September 3, 2015 By Douglas Bonderud 2 min read

App encryption is big business. It’s no surprise: Mobile users are inundated with stories about NSA spooks and international actors poking their noses into personal devices and sniffing out all manner of content — from documents to photos to text message logs. Meeting the demand are apps like Orbot Proxy with Tor, ChatSecure and current newsmaker AppLock for Android. The problem? This isn’t all good press. According to Threatpost, the lock app is telling white lies about how it secures data and how easy it is for attackers to compromise security.

Promise and Practice

On paper, AppLock looks good. Developer DoMobile says that the app can lock down SMS messages, contacts, image galleries and even other apps like Facebook or Gmail. The result should be a PIN-protected, encrypted security system that easily keeps intruders at bay. No wonder, then, that the app enjoys 100 million users in 50 countries across the world looking for an effective way to safeguard their data. But this is just a promise; according to Noam Rathaus of Beyond Security, in practice, the app isn’t so stellar.

In fact, ZDNet described the service as “full to the brim” with security flaws, which shake out into three main vulnerabilities. First up is the big one: Pictures, images and other files supposedly stored in a PIN-protected vault are not actually encrypted, but rather moved to a different location on the device and hidden from view. By installing a file manager and tampering with an SQLite file found in the app, it’s possible for attackers to find the hidden file path and retrieve any user content. It’s also possible for actors with root access to remove the PIN requirement for any application or add a new PIN to other apps on the device by opening the SQLite database and using brute force to crack a user’s PIN, which is always saved using a fixed salt, “domobile.”

Finally, attackers can reset any AppLock password by adding their own email address to the reset script if users haven’t added one or by intercepting mobile HTTP traffic using wireshark. The result? Even with apps and settings blocked, users still aren’t safe — cybercriminals don’t even need root permission to carry out this attack.

Sales or Security?

AppLock is the current target of consumer and tech news ire for failing to perform as advertised, but the lack of real security here isn’t terribly shocking; the company saw a void, filled it and made a tidy sum in the process. It’s not as though the situation is unique.

As reported by The Inquirer, Google is now providing app developers a workaround for new iOS 9 security measures, which will require all iPhone content to use HTTPS encryption. Why? Because some Google-based AdMob advertisments still use HTTP and won’t appear on iOS devices as a result. While Google claims this is a short-term fix and advises developers to “only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful,” the underlying message is clear: Sales trump security.

What does all this mean for users looking to protect data and companies hoping to safeguard corporate assets? It’s often better to go native. When it comes to Android devices, for example, built-in device encryption is a great starting point. While it doesn’t come with the big promises of AppLock, it’s arguably a more honest approach to staying safe.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today