SIK-2017-016


Title:

Disable Authentication in KidControl GPS Tracker App

Report ID

SIK-2017-016

Summary:

  • Vendor: KidControl Dev.
  • Product: Family GPS tracker Kid Control
  • Affected Version: 3.4.3
  • Severity: Low
  • Short summary:
    The app can be protected using the device unlock mechanism. However, the flag that records whether this protection is enabled can be manipulated by an attacker through the app backup/restore mechanism.

Details:

Normally, the app opens without requiring the user to provide any authentication. Optionally, the user can require authentication in the app's settings ("Protection" / "Security"). If this option is enabled, the user must perform an unlock operation equivalent to that of the Android operating system (e.g., draw the phone unlock pattern) when accessing the app. The security is apparently tied to the device unlocking mechanism, e.g., the user cannot choose a pattern different from the phone unlock pattern. This reduces the protection setting to a boolean option (enabled or not).

The flag is stored in the app’s shared preferences file. Furthermore, the app allows backups. A user can therefore back up the app, change the flag in the shared preferences XML file inside the backup, and restore the app to the device. This allows him to disable the app’s protection mechanism. Relevant XML file contents:

    <boolean name="pflag" value="true" />

The severity is low because the attacker needs access to the phone to perform the backup, unless another vulnerability allows both read and write access to the shared preferences file.
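A review-time check for the condition described above, added here as an example and not taken from the app or the original report. It flags security toggles kept in shared preferences while the manifest permits backups. Only the name `pflag` comes from the report; the package name, sample files and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample inputs (not taken from the real app's package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <application android:label="Tracker" />
</manifest>"""

SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <boolean name="pflag" value="true" />
  <string name="units">metric</string>
</map>"""


def backup_allowed(manifest_xml):
    """android:allowBackup defaults to true when the attribute is absent."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return False
    return app.get("{%s}allowBackup" % ANDROID_NS, "true").lower() == "true"


def guard_flags(prefs_xml, guard_names):
    """Return {name: value} for boolean prefs that gate a security feature."""
    found = {}
    for node in ET.fromstring(prefs_xml).iter("boolean"):
        if node.get("name") in guard_names:
            found[node.get("name")] = node.get("value") == "true"
    return found


def audit(manifest_xml, prefs_xml, guard_names):
    """Report guard flags that a backup/restore cycle could overwrite."""
    if not backup_allowed(manifest_xml):
        return []
    return [
        "%s=%s is stored in backed-up shared preferences" % (name, str(val).lower())
        for name, val in sorted(guard_flags(prefs_xml, guard_names).items())
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, SAMPLE_PREFS, {"pflag"}):
        print("FINDING:", finding)
```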

Workaround

Disable USB debugging to prevent backups. Make sure that your phone is never left unlocked.

Suggested Mitigation

Always require authentication.

Timeline

  • 2017-04-15 Vulnerability discovered.
  • 2017-05-18 Reported.
  • 2018-08-11 Published.