Popular Android AppLock app full of gaping security holes

AppLock, by DoMobile, is a very popular Android app for limiting access to certain content on the device (text messages, photos, videos, etc.). The user decides what content he or she wants to keep private, and “locks” it with a PIN.

According to the developer, it’s used by over 100 million users around the world.

Unfortunately for all of them, the app sports several vulnerabilities that could allow an attacker to access the content in question quite easily (without having root access to the device), and to reset, change, or remove the PIN code.

The vulnerabilities have been discovered by Beyond Security CTO Noam Rathaus, who shared technical details and instructions on how to exploit them on the SecuriTeam portal.

Rathaus says that he opted to disclose this information to the public after DoMobile stopped responding to his emails after an initial acknowledgement of having received the information about the vulnerabilities.

This responsible disclosure attempt happened on 31 July. Since the date of the last update of the app on Google Play is 27 July, it seems that the vendor hasn’t patched the flaws.

As Rathaus pointed out, a lot of people use AppLock to protect their phones, and are lulled into a false sense of security.

To be fair, one of his claims is not quite true. He says that users are led to believe that the content put in the app’s Vault is encrypted when they use the PIN code. The app’s page on Google Play does not say that.

Nevertheless, the vulnerabilities he found are serious and easily exploitable.

DoMobile has yet to comment on the revelation.