The mobile encryption app NQ Vault has been in the news for bad reasons. Mobile encryption apps are commonly used to prevent access to sensitive data on the phone (such as images, videos, documents and so on). These encryption apps usually offer a vault with your desired password. You can push any secret files to this vault and they would be secure, as the data present in vault is encrypted and would decrypt only when the correct password is entered. The NQ Vault app is one such mobile encryption app which boasted that it “encrypts” and secures your confidential files. All this has now become a joke and we will see why!

NQ Vault allows you to pick a private passcode and “encrypts” pictures, texts, and any other data from the eyes of anyone who happens to look through your phone or device. For instance, an attacker who has access to the device should not be able to view the original files unless he knows the passcode. The idea is that even if an attacker pulls these files from the device, since they are encrypted, they would mean nothing but junk. But in case of NQ Vault, it turned out that if an attacker pulls these encrypted files, he could easily get the original files in a matter of seconds.

It’s not about weak encryption

The point is that NQ Vault doesn’t use any encryption algorithm to secure the user’s data. It just uses XOR substitution. So we are not talking about using a weak algorithm or a weak key. We are talking about having “no algorithm”. As discovered by blogger NinjaDoge24, NQ Vault just XORs the user’s file with a key and calls it “encrypted”.

Breaking it step by step

I tried to verify this practically, and here is how easy it turned out to be:

  1. Download and install the NQ Vault mobile app from Google Play Store on any Android device. Set your desired passcode (say 000).
  2. Select any secret file (for example apple.png). Here is the HEX representation of the apple.png file:

Note: HEX is a positional numeral system base of 16. It uses sixteen distinct symbols, most often the symbols 0–9 to represent values zero to nine, and to represent values ten to fifteen. You can use HEX Viewer tool to view an image’s hex representation.

3. Now send the image to the NQ Vault using the app. This would mean the file apple.png is encrypted and should have been stored somewhere on the device. This is the message shown by NQ Vault:

4. These so called “encrypted” files are stored on the SD card at the location /mnt/sdcard/SystemAndroid/Data. How do I know this? Well just by looking at SQLite files in this case. Also at the above mentioned location, there is a text file saved by the app which says:

Ethical Hacking Training – Resources (InfoSec)

5. But these encrypted files are hidden from the user. So initially a simple ‘ls’ on the folder does not reveal anything. But ‘ls’ with –a attribute would reveal all the hidden files, as shown in the following screenshot.

6. The next thing is to pull out this encrypted file to the local machine. I used the adb pull command for this purpose. As seen below, the file is stored with a .bin extension.

7. Now see the HEX representation of this encrypted file:

8. Now just XOR abc.png & the encrypted file:\

9. What this suggests is, based on the passcode selected by the user, it generates a “key” (30 in this case) and just XORs the user’s file with this key! Upon investigation, it turned out that this key value is always between 00 and ff, which means 255 possible values. As explained by NinjaDoge24, here are some of the passcodes and their corresponding key values:

Thus, an attacker who has access to the encrypted files just need to brute force XOR with 255 possible values to get the original files back!

It’s not over!

The story is not over yet. It is also discovered that the app performs this worthless encryption only for the first 128 bits of the user’s file, and stores the rest in plain format. So it’s all out there in the raw for the attacker to see. For example, in the above example, notice that only the first 128 bits are XOR-ed, and rest of the bits remain the same. The below screenshot gives a clear idea:

Notice that only the initial bits are transformed, while the rest of the file remains the same. Here is a simple script written by NinjaDoge24 that automates this whole process.

Lessons learned

Everyone makes mistakes, including reputed organizations such as Facebook, Google etc., and we all understand that. But this is just asking to be punished. All those millions of users who believed the claims of this software and unknowingly rated it at 4.6 will now feel cheated. The fact that CNET, PC Magazine and many other site reviews rated it highly points out another problem – it’s hard to trust the claims of an app just by looking at what it does. It is definitely not possible for review sites to perform a security audit of an app before they rate it. Companies need to realize the importance of the trust that users have in their brand and also need to remember that once lost, it’s very hard to gain it back.