A Simple Design Flaw In Qmobile's Messaging System
Introduction
This post describes a simple design flaw in Qmobile handsets and explains why you shouldn't rely on built-in password protection mechanisms and why encryption, rather than password protection, is the best solution.
The testing was carried out on a Qmobile Noir A20. The problem is that even after the messages have been password protected, other applications that hold the READ_SMS permission can still read the SMS in clear text, which defeats the purpose of the password.
Qmobile, which is based on a customized version of the Android OS for smartphones, has its own messaging app with the additional functionality of password protecting messages, which is meant to prevent unauthorized access to them.
Google Hangout
Google Hangout is a very popular Android app used by millions of users for sending and receiving messages, and it is likely to be present on almost every Android phone. As discussed before, the Qmobile messaging app allows users to password protect their messages. However, this doesn't prevent Google Hangout, or any other app that has read access to messages, from reading them. The Qmobile messaging app does not encrypt the messages.
Demonstration
The following video demonstrates the issue:
Since mobile security has never been my area of research, I asked one of my friends, Francesco Stillavato, for his opinion on this issue. For those of you who don't know, Francesco is the author of the "Mobile Application And Penetration Testing Course" at elearnsecurity.com. Take a look at his opinion:
I agree with you: the application password protection isn't enough if you really want to protect your data (SMS in this case). There are many things to consider when implementing this type of security mechanism: for example, if the app stores its data in the memory card (not encrypted), almost every application would be able to read them. It's still important to note that in this case, during the installation process, Hangout requires permission to read SMS; so if you accept and install it, you are granting permission to the app.
While this may seem obvious, you should consider that if someone is able to physically access your device (open the play store and install an application), the application password protection may fail! So if you really want to protect your app data, you should consider implementing encryption (maybe using a master password) or storing data in its own sandbox (like the SMS app) without allowing other apps to ask for read permissions.
Here is what Aditya Gupta, a world-renowned Android security expert and the CEO of Attify, has to say about this issue:
QMobile should ensure that, rather than giving a false sense of security to the users with a password protection of the messaging app (which could be easily bypassed), it also encrypts the messages while storing them on the device if a user opts in for the password-based security.
If you have any questions or opinions, feel free to ask.