ANDROID APPLOCK APP ABORTIVE : 3 CRITICAL FLAWS DETECTED!

ANDROID APPLOCK APP ABORTIVE : 3 CRITICAL FLAWS DETECTED!

A DoMobile Ltd. ‘s Android security app, Applock has been claimed to be prone to the hackers as three critical flaws have been reported in the App.

AppLock Android app, with over 100 million users, has been known to allow users apply a security layer to their device and the other apps installed on the device.

This feature-rich advanced protection app for your device enforced security by

  • locking apps using either PIN, PASSWORD or a PATTERN
  • providing users with a vault for photos and videos.
  • ease to change the locks by allowing different user profiles.
  • preventing apps from being uninstalled.

These security features, no doubt, draws the attention of android users to enforce data  security in their devices. However, according to a recent report 3 critical security flaws have been reported in the app by Beyond Security’s 'SecuriTeam Secure Disclosure' (SSD).

The Fallacy has been reported to harm the security when :

Photos and videos are hidden in Vault: Files put in the vault were not encrypted, in fact  hidden in the file system of the device rather than the one assigned to the app. Thus making the files easily accessible to the intruder by simple installation of  a file manager on the device, simultaneous replacement of some files in the directory and the data extraction from the SQLite database.

PIN Protection to the AppLock App is applied: The attacker can easily brute force the PIN as a fixed SALT was employed to hitch with the password/PIN i.e. “domobile”. Just by rooting the device the hacker can reset the applied lock.

Reset the PIN is enabled: According to the researchers, the intruder can easily add his e-mail address if not added by the user and get the PIN altered. Or, if e-mail id has been provided, the hacker may obtain the MD5 hash by intercepting the traffic using Wireshark.

However ,the SecuriTeam,with an agenda to protect the user’s privacy by warning them about a “false sense of security”, didn’t receive any reply from the vendor.