The Severe Flaw Found in Certain File Locker Apps

Protecting data has always been one of the most important aspects of our digital life. Given the amount of activity done on smartphones, this is especially rings true for smartphones. While users may use the built-in privacy and security settings of their devices, others take it a step further and employ security and privacy protection apps.

One of the ways to protect smartphone data is by using “file locker” apps. As the name implies, these apps can be used as storage for sensitive data. The apps store the data away from prying eyes, often using encryption and passwords for additional security.

But how effective are these apps in protecting your data? Is it safe to assume that these apps will live up to their promise and offer the level of security that our data needs? Unfortunately, we analyzed the more popular ones in Google Play and found that these apps fail to deliver what they promise.

The apps we analyzed are the following:

  • https://play.google.com/store/apps/details?id=com.tonado.boli.hiper
  • https://play.google.com/store/apps/details?id=com.domobile.applock
  • https://play.google.com/store/apps/details?id=com.newsoftwares.folderlock_v1
  • https://play.google.com/store/apps/details?id=com.mwgo.filelocker

As of posting, we have informed the developers of the said apps as well as Google.

Tip Calculator in Disguise

File Hide Pro claims to hide files “in seconds!” It even disguises itself as a tip calculator for an additional layer of privacy. However, we have learned that the only “protection” this app offers is renaming files to begin with a “.”

Figure 1 shows that the only difference after the action “hide” is performed is the renaming of the file.

Figure 1. File name of images before and after the “hide” function is performed

The application creates a file located in sdcard/.hermit/.hermit_restore.hider as an index. These files are found in the SD card and these files are world-readable, meaning, they are readable by any application in the system. In fact, these “hidden” files can be browsed using a file explorer. Malicious apps and users could also use /.hermit_restore.hider as a clue to find and read the so-called hidden files.


Figure 2. Contents of “.hermit_restore.hider”

Hidden Files in a Readable Database

File Locker “hides” a user’s files by moving them to the fixed folder /sdcard/ .MySecurityData/dont_remove/. Unfortunately, the location of the hidden files and the original files are stored in a SQLite3 database. Both the database and the hidden files are located in the SD card and they are world-readable.

“Secure” Wallet for Banking Information

Folder Lock, meanwhile, tries to distinguish itself from other applications by offering a secured “wallet” for information such as credit card numbers, passwords, and other banking/business-related information. Analysis shows that rather than be encrypted, the data in the “wallet” is stored in cleartext in a world-readable path. Other “hidden” files are stored in fixed path folders without any encryption.


Figure 3. Sample data in the “wallet” function


Figure 4. Sample data is stored in cleartext

Encryption Without Protection

The app App Lock we analyzed actually does what it advertises—it encrypts files. But does this mean a user’s files are safe? As it turns out, they aren’t.

The application encrypts files using a fixed, self-defined algorithm. Unfortunately, cybercriminals can easily implement the decryption algorithm by decompiling the .APK file. This means that there really is no difference between the data that is encrypted and data stored in cleartext.

Figure 5. Files are locked with the sample password “123″

Figure 6. The decrypted locked files with the password displayed

It’s worth noting that the use of passwords is pretty moot for this app. The set password is simply encrypted and saved in the last block of each encrypted files. In short, the password is treated as just another file to be stored. Once the files are decrypted, both the files and the passwords are revealed.Ideally, the password would prevent other people from accessing the files, even if they know the decryption process.

Protecting Your Data

Of course, the initial issue here is the fact that these apps don’t work as they claim. However, the bigger issue is that files are potentially at risk for data theft or leakage. One common detail we’ve noticed with these apps is that the data can be accessed by other apps and accounts. This means that even non-malicious apps can access these files.

The issue is further compounded by the fact that these apps are very popular. One app alone has reached the 50 million download mark while others have also reached millions of downloads.  Users must be discerning when downloading apps. App reviews can help a person check if an app truly works as its claims. For apps concerning security, it’s best to download apps from known security vendors.

But more than selecting the right apps, perhaps another way of securing data is to remember that apps are not the end-all, be-all solution to protecting your privacy. Users should employ other privacy features and solutions to protect their data from prying eyes. For example, they could store their files and make back-up copies in a different, secure location via Trend Micro Safe Sync.

Another way to protect sensitive data is to actually limit the amount of data stored in mobile devices. Given the amount and variety of activities performed on mobile devices, it seems unavoidable to store some form of sensitive data. However, keeping the amount of stored data to the barest minimum will make it easier for users to keep track of it. After all, it’s easier to keep track of data stored in five apps than say, twenty apps. Less data could mean fewer privacy problems.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

The Severe Flaw Found in Certain File Locker Apps

Read more: The Severe Flaw Found in Certain File Locker Apps

Story added 31. July 2014, content source with full text you can find at link above.