AppLock is one of the most common application lock utilities for Android devices; it lets anyone lock applications on their device. If you lock an application with AppLock, then whenever you launch or resume that application, AppLock presents a password screen. The vulnerability lies in AppLock’s Forgot Password feature.
Vulnerability
The Forgot Password feature can be reached from any lock screen.
It shows an activity in which the email address you gave while installing the application is displayed in a disabled EditText. When you click the SEND THE CODE TO SECURITY EMAIL option, an HTTP request is sent to http://applock.domobile.com/servlet/applock with POST data containing a parameter named email, which holds the address the reset code is to be sent to.
The response to this request is the MD5 of the reset code, which is stored on the device.
The user then enters the reset code received by email into the Forgot Password screen. AppLock computes the MD5 of the code entered by the user and compares it with the MD5 previously received in the HTTP response; if they match, the user is allowed to set a new AppLock password.
The vulnerability is in the logical flow: AppLock’s server does not validate the email parameter against a user. An attacker can perform a MITM, replace the email parameter with an address he controls, and steal the reset code. The fact that the communication is over HTTP makes the MITM very easy and practical. To simulate the attack, I fired up a proxy that tampers with the email parameter on the fly whenever a request is made to http://applock.domobile.com/servlet/applock.
PoC Video
This is a simple client-side attack that requires the attacker to be on the same network to perform the MITM and to have access to the device to enter the reset code.
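For contrast with the flow described above, here is a sketch of a reset service that closes both gaps: the recipient is looked up on the server rather than taken from the request, and the code is checked on the server rather than against a hash handed to the client. This is an added example, not AppLock's or DoMobile's code; `ResetService`, `device_id`, the TTL and the attempt limit are hypothetical, and it assumes the device identifier is authenticated and the transport is HTTPS.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a reset code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per issued code (assumed value)


class ResetService:
    """Hypothetical server-side reset flow; not AppLock's API."""

    def __init__(self, registered_email_by_device, send_mail, clock=time.time):
        self._emails = registered_email_by_device  # device_id -> email set at install
        self._send_mail = send_mail
        self._clock = clock
        self._pending = {}  # device_id -> [salt, digest, expires_at, attempts_left]

    def request_reset(self, device_id, email_from_request=None):
        # The recipient is looked up server-side. An address supplied in the
        # request is ignored, so tampering with it in transit changes nothing.
        email = self._emails.get(device_id)
        if email is None:
            return {"status": "ok"}  # same reply for unknown devices
        code = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._pending[device_id] = [salt, digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_mail(email, code)
        # Neither the code nor any hash of it goes back to the client.
        return {"status": "ok"}

    def verify(self, device_id, submitted_code):
        entry = self._pending.get(device_id)
        if entry is None or self._clock() > entry[2] or entry[3] <= 0:
            self._pending.pop(device_id, None)  # expired or exhausted: discard
            return False
        entry[3] -= 1
        candidate = hashlib.sha256(entry[0] + submitted_code.encode()).digest()
        if hmac.compare_digest(candidate, entry[1]):
            del self._pending[device_id]  # single use
            return True
        return False
```

The client only ever learns whether `verify` succeeded, so the decision to allow a new password no longer rests on data the device received over the network.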
DISCLOSURE TIMELINE
We follow a 30-day disclosure policy.
Reported: 5th July 2015
Acknowledgement: 6th July 2015
Published: 5th August 2015