Researchers have discovered that many apps in the Google Android Play store that claim to secure files with encryption either fail to encrypt at all or employ methods that are trivially easy to crack.
James Irvine and Greig Paul of the Department of Electronic & Electrical Engineering at the University of Strathclyde tested nine popular Android apps designed to protect passwords, hide photos and videos and encrypt other files. In some cases the apps were created by Google-endorsed "Top Developers".
The apps tested were all ad-funded and were selected from among those with a high number of downloads from Play, with between 50,000 to 50 million users each. The researchers found major weaknesses in all nine apps studied, many of which made impressive claims for their security credentials.
"Hidden videos are not only moved to a secret location on your phone but are also encrypted using advanced 128 bit AES encryption. This means that even if someone manages to steal your SD card and copy the hidden video files, they will still be unable to view the locked videos," reads the blurb for Video Locker by Handy Apps.
Proper data security requires encryption using a unique key, which is generally created using a password and randomly generated data. However, Video Locker was found to use a static key. Moreover, the researchers discovered that the same encryption key was used when they installed the application on different devices, and that it was easily recoverable using a technique called a known-plaintext attack. A PIN used in conjunction with this static key was also found to be easily accessible to an attacker.
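To make the contrast concrete, here is an added example (not code from the researchers or from any of the apps) of the static-key design beside the per-install key derivation the article calls for: a random salt, a password-derived key, and a verifier tag so that the password or PIN itself is never stored. `STATIC_KEY` is a placeholder value, and the vault layout is assumed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the static-key design described above: one key is
# baked into every install, so every device and every user shares it.
STATIC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # placeholder, not a real app key

def static_key_for_install(_install_id: str) -> bytes:
    """Weak: the key ignores the password, the device and the install."""
    return STATIC_KEY

def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Sound: a per-install key from the user's password plus random salt
    (PBKDF2-HMAC-SHA256, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)

def new_vault(password: str) -> dict:
    """Set up one install: fresh random salt and a verifier tag derived from the
    key, so the password or PIN itself is never written to storage."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    return {
        "salt": salt,
        "iterations": 200_000,
        "verifier": hmac.new(key, b"vault-verifier", "sha256").digest(),
    }

def unlock_vault(password: str, vault: dict):
    """Re-derive the key from the stored parameters; return it only if the
    verifier matches (constant-time compare), otherwise None."""
    key = derive_key(password, vault["salt"], vault["iterations"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    return key if hmac.compare_digest(tag, vault["verifier"]) else None
```

Two installs with the same password end up with different keys, which is exactly what the static design cannot provide.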
Password Locker, also by Handy Apps, showed similar weaknesses. Although this app stores its password database within its private storage space, with access requiring root privileges, Android phones are easily rooted by attackers via well-known exploits. Once again the encryption guarding the database used a static key and was easily cracked via the known-plaintext method, only in this case the dangers are perhaps more serious: not only was it passwords rather than pictures that were at risk of compromise, but Password Locker also allows optional synchronisation with a user's Dropbox or Google account.
"It advertises cloud synchronisation while inadequately implementing AES in a manner which exposes passwords to anyone able to see the ciphertext," Paul explained. "This should definitely be a big concern for users, as their passwords are trivially retrievable, with the encryption rendered effectively inert."
Poor as this implementation might be, it is one of the better ones among the nine apps tested. Some of the apps make no attempt to encrypt the data at all, instead simply changing a few bits in the file's header and moving it to a hidden folder.
For example, there's Video Locker Advanced by New Softwares, which, despite claims to deploy "fast encryption techniques", turned out to do nothing of the sort, instead simply flipping the first hundred bits in the file and leaving the rest intact.
"It was clear that Video Locker Advanced did not use the advanced encryption techniques which it claimed — this amounted to reversing the bytes of the file header," Irvine and Paul wrote, noting that the app's Dropbox backup option increases the risk still further, as with the Password Locker example.
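The check an auditor can run to tell header mangling from real encryption, as an added example that is not from the researchers' paper or from any of the apps: `fake_lock` is a constructed stand-in for the header-reversal behaviour described above, `reference_ciphertext` stands in for a properly encrypted file, and the thresholds in `audit` are assumed values.

```python
import math
import random
from collections import Counter

HEADER_LEN = 100  # assumed size of the mangled header region (constructed value)

def fake_lock(data: bytes) -> bytes:
    """Constructed stand-in for the behaviour described above: reverse the
    first HEADER_LEN bytes and leave the rest of the file untouched.
    Not the app's own code."""
    return data[:HEADER_LEN][::-1] + data[HEADER_LEN:]

def reference_ciphertext(data: bytes) -> bytes:
    """Deterministic pseudo-random bytes standing in for a properly encrypted
    file of the same length (a real vault would use e.g. AES-GCM here)."""
    rng = random.Random(2024)
    return bytes(rng.getrandbits(8) for _ in range(len(data)))

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; real ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def identical_fraction(plain: bytes, locked: bytes) -> float:
    """Share of byte positions where the 'locked' file still equals the original."""
    n = min(len(plain), len(locked))
    if n == 0:
        return 0.0
    return sum(1 for a, b in zip(plain, locked) if a == b) / n

def audit(plain: bytes, locked: bytes) -> dict:
    """Signals an auditor checks before believing an 'encrypted' claim:
    genuine encryption leaves almost no byte in place (~1/256 by chance)
    and produces near-uniform output."""
    frac = identical_fraction(plain, locked)
    ent = shannon_entropy(locked)
    return {
        "identical_fraction": frac,
        "entropy_bits_per_byte": ent,
        "plausibly_encrypted": frac < 0.02 and ent > 7.5,
    }

# Constructed sample "video": a recognisable header followed by a repetitive payload.
SAMPLE = b"RIFF\x00\x10\x00\x00AVI LIST" + b"frame-data" * 300

if __name__ == "__main__":
    print("header-reversal:", audit(SAMPLE, fake_lock(SAMPLE)))
    print("real ciphertext:", audit(SAMPLE, reference_ciphertext(SAMPLE)))
```

The header-reversed file keeps well over 90% of its bytes in place and its low entropy, so the audit flags it, while the reference ciphertext passes both signals.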
So why is this happening? The researchers believe that in some cases the reason behind the encryption shortcuts is to make the apps easier to port across devices; that convenience, however, comes at the cost of severely weakening the level of protection offered. In other cases it may simply be due to developers' ignorance of how to do it properly.
Unfortunately, there's seemingly little that casual users can do to tell the good from the bad.
The researchers reported the misleading claims made for the apps to Google, but at the time of writing had yet to hear back. In the meantime, honest developers of secure apps should be encouraged "to understand and use open-source, audited, verified implementations of cryptographic algorithms," Paul told V3.
"None of the apps we looked at were open source, even though it is best practice to use open source apps for data encryption," he said.
"Open source is beneficial for encryption and security software, because it makes the barrier to entry for others to inspect, evaluate and audit the code lower. It doesn't guarantee anyone will look at it, but it makes it easier for someone to do so."
Paul also expressed his hope that Google will start to take stiffer measures against developers who misrepresent their apps and to impose stricter criteria for "Top Developer" status.
"Popularity certainly doesn't appear to correlate with quality," he said. "Clearly it's never going to be possible to perfectly evaluate every app, but perhaps special attention should be paid to security-related apps and developers."