Infosec Apple fanboys are not known for their empathy — either for those who can’t afford their holy high fetish of phone security (iPhone) or for those who simply can’t stomach the ecosystem’s mounting hypocrisies.
But there’s one thing on their side. Apple’s App Store at least tries to curate product security, while Google’s Play Store is like playing appsec Russian roulette.
Nowhere has that been made more clear than in a post by researcher Jon Sawyer, called Password Storage in Sensitive Apps. Sawyer does freelance contract work “breaking and/or fixing Android phones and related software” — he hacks everything Android. For a recent gig, he was contacted by a forensic specialist for a law enforcement agency.
The law enforcement contact told Sawyer they had a phone with information on it “that could make or break a very sensitive case.” They had been trying to access the phone’s files and get data off the device with commercial mobile forensic tools but weren’t having any luck.
Sawyer verified their identity and purpose and got to the task at hand. “Using a backdoor … and some trickery we were able to fully extract all data off the device,” he explained. “This had me thinking, what next? What if this criminal was using another layer of security? What if they had a ‘secure storage’ app, what if their photos, videos and whatnot were encrypted in an additional layer of security?”
Sawyer searched Google’s app store for “Secure Photo” and grabbed the first result. He doesn’t say which app this is. But in my search, the top result was Hide Pictures Keep Safe Vault, listed as a Play Store “Editors’ Choice” by a “Top Developer,” with 4.6 stars and between 10 million and 50 million downloads.
When he started hacking the app and looking at the supposedly safe and secure files, Sawyer found that “sure enough the files stored were encrypted.” But then he discovered that “the PIN was stored in plaintext as a shared preference” — making the app neither safe nor secure should you want to keep your files from the prying eyes of hackers or law enforcement.
Apparently, for Sawyer, this was so easy it was no fun. He moved on to installing and hacking the next result in his search, Private Photo Vault. That one had a 4.1-star rating, 17,000 starred reviews, and over one million downloads.
“The #1 iOS Private Photo App is now available on Android! Private Photo Vault is a photo safe that keeps all of your private pictures and videos hidden behind a password.”
The researcher was hopeful. “The initial results were more promising than the first app, no plaintext PIN stored in the shared preferences.” But, he wrote, “the promise didn’t last long.” When Sawyer found (by testing it on himself) that unmasking any Vault user’s PIN code was easy, he “stopped analysis at this point, the app was already beyond broken.
“These companies are selling products that claim to securely store your most intimate pieces of data, yet are at most snake oil. You would have near equal protection just by changing the file extension and renaming the photos.”
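As an added illustration (not code from Sawyer’s post or from either app), the storage pattern he describes, a PIN written straight into SharedPreferences, beside a form that keeps only a salt and a PBKDF2 verifier, plus a small audit that flags PIN-like plaintext values in the XML layout Android uses for shared_prefs files. The XML sample and the key names are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import xml.etree.ElementTree as ET

# Shape of an Android shared_prefs XML file (constructed sample; not taken from either app).
PREFS_TEMPLATE = "<?xml version='1.0' encoding='utf-8' standalone='yes' ?><map>{}</map>"

def to_prefs_xml(entries: dict) -> str:
    """Serialise a dict the way SharedPreferences stores string values."""
    body = "".join(f'<string name="{k}">{v}</string>' for k, v in entries.items())
    return PREFS_TEMPLATE.format(body)

def store_pin_plaintext(pin: str) -> dict:
    """The pattern the article describes: the PIN itself is written to prefs (weak)."""
    return {"pin": pin}

def store_pin_verifier(pin: str, salt: bytes = None) -> dict:
    """Hardened form: keep a random salt and a PBKDF2 verifier, never the PIN itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return {"pin_salt": salt.hex(), "pin_verifier": digest.hex()}

def check_pin(prefs: dict, candidate: str) -> bool:
    """Recompute the verifier from the candidate PIN and compare in constant time."""
    salt = bytes.fromhex(prefs["pin_salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(digest.hex(), prefs["pin_verifier"])

# Values of 4 to 8 digits are what a stored PIN looks like when it is in the clear.
PIN_LIKE = re.compile(r"^\d{4,8}$")

def audit_prefs(xml_text: str) -> list:
    """Flag string entries that look like a PIN stored in the clear (reviewer's check)."""
    findings = []
    for node in ET.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), node.text or ""
        if PIN_LIKE.match(value) or ("pin" in name.lower() and len(value) <= 8):
            findings.append((name, value))
    return findings
```

A four-digit PIN has only 10,000 possible values, so a salted verifier on its own still needs rate limiting or a hardware-backed key to hold up; the point here is only that nothing in the prefs file gives the PIN away on inspection.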
If you want to know what happens when a hacker visits the Google Play Store trying to find an app that can’t be cracked … well, it’s not pretty. And that’s where Apple’s App Store has some advantage, even though iOS apps aren’t as secure as users want to believe. Yet while the App Store is hypocritically censored to hell and back, treats developers like crap and has its share of garbage on offer, app security has always been its strong suit.
There was, though, that one time in 2013 when scientists at Georgia Tech got an app named Jekyll into the App Store. Jekyll bypassed every security measure put in place by Apple to protect its users and could stealthily tweet, take photos, steal device identity information, send email and SMS and much more. “Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process,” the researchers wrote in their paper, Jekyll on iOS: When Benign Apps Become Evil.
The app was pulled before anyone downloaded it, but the point was made: Nothing is as secure as any company promises. And in typical Apple PR fashion, it still remains unclear whether the vulnerabilities exploited by Jekyll were completely fixed.
With Google’s new Pixel phone, an attack like this is at least less likely. Similar to its Nexus phones on Google’s Project Fi program, the Pixel will mainline operating system updates and security refreshes (one of many reasons I’ll be excited to get my hands on one, app store sketchiness notwithstanding). But, as Jon Sawyer found out after his recent law enforcement project, there’s a lot of false advertising in the Play Store under the guise of “secure” apps.
As I mentioned, I’m an Android phone user and fan, so I obviously don’t believe it’s all snake oil in the Google Play Store. I just think it’s wise to make our downloading decisions with the scrutiny afforded by the death of security-by-way-of-wishful-thinking.