AppLock MITM Password Reset Vulnerability

Posted by Ajin Abraham on Aug 5 2015

TL;DR

Applock is an android application used to add lock screen to gallery and other applications. This app has a vulnerability in the web backend allowing an attacker to reset anyone's password with MITM attack.

Applock is a one of the most common Application Lock utility for android devices that allows anyone to Lock Applications in their android device. If you lock an Application with AppLock, when ever you Launch or resume that Application, AppLock will set a password screen before you. The vulnerability lies in AppLock’s Forgot Password feature.


Vulnerability

The vulnerability lies in AppLock’s Forgot Password feature. From a lock screen, you can access the Forgot Password Feature.


It shows an activity where your email address which you have given while installing the application is shown in a disabled EditText. When you click SEND THE CODE TO SECURITY EMAIL option, an HTTP request is sent to http://applock.domobile.com/servlet/applock with a POST data containing a parameter named email which contains the email to which the rest code needs to be sent. 

REQUEST
POST /servlet/applock HTTP/1.1 
Content-Length: 139 
Content-Type: application/x-www-form-urlencoded 
Host: applock.domobile.com 
Connection: Keep-Alive 

action=domo_user_reset&app_package=com.domobile.applock&version_code=2015061101&imei=000000000000000&
email=xyz%40gmail.com&code_md5=

 The response to this request is the MD5 of the reset code which will be stored in the device. 

RESPONSE
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Tue, 28 Jul 2015 14:49:07 GMT
Server: Google Frontend
Alternate-Protocol: 80:quic,p=0
Accept-Ranges: none
Content-Length: 59

{"done":"1","code_md5":"CD18E6BDA8990DDAF6ADD006C6EC64E0"}
The user can put the reset code received through email into the Forgot Password option to reset the password. AppLock will generate the MD5 of the reset code received form user and compare it with the previously received MD5 in the HTTP response and if they matches then the user is allowed to set a new AppLock Password. The vulnerability exist in the logical flow that AppLock's server does not validate the email parameter against a user. Attacker can do an MITM and tamper the email parameter with an email that he controls and steal the rest code. The fact that the communication is over HTTP makes MITM very easy and practical. To simulate the attack, I fired up a proxy that will tamper the email parameter on the fly whenever a request is made to http://applock.domobile.com/servlet/applock

PoC Video



This is a simple client side attack that requires the attacker to be in the same network for doing the MITM and access to the device to enter the reset code.

Vulnerability Disclosure 


We follow 30 days disclosure policy.
Reported: 5th July 2015
Acknowledgement:  6th July 2015
Published: 5th August 2015


  • Tags: 
  • applock
  • applock bypass
  • applock password reset vulnerability
  • applock pin reset
Ajin Abraham

    • |
    • |
    • |

Ajin Abraham is a Security Engineer with 7+ years of experience in Application Security including 4 years of Security Research. He is passionate on developing new and unique security tools. Some of his contributions to Hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Droid Application Fuzz Framework (DAFF), Xenotix xBOT, NodeJsScan etc to name a few. He has been invited to speak at multiple security conferences including ClubHack, Nullcon, OWASP AppSec Eu, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In Paris, Hack In the Box, c0c0n and PHDays.