Introduction

The application “Photo, Video Locker-Calculator” on the Google Play Store falsely assures users that their photos and videos are securely hidden from unauthorized access. The app’s description explicitly states that stored files can only be accessed through a numeric PIN entered on the app’s calculator panel. To quote the app description:

Your files will be secretly stored in vault and can only be viewed after a Numeric PIN is entered on calculator panel of this app.

However, version 12.0 of the application has been found to contain critical security vulnerabilities.

Vulnerability #1 (CVE-2017-16835)

A security issue was identified in the application’s AndroidManifest.xml file, where the android:allowBackup attribute was set to true. This configuration allows app data to be retrieved using the Android Debug Bridge (adb). As a result, files stored in the /apps/smart.calculator.gallerylock/f/lockerVault/ directory could be accessed without encryption, which calls into question the app’s assurance of secure file storage. The following code snippet was taken from the AndroidManifest.xml file:

<application[...]
  android:name="smart.calculator.gallerylock.MyApplication"
  android:manageSpaceActivity="smart.calculator.gallerylock.CalculatorActivity"
  android:allowBackup="true"
  android:largeHeap="true"
>

To back up the application and access the files stored within, the Android Debug Bridge (adb) command adb backup -f backup.ab smart.calculator.gallerylock can be used. Subsequently, the file backup.ab can be converted to a '.tar' archive using the Android Backup Extractor:

java -jar abe.jar unpack backup.ab backup.tar

The .tar archive can then be extracted, and the sensitive files are located in the subfolders of /apps/smart.calculator.gallerylock/f/lockerVault/. This proves that the files hidden within the application are neither securely stored nor encrypted.

CVE-2017-16835 has been assigned to this vulnerability.

Vulnerability #2 (CVE-2017-18192)

Furthermore, a deliberate backdoor has been uncovered within the application’s source code. By decompiling the application and examining the file smart/calculator/gallerylock/CalculatorActivity.java, a backdoor function was discovered. This function allows access to sensitive data using the PIN “17621762”, significantly undermining the application’s security measures.

The following code snippet shows the authentication function of the application with the hardcoded backdoor pin.

private void f() {
    String string = this.a.getText().toString();
    // The hardcoded literal is accepted alongside this.X: this is the backdoor PIN.
    if (string.equals(this.X) || string.equals("17621762")) {
        this.e();
    }
}

CVE-2017-18192 has been assigned to this vulnerability.
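
Both findings above can be checked for automatically during an app review. The following Python sketch is an added example, not code from the application or from the original advisory; it assumes the manifest has already been decoded to text XML and the sources decompiled, and the function names and the embedded sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample inputs modelled on the snippets quoted on this page.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="smart.calculator.gallerylock">
  <application
      android:name="smart.calculator.gallerylock.MyApplication"
      android:allowBackup="true"
      android:largeHeap="true" />
</manifest>"""

SAMPLE_JAVA = '''private void f(){
    String string = this.a.getText().toString();
    if (string.equals(this.X) || string.equals("17621762")) {
        this.e();
    }
}'''

# .equals("<4+ digits>"): a credential-like numeric literal used in a comparison.
LITERAL_EQUALS = re.compile(r'\.equals\(\s*"(\d{4,})"\s*\)')


def backup_allowed(manifest_xml):
    """True unless allowBackup is explicitly "false".

    A missing attribute defaults to true on Android, and a resource
    reference (e.g. @bool/...) is flagged for manual review.
    """
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    value = app.get("{%s}allowBackup" % ANDROID_NS)
    return value is None or value.strip().lower() != "false"


def hardcoded_numeric_compares(java_source):
    """Return (line_number, literal) for each .equals() against a numeric literal."""
    hits = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        hits.extend((number, m.group(1)) for m in LITERAL_EQUALS.finditer(line))
    return hits


if __name__ == "__main__":
    print("backup allowed:", backup_allowed(SAMPLE_MANIFEST))
    for number, literal in hardcoded_numeric_compares(SAMPLE_JAVA):
        print("line %d: comparison against literal %r" % (number, literal))
```

A hit from the second check is only a lead for manual review: the regular expression matches any numeric literal of four or more digits passed to equals(), whether or not it guards an authentication path.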

Updates:

The issues persisted even after the release of version 13 on January 24, 2018. Remarkably, the version jump from 13 to 18 on January 31, 2018, did not address the presence of the backdoor, further compromising the credibility of the application and the associated development company.