Yesterday (well, technically today) I was trying to find some data on my old phone to copy to my new phone so I decided to copy over all the folders from the phone to my desktop to make it easier to look through it. While I was going through the data I found a folder called .keepsafe under the Android/data folder so I looked in it cause I got curious and found some interesting data. Actually before I tell you what I found lets take a step back and go over what Keepsafe is: It is an app for both iOS and android that allows you to hide photos/files on your phone and then only people with the correct PIN can view them. From their site: “You lock your rings in a jewelry box. You lock your certificates in a cabinet. Now KeepSafe makes sure your personal files are locked down and hidden, using privacy features such as PIN Pad and Fake PIN.” I had installed this version of Keepsafe a few years ago to try it out but had since uninstalled it as I didn’t find it useful.
Coming back to the folder and what I found. It had two files under it: .local and .email. The .email file had my email address in it but the contents of the .local file were shocking. It had my ‘secret pin’ in clear-text in the file. So anyone with some idea of how apps store data and access to a file browser would have been able to get my pin and view images/data that was supposed to have been protected.
Since this was an older version of the software I downloaded and installed the latest version on my S5 to see if the issue was still there. Thankfully someone at the company figured out that storing the data in clear-text was extremely stupid and in the latest version of the software the same two files are still there but the data is encrypted. Not sure how strong the encryption is because I don’t have the knowledge/skill set to try to figure that out. I did however identify where the files are being stored (they are all encrypted as well) so someone with the original image and an encrypted copy could potentially reverse engineer the encryption and assuming they are using a static encryption key decrypt the remaining files as well.
Moral of the story is that if you want to ‘hide’ data on your phone be very careful of the software you use to do it. Ideally you should avoid storing any data that is sensitive on the phone. There are plenty of ways to get access to the data if someone is interested and has time. This is not an isolated case of a badly written software, There are other cases as well where other software was found to have similar amazing security. So be careful out there.
I did find some more interesting data on the phone that I will take a stab at when I get some time.
Well this is all for now. Will write more later.