September 3, 2015 By Douglas Bonderud 2 min read

App encryption is big business. It’s no surprise: Mobile users are inundated with stories about NSA spooks and international actors poking their noses into personal devices and sniffing out all manner of content — from documents to photos to text message logs. Meeting the demand are apps like Orbot Proxy with Tor, ChatSecure and current newsmaker AppLock for Android. The problem? This isn’t all good press. According to Threatpost, the lock app is telling white lies about how it secures data and how easy it is for attackers to compromise security.

Promise and Practice

On paper, AppLock looks good. Developer DoMobile says that the app can lock down SMS messages, contacts, image galleries and even other apps like Facebook or Gmail. The result should be a PIN-protected, encrypted security system that easily keeps intruders at bay. No wonder, then, that the app enjoys 100 million users in 50 countries across the world looking for an effective way to safeguard their data. But this is just a promise; according to Noam Rathaus of Beyond Security, in practice, the app isn’t so stellar.

In fact, ZDNet described the service as “full to the brim” with security flaws, which shake out into three main vulnerabilities. First up is the big one: Pictures, images and other files supposedly stored in a PIN-protected vault are not actually encrypted, but rather moved to a different location on the device and hidden from view. By installing a file manager and tampering with an SQLite file found in the app, it’s possible for attackers to find the hidden file path and retrieve any user content. It’s also possible for actors with root access to remove the PIN requirement for any application or add a new PIN to other apps on the device by opening the SQLite database and using brute force to crack a user’s PIN, which is always saved using a fixed salt, “domobile.”

Finally, attackers can reset any AppLock password by adding their own email address to the reset script if users haven’t added one or by intercepting mobile HTTP traffic using wireshark. The result? Even with apps and settings blocked, users still aren’t safe — cybercriminals don’t even need root permission to carry out this attack.

Sales or Security?

AppLock is the current target of consumer and tech news ire for failing to perform as advertised, but the lack of real security here isn’t terribly shocking; the company saw a void, filled it and made a tidy sum in the process. It’s not as though the situation is unique.

As reported by The Inquirer, Google is now providing app developers a workaround for new iOS 9 security measures, which will require all iPhone content to use HTTPS encryption. Why? Because some Google-based AdMob advertisments still use HTTP and won’t appear on iOS devices as a result. While Google claims this is a short-term fix and advises developers to “only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful,” the underlying message is clear: Sales trump security.

What does all this mean for users looking to protect data and companies hoping to safeguard corporate assets? It’s often better to go native. When it comes to Android devices, for example, built-in device encryption is a great starting point. While it doesn’t come with the big promises of AppLock, it’s arguably a more honest approach to staying safe.

More from

DOD establishes Office of the Assistant Secretary of Defense for Cyber Policy

2 min read - The federal government recently took a new step toward prioritizing cybersecurity and demonstrating its commitment to reducing risk. On March 20, 2024, the Pentagon formally established the new Office of the Assistant Secretary of Defense for Cyber Policy to supervise cyber policy for the Department of Defense. The next day, President Joe Biden announced Michael Sulmeyer as his nominee for the role.“In standing up this office, the Department is giving cyber the focus and attention that Congress intended,” said Acting…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today