SIK-2016-032


Title:

Keepsafe Plaintext Password Storage

Report ID

SIK-2016-032

Summary:

  • Vendor: keepsafe
  • Product: Hide Pictures Keep Safe Vault
  • Affected Version: 7.10.5
  • Severity: low-medium
  • Short summary: The application stores the master password or PIN in plain text in the app folder.

Details:

In all of the vendor's Android products (Photovault, Applock, Hide Pictures Keep Safe Vault), all passwords are stored in plaintext in the app's shared preference files.
Examples (Hide Pictures, com.kii.safe_preferences.xml):

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="master-password">2468</string>
    <int name="pin-entry-number-of-tries" value="0" />
    <string name="App Restrictions">AAAAAA==

or Applock (com.getkeepsafe.pickford.preferences.xml):

<map>
    <string name="WORKAROUND">[com.android.contacts]</string>
    <set name="preferences-app-lock-monitored-packages">
        <string>com.android.contacts</string>
    </set>
    <string name="preferences-user-email">test@test.de</string>
    <string name="preferences-master-password">1234</string>
</map>

For a product advertised as using “military encryption” standards this is a serious vulnerability.
Perhaps the back-end infrastructure is secure, but if someone steals the victim's smartphone they can easily access the data stored in the app.
The only protection mechanism for the plaintext shared preference file is the OS sandbox. But there are currently a lot of working and easy-to-use root exploits (Dirty COW, Rowhammer, Stagefright, …) allowing privilege escalation and reading out the data.
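The following audit script is an added example for this advisory, not Keepsafe's code: it parses the shared_prefs <map> format shown above and flags <string> entries whose key looks credential-like and whose value is readable rather than hashed. The two embedded inputs are the excerpts quoted above (the first truncated, as in the advisory); the key-name patterns beyond "password" and "pin" are assumptions to tune per app.

```python
import re
import xml.etree.ElementTree as ET
# Key-name patterns that suggest a stored credential. "password" and "pin" cover
# the keys seen in this advisory; the other terms are assumed and should be tuned.
SENSITIVE_KEY = re.compile(r"password|passwd|pin|secret|token", re.I)
NUMERIC_PIN = re.compile(r"^\d{4,8}$")
OPAQUE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")  # looks hashed/encrypted, not plain

# The two excerpts quoted in the advisory; the first is truncated there as well.
HIDEPICTURES_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="master-password">2468</string>
    <int name="pin-entry-number-of-tries" value="0" />
    <string name="App Restrictions">AAAAAA=="""
APPLOCK_PREFS = """<map>
    <string name="WORKAROUND">[com.android.contacts]</string>
    <set name="preferences-app-lock-monitored-packages">
        <string>com.android.contacts</string>
    </set>
    <string name="preferences-user-email">test@test.de</string>
    <string name="preferences-master-password">1234</string>
</map>"""

def string_entries(xml_text):
    """Yield (name, value) for each named <string>; ElementTree when the file
    is well-formed, otherwise a regex scan of the closed entries in a truncated
    dump such as the first excerpt above."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        for m in re.finditer(r'<string name="([^"]+)">([^<]*)</string>', xml_text):
            yield m.group(1), m.group(2)
        return
    for el in root.iter("string"):
        if el.get("name") is not None:  # members of a <set> carry no name
            yield el.get("name"), el.text or ""

def find_plaintext_credentials(xml_text):
    """Return [(key, finding)] for credential-like keys holding readable values."""
    findings = []
    for name, value in string_entries(xml_text):
        if not value or not SENSITIVE_KEY.search(name):
            continue
        if NUMERIC_PIN.match(value):
            findings.append((name, "numeric PIN stored in plaintext"))
        elif OPAQUE.match(value):
            findings.append((name, "opaque value; confirm it is a hash or ciphertext"))
        else:
            findings.append((name, "plaintext value"))
    return findings
```

Point find_plaintext_credentials() at the contents of an app's shared_prefs XML when reviewing your own build; an <int> key such as pin-entry-number-of-tries is deliberately ignored since only <string> values can carry a credential.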

Workaround

Avoid password storage

Suggested Mitigation

Warn the user about password storage. Use the Android Keystore for secure password storage.

Timeline

  • 2016-10-25 Discovered
  • 2016-10-28 Vulnerability Reported
  • 2017-01-28 Fixed