AppLock MITM Password Reset Vulnerability

Posted by Ajin Abraham on Aug 5 2015


AppLock is an Android application used to add a lock screen to the gallery and other applications. The app has a vulnerability in its web backend that allows an attacker to reset anyone's password with a MITM attack.

AppLock is one of the most common application lock utilities for Android devices; it lets anyone lock applications on their device. If you lock an application with AppLock, whenever you launch or resume that application, AppLock puts a password screen in front of you. The vulnerability lies in AppLock's Forgot Password feature.


From a lock screen, you can access the Forgot Password feature.

It shows an activity in which the email address you gave while installing the application is displayed in a disabled EditText. When you tap the SEND THE CODE TO SECURITY EMAIL option, an HTTP request is sent to the backend with POST data containing a parameter named email, which holds the address the reset code is to be sent to.

POST /servlet/applock HTTP/1.1
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive


The response to this request contains the MD5 of the reset code, which the app stores on the device.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Tue, 28 Jul 2015 14:49:07 GMT
Server: Google Frontend
Alternate-Protocol: 80:quic,p=0
Accept-Ranges: none
Content-Length: 59

The user can enter the reset code received by email into the Forgot Password option to reset the password. AppLock computes the MD5 of the reset code entered by the user and compares it with the MD5 previously received in the HTTP response; if they match, the user is allowed to set a new AppLock password.

The vulnerability is in this logical flow: AppLock's server does not validate the email parameter against a user. An attacker can perform a MITM, tamper with the email parameter so that it points to an address he controls, and steal the reset code. The fact that the communication is over plain HTTP makes the MITM easy and practical. To simulate the attack, I fired up a proxy that tampers with the email parameter on the fly whenever a request is made to
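To make the logical flaw concrete, here is an added illustration (not AppLock's own code, and not taken from the post) that models the reset flow described above beside a hardened version. It assumes a made-up account store keyed by a hypothetical device identifier and a short hex reset code; the real backend's schema and code format are not given in the write-up.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "account store": device id -> registered security email.
# Both the key and the address are made up for this example.
ACCOUNTS = {"device-123": "owner@example.com"}

# --- Flow as described in the write-up --------------------------------------
def vulnerable_request_reset(email, send_mail):
    """Trusts the client-supplied email and returns the MD5 of the code to the
    client. Whoever can alter the request chooses where the code is delivered."""
    code = secrets.token_hex(4)                      # code format is an assumption
    send_mail(email, code)
    return {"md5": hashlib.md5(code.encode()).hexdigest()}

def vulnerable_client_verify(entered_code, md5_from_server):
    # The check happens on the device against a hash the server handed out.
    return hashlib.md5(entered_code.encode()).hexdigest() == md5_from_server

# --- Hardened flow ----------------------------------------------------------
PENDING = {}  # device id -> (sha256 of code, expiry timestamp)

def hardened_request_reset(device_id, send_mail, ttl=600):
    """Ignores any client-supplied address: the server sends the code only to
    the email it registered for this device and keeps the code hash itself."""
    email = ACCOUNTS.get(device_id)
    if email is None:
        return {"ok": False}
    code = secrets.token_hex(4)
    PENDING[device_id] = (hashlib.sha256(code.encode()).hexdigest(), time.time() + ttl)
    send_mail(email, code)
    return {"ok": True}                              # no hash leaves the server

def hardened_verify(device_id, entered_code):
    """Server-side, single-use, time-limited, constant-time check of the code."""
    entry = PENDING.pop(device_id, None)
    if entry is None or time.time() > entry[1]:
        return False
    digest = hashlib.sha256(entered_code.encode()).hexdigest()
    return hmac.compare_digest(digest, entry[0])
```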

PoC Video

This is a simple client-side attack: the attacker needs to be on the same network to perform the MITM, and needs access to the device to enter the reset code.

Vulnerability Disclosure

We follow a 30-day disclosure policy.
Reported: 5th July 2015
Acknowledgement: 6th July 2015
Published: 5th August 2015


Ajin Abraham


Ajin Abraham is a Security Engineer with 10+ years of experience in Application Security, Research and Engineering. He is passionate about building and maintaining open source security tools and communities. Some of his contributions to Hacker's arsenal include Mobile Security Framework (MobSF), nodejsscan, OWASP Xenotix, etc. Areas of interest include runtime security instrumentation, offensive security, web and mobile application security, code and architectural reviews, cloud-native runtime security, security tool development, security automation, breaking and fixing security products, reverse engineering, and exploit development.