In this article we will discuss cracking NQ Vault step by step.
Introduction to cracking NQ Vault step by step:
The NQ Vault mobile encryption app has been in the news for the wrong reasons. Mobile encryption apps are commonly used to prevent access to sensitive data on the phone (such as pictures, videos, documents, etc.).
These encryption apps usually offer a vault protected by a required password. You can move any secret files into this vault and they are supposed to be safe, because the data in the vault is encrypted and is decrypted only after the correct password is entered. The NQ Vault app is one such mobile encryption app, and it has boasted that it “encrypts” and secures your confidential files. All of this has now become a joke, and we will see why!
NQ Vault allows you to choose a private passcode and “encrypt” images, texts and any other data from the eyes of anyone who happens to be looking at your phone or device. For example, an attacker who has access to the device should not be able to view the original files if they do not know the passcode.
The idea is that even if an attacker pulls these files off the device, since they’re encrypted, they’d be nothing more than garbage. But in the case of NQ Vault, it turned out that if an attacker downloaded these encrypted files, he could easily retrieve the original files within seconds.
It’s not about weak encryption
The point is that NQ Vault does not use any encryption algorithm to secure user data. It only uses XOR substitution. So we are not talking about a weak algorithm or a weak key; we are talking about having “no algorithm” at all. As blogger NinjaDoge24 found out, NQ Vault just XORs the user’s file with a key and calls it “encrypted”.
Break it down step by step
I tried to verify it practically and here is how easy it was:
Download and install the NQ Vault mobile app from the Google Play Store on any Android device. Set the desired passcode (say 000).
Select any secret file (for example apple.png). Here is the HEX representation of apple.png:
Note: HEX is a base-16 positional number system. It uses sixteen different symbols, most commonly the symbols 0-9 to represent the values zero through nine and A-F to represent the values ten through fifteen. You can use a HEX viewer tool to view the hexadecimal representation of an image.
Now upload the image to NQ Vault using the app. This would mean that the apple.png file is encrypted and should be stored somewhere on the device. This is the message displayed by NQ Vault:
- These so-called “encrypted” files are stored on the SD card at the location /mnt/sdcard/SystemAndroid/Data. How do I know this? Just by looking at SQLite files in this case. Also, at the above-mentioned location there is a text file saved by the app which says:
- But these encrypted files are hidden from the user, so initially a simple ‘ls’ on the folder does not reveal anything. Running ‘ls -a’ instead reveals all the hidden files, as shown in the following screenshot.
- The next thing is to pull out this encrypted file to the local machine. I used the adb pull command for this purpose. As seen below, the file is stored with a .bin extension.
- Now see the HEX representation of this encrypted file:
- Now just XOR apple.png with the encrypted file:
- What this suggests is that, based on the passcode selected by the user, the app generates a “key” (30 in this case) and just XORs the user’s file with this key! Upon investigation, it turned out that this key value is always between 00 and ff, which means 255 possible values. As explained by NinjaDoge24, here are some of the passcodes and their corresponding key values:
Thus, an attacker who has access to the encrypted files just needs to brute-force the XOR with the 255 possible values to get the original files back!
It’s not over!
The story is not over yet. It was also discovered that the app performs this worthless encryption only on the first 128 bits of the user’s file and stores the rest in plain format. So it’s all out there in the raw for the attacker to see. In the example above, notice that only the first 128 bits are XOR-ed, and the rest of the bits remain the same. The screenshot below gives a clear idea:
Notice that only the initial bits are transformed, while the rest of the file remains the same. Here is a simple script written by NinjaDoge24 that automates this whole process.
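NinjaDoge24’s script is not reproduced on this page. The following is an added example, not that script and not NQ Vault’s code: it models the scheme exactly as the article describes it (a single key byte XOR-ed over a fixed-length prefix, the rest of the file left untouched) and then demonstrates the two observations above in code: recovering the key by XOR-ing the original with the stored file, and recovering a file without the original by trying every single-byte key and checking for the PNG signature. It assumes the key for passcode 000 is hex 0x30 (the article says “30”), takes the article’s 128 bits as 16 bytes but keeps that length as a parameter, and uses a constructed PNG-like byte string as input rather than a real apple.png. Unlike the article’s count, the loop simply tries all 256 byte values 0x00 through 0xff.

```python
from typing import List, Optional

# Constructed sample input (not a real file): the genuine 8-byte PNG signature,
# an IHDR chunk header, 16 filler bytes and a recognisable plaintext tail.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = (
    PNG_MAGIC
    + b"\x00\x00\x00\x0dIHDR"
    + bytes(range(16))
    + b"tail bytes stay in the clear"
)

# Length of the prefix the app transforms. The article states 128 bits,
# i.e. 16 bytes; kept as a parameter so other prefix lengths can be modelled.
PREFIX_BYTES = 128 // 8


def vault_transform(data: bytes, key: int, prefix_len: int = PREFIX_BYTES) -> bytes:
    """Hypothetical re-implementation of the scheme described in the article:
    XOR the first prefix_len bytes with one key byte, leave the remainder as-is.
    XOR is its own inverse, so the same call also undoes the transformation."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte value")
    head = bytes(b ^ key for b in data[:prefix_len])
    return head + data[prefix_len:]


def recover_key_known_plaintext(original: bytes, stored: bytes) -> Optional[int]:
    """The article's step: XOR the original file with the stored file. Under a
    single-byte key every transformed position yields the same value, untouched
    positions yield 0. Returns that key (0 if nothing changed), or None if the
    two files do not agree on one key byte."""
    xors = {o ^ s for o, s in zip(original, stored)}
    xors.discard(0)
    if not xors:
        return 0
    return xors.pop() if len(xors) == 1 else None


def transformed_prefix_length(original: bytes, stored: bytes) -> int:
    """How much of the file was actually touched: index of the last differing
    byte plus one. For the article's scheme this is the 16-byte prefix."""
    last = -1
    for i, (o, s) in enumerate(zip(original, stored)):
        if o != s:
            last = i
    return last + 1


def brute_force_png(stored: bytes) -> List[int]:
    """Without the original file: try every one-byte key and keep those under
    which the first 8 bytes become the PNG signature. The whole key space is
    256 values, which is why this 'encryption' offers no protection."""
    return [
        k for k in range(256)
        if bytes(b ^ k for b in stored[: len(PNG_MAGIC)]) == PNG_MAGIC
    ]


if __name__ == "__main__":
    # Passcode "000" -> key 0x30, per the article's example (assumed to be hex).
    stored = vault_transform(SAMPLE_PNG, 0x30)
    print("key from known plaintext :", hex(recover_key_known_plaintext(SAMPLE_PNG, stored)))
    print("bytes actually transformed:", transformed_prefix_length(SAMPLE_PNG, stored))
    print("keys yielding a PNG header:", [hex(k) for k in brute_force_png(stored)])
    print("tail readable in the clear:", stored[PREFIX_BYTES:])
```

Running the block prints the recovered key 0x30, a transformed length of 16 bytes, a single brute-force candidate, and the untouched tail of the sample. The PNG-signature check is what makes the brute force conclusive without the original file; any format with a known header (JPEG, PDF, ZIP) gives the same one-out-of-256 result, which is the practical meaning of “no algorithm” above.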
Everyone makes mistakes, including reputable organizations like Facebook, Google, etc., and we all understand that. But that only calls for punishment. All those millions of users who believed the claims of this software and unknowingly rated it 4.6 will now feel cheated. The fact that CNET, PC Magazine, and many other review sites rated it highly points to another problem—it’s hard to believe an app’s claims just by looking at what it does. It is definitely not possible for review sites to perform a security audit of an app before rating it.
Companies need to realize the importance of the trust users have in their brand and also remember that once you lose it, it is very difficult to get it back.