguably a more honest approach to staying safe.

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today