Short Bytes: Popular Android app AppLock is used by more than 100 million people. According to the researchers, the app is providing a false sense of security to the users as the app is easily hackable and useless.
This app promises to provide complete security to the users, but the security researchers at SecuriTeam have reported three easily exploitable flaws in the AppLock Android application. According to the security firm, the app exposes user data even when the application is using a PIN.
In the AppLock application, the researchers found 3 vulnerabilities. These vulnerabilities are:
- The first vulnerability shows that your pictures and videos are not encrypted and they are just hidden from the users. They can be recovered with their original filenames without any root permission.
- The second vulnerability deals with the root permission and how one can easily remove the PIN code from the app and add it to others. A person can also change the existing PIN.
- The third and most critical vulnerability talks about the PIN bypass. By exploiting this vulnerability, one can reset the PIN code without root permissions and take full control of the device.
The PIN bypass flaw allows the attacker to intercept HTTP request and responses while trying to recover a lost PIN. This is due to the weak reset PIN mechanism. In this situation, an attacker can reset the password by sending the PIN to his/her own email. Along the same lines, in the app, there is a lack of encryption that allows the attacker to access the files inside AppLock’s SQLite database.
These vulnerabilities and steps to access locked files is shared in details on the SecuriTeam blog.