CVE-2017-16835 in Photo
Summary
by MITRE
The "Photo,Video Locker-Calculator" application 12.0 for Android has android:allowBackup="true" in AndroidManifest.xml, which allows attackers to obtain sensitive cleartext information via an "adb backup '-f smart.calculator.gallerylock'" command.
Analysis
by VulDB Data Team • 01/07/2020
The vulnerability described in CVE-2017-16835 represents a critical security flaw in the Photo,Video Locker-Calculator Android application version 12.0, where the developers inadvertently enabled the android:allowBackup="true" attribute in the application's AndroidManifest.xml configuration file. This configuration setting fundamentally undermines the application's security posture by permitting unauthorized access to the application's data through legitimate Android backup mechanisms. The vulnerability stems from a misconfiguration that violates fundamental security principles for mobile applications, particularly those handling sensitive user data such as photos and videos that are typically stored within locked containers.
The technical exploitation of this vulnerability occurs through the Android Debug Bridge (ADB) backup functionality, which is designed for legitimate backup and restore operations but becomes a security vector when improperly configured. Attackers can execute the specific command "adb backup '-f smart.calculator.gallerylock'" to extract the entire application backup archive, which contains cleartext data including user photos, videos, and potentially sensitive calculator information. This cleartext exposure represents a direct violation of data protection principles and creates a significant risk for users who store confidential information within the application's locked environment. The vulnerability is classified as a configuration error that falls under CWE-1004, which specifically addresses insecure backup and restore mechanisms in mobile applications.
The operational impact of this vulnerability extends beyond simple data theft, as it fundamentally compromises the security model that users rely upon when locking their media files. Users who trust the application to provide secure storage for their private photos and videos are deceived into believing their data is protected when in reality it can be extracted through standard Android backup mechanisms. This vulnerability affects the core security assumption that locked content remains secure even when the application itself is running on a device. The implications are particularly severe for applications handling sensitive personal information, as the backup functionality becomes a backdoor for data exfiltration. This represents a clear violation of the principle of least privilege and demonstrates how a single configuration parameter can undermine comprehensive security controls.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security architecture improvements. The primary fix involves setting android:allowBackup="false" in the AndroidManifest.xml file to prevent unauthorized backup operations, which aligns with the ATT&CK framework's recommendation for securing mobile application configurations. Organizations should also implement comprehensive mobile security policies that include regular configuration reviews, automated security scanning of application manifests, and mandatory security training for development teams. Additional protective measures include implementing proper encryption for sensitive data at rest, utilizing Android's built-in backup encryption mechanisms when backup functionality is required, and conducting regular security assessments to identify similar misconfigurations across the application portfolio. The vulnerability highlights the critical importance of adhering to mobile security best practices and demonstrates how seemingly minor configuration decisions can have significant security implications.
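One way to automate the manifest review mentioned above, as an added example that is not code from VulDB or the application's vendor: a Python check over decoded AndroidManifest.xml text that flags android:allowBackup when it is "true" or absent, since the platform default is true. The sample manifests are constructed (only the package name comes from the CVE description), and the function name check_allow_backup is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = f"{{{ANDROID_NS}}}allowBackup"

# Constructed sample manifests (decoded text XML, not the binary AXML inside an APK).
# The package name is the one quoted in the CVE description; the rest is made up.
MANIFEST_WEAK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="smart.calculator.gallerylock">
    <application android:allowBackup="true" android:label="Calculator"/>
</manifest>"""

MANIFEST_FIXED = MANIFEST_WEAK.replace('allowBackup="true"', 'allowBackup="false"')
MANIFEST_UNSET = MANIFEST_WEAK.replace(' android:allowBackup="true"', "")


def check_allow_backup(manifest_xml: str) -> dict:
    """Return the backup posture of one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return {"package": root.get("package"), "status": "no-application", "finding": False}
    raw = app.get(ALLOW_BACKUP)
    if raw is None:
        # Attribute absent: the platform default is true, so backups are allowed.
        status = "default-true"
    elif raw.strip().lower() == "false":
        status = "disabled"
    elif raw.strip().lower() == "true":
        status = "explicit-true"
    else:
        # e.g. "@bool/allow_backup": a resource reference that needs manual review.
        status = "unresolved"
    return {"package": root.get("package"), "status": status,
            "finding": status != "disabled"}


if __name__ == "__main__":
    for name, xml in [("weak", MANIFEST_WEAK), ("fixed", MANIFEST_FIXED), ("unset", MANIFEST_UNSET)]:
        print(name, check_allow_backup(xml))
```

Only an explicit android:allowBackup="false" passes; a missing attribute is reported as a finding because it behaves the same as the vulnerable setting.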