September 3, 2015 By Douglas Bonderud 2 min read

App encryption is big business. It’s no surprise: Mobile users are inundated with stories about NSA spooks and international actors poking their noses into personal devices and sniffing out all manner of content — from documents to photos to text message logs. Meeting the demand are apps like Orbot Proxy with Tor, ChatSecure and current newsmaker AppLock for Android. The problem? This isn’t all good press. According to Threatpost, the lock app is telling white lies about how it secures data and how easy it is for attackers to compromise security.

Promise and Practice

On paper, AppLock looks good. Developer DoMobile says that the app can lock down SMS messages, contacts, image galleries and even other apps like Facebook or Gmail. The result should be a PIN-protected, encrypted security system that easily keeps intruders at bay. No wonder, then, that the app enjoys 100 million users in 50 countries across the world looking for an effective way to safeguard their data. But this is just a promise; according to Noam Rathaus of Beyond Security, in practice, the app isn’t so stellar.

In fact, ZDNet described the service as “full to the brim” with security flaws, which shake out into three main vulnerabilities. First up is the big one: Pictures, images and other files supposedly stored in a PIN-protected vault are not actually encrypted, but rather moved to a different location on the device and hidden from view. By installing a file manager and tampering with an SQLite file found in the app, it’s possible for attackers to find the hidden file path and retrieve any user content. It’s also possible for actors with root access to remove the PIN requirement for any application or add a new PIN to other apps on the device by opening the SQLite database and using brute force to crack a user’s PIN, which is always saved using a fixed salt, “domobile.”

Finally, attackers can reset any AppLock password by adding their own email address to the reset script if users haven’t added one or by intercepting mobile HTTP traffic using wireshark. The result? Even with apps and settings blocked, users still aren’t safe — cybercriminals don’t even need root permission to carry out this attack.

Sales or Security?

AppLock is the current target of consumer and tech news ire for failing to perform as advertised, but the lack of real security here isn’t terribly shocking; the company saw a void, filled it and made a tidy sum in the process. It’s not as though the situation is unique.

As reported by The Inquirer, Google is now providing app developers a workaround for new iOS 9 security measures, which will require all iPhone content to use HTTPS encryption. Why? Because some Google-based AdMob advertisments still use HTTP and won’t appear on iOS devices as a result. While Google claims this is a short-term fix and advises developers to “only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful,” the underlying message is clear: Sales trump security.

What does all this mean for users looking to protect data and companies hoping to safeguard corporate assets? It’s often better to go native. When it comes to Android devices, for example, built-in device encryption is a great starting point. While it doesn’t come with the big promises of AppLock, it’s arguably a more honest approach to staying safe.

More from

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

How I got started: Cyber AI/ML engineer

3 min read - As generative AI goes mainstream, it highlights the increasing demand for AI cybersecurity professionals like Maria Pospelova. Pospelova is currently a senior data scientist, and data science team lead at OpenText Cybersecurity. She also worked at Interest, an AI cybersecurity company acquired by MicroFocus and then by OpenText. She continues as part of that team today.Did you go to college? What did you go to school for?Pospelova: I graduated with a bachelor’s degree in computer science and a master’s degree…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today