21 June 2017
Blogs by author: Ben Marks, Mobile App Security Specialist, BT
We trust our private images and videos to vault apps in the same way we secure our money in bank vaults, but should we?
Rise of the droid
Since the Android operating system exploded onto the market with an 87 per cent share of the smartphone market in 2016, its users have been able to pick and choose their choice of apps from over 2.8 million available in the Play Store.
Of course, not all of these are original. Many apps have multiple variations, formats and functionalities — authored by many different people. Multiple authors mean many different skill sets and coding capabilities, and some aren’t aware of the security flaws and vulnerabilities that surround Android as a mobile operating system.
A review or an analysis?
Photo Vaults, Locker Vaults and Hide Pictures are all generalised names for the same type of application — designed with one main function in mind, to hide photos and videos of a sensitive nature from the standard Android system gallery. This protects the user’s privacy should they lose or share their device.
These apps advertise claims such as ‘secure, protect and hide your information’, ‘hack proof’ or ‘the hidden files are encrypted’. But how true are these claims? And how many are false claims to drive downloads and boost revenue?
We research banks to make sure they suit our needs before we store our money with them. But do we check out the applications that are storing our private data?
How could we even do this effectively? Number of downloads? Reviews? Ratings? Number of reviews? These are only as good as the knowledge of the person writing the review, and who reviews an app based on its security? Would these reviewers even know what to look for?
So, are they safe?
Our paper, ‘Vault101’, investigated the security of these applications — looking at what protections are actually in place on the user images (if any), and to what level.
For this analysis, we investigated ten apps. This included both manual and dynamic on-device examination, using tools and techniques to identify if any simple issues were present. The applications selected provided a good functional reflection of the number of apps of this kind and their popularity, with download counts ranging from 500,000-500,000,000.
In 100 per cent of cases, the issues we discovered allowed for the complete compromise of the application. For every application we looked at, we managed to bypass the protections in place to protect the user’s photos, and thus obtain the original image. Just let that sink in.
Putting users at risk
The failure of these apps to secure images is no small matter, as the target attack surface for this type is incredibly large. Using the upper and lower estimates of the Android Play Store downloads count, this attack vector could hit between 141,500,000 and 676,000,000 users — and that’s just for the ten apps we checked!
There are maybe hundreds of this type of app on the Play Store — all of which may have the same flaws, large number of downloads and active users.
But the risk is minimal, right? Surely, you’d have to lose or have your device stolen for anyone to get to your private images. But, due to a flaw in the way some applications are coded, they contain hardcoded paths to files and directories — meaning that files for all users are stored in the same location, using the same path and directory names on every device.
What’s worse is that these files, in the majority of cases, are stored on an external storage area that any app can access via a standard device, given the correct permissions. This makes it easy for some malicious outside party to author a malware app and scrape all the files onto a remote server.
They don’t need to rely on a complex zero-day attack or a rooted device — it’s all basic Android functionality.
The reality is that these apps are vulnerable, and easy to exploit. People have private photos; that’s a fact. There are significant campaigns about not ‘sexting’ photos, but what about simply taking them and storing them on your device? They appear to be safe because they’re locked away in the secret vault app, but really they’re easily stolen — without the user ever being aware.
Banks spend thousands hiring consultants to make sure their premises and vaults are secure from theft. So why aren’t we working to keep our private data secure in the same way? Why are the developers not coding their apps to adequately protect our user data?
Or, is it that — in this vastly connected world — our private lives and photos are deemed less valuable than hard currency, app authors only really care about download counts and they don’t legitimately care about the users?
Change isn’t coming
We reached out to the application authors identified in this investigation to present our findings responsibly, in the hope that they’d update their apps. However, over the 30-day grace period we received a mixed response, with some developers replying and some not, and since this analysis was carried out, just two of the above mentioned developers have made positive updates to their apps to further secure them from our findings.
Find out more about how vault apps fail to protect your privacy — read the full technical paper here. You can also get in contact with the BT Pentest Team, or the authors of the paper, with any queries at firstname.lastname@example.org.