On the Google Play Store the application “Photo,Video Locker-Calculator” promises to hide your videos and photos from unauthorized access. To quote the app description
“Your files will be secretly stored in vault and can only be viewed after a Numeric PIN is entered on calculator panel of this app.”
Unfortunately, this is not true because of a security vulnerability in the version 12.0. The problem is, that in the AndroidManifest.xml, where the permissions of the app are defined, android:allowBackup="true" is set. This means the data of the app can easily be recovered with the Android Debug Bridge (adb). The code below shows again where the problem is.
<application [...] android:name="smart.calculator.gallerylock.MyApplication" android:manageSpaceActivity="smart.calculator.gallerylock.CalculatorActivity" android:allowBackup="true" android:largeHeap="true" >
To backup the application and therefore the files stored within the app we can use adb with adb backup '-f smart.calculator.gallerylock'
This creates the file backup.ab which we can convert to a .tar archiv with the Android Backup Extractor.
java -jar abe.jar unpack backup.ab backup.tar
The .tar archiv can be extracted and the sensitive files are located in the subfolders of /apps/smart.calculator.gallerylock/f/lockerVault/
This proves that the files hidden within the application are not securely stored and also not encrypted.
CVE-2017-16835 has been assigned to this vulnerability.
The backdoor
But even worse, the Application also has a backdoor. If you decompile the application and look in the file smart/calculator/gallerylock/CalculatorActivity.java you can find the following function.
private void f() {
String string = this.a.getText().toString();
if (string.equals(this.X) || string.equals("17621762")) {
this.e();
}
}
This is a classic backdoor. The pin “17621762” gives anyone access to the files stored in this application. The app itself has many other issues, which I didn’t mention here. But having a backdoor in an app is reason enough to get rid of it. As a result, the application and the company behind it can’t be trusted.
CVE-2017-18192 has been assigned to this vulnerability.
Update: Version 13. published on January 24, 2018 also has the above mentioned backdoor.
Update (02, February 2018): They made a version jump from 13 to 18 on 31, January 2018. Backdoor is still present.
Thanks for publishing this vulnerability. It’s a shame such apps are in the android store.