Decrypting ‘LOCKED Secret Calculator Vault’

This week's post was prompted by a live case and didn't take long to work through, because the application is remarkably similar to the one covered in a previous post, 'Decrypting the 'Calculator' App(s)'. This write-up therefore follows that post closely whilst highlighting the slight differences between the two.

'LOCKED Secret Calculator Vault' mimics the functionality of a calculator whilst hiding a vault behind a user-created PIN or pattern lock. The store listing claims the files are encrypted using "proven military-grade AES encryption which is used by governments & banks worldwide. Hide photo, Lock photos and videos, then put them into your private Calculator vault. Now they are in the safest place in the world! Nobody can reach them except you." The application can also store encrypted notes and includes a built-in browser.

Examination of the application identified the following key locations:

- Data: /data/data/com.lkd.calculator
- Media files: /sdcard/.locked_vault/

Key Artefact Locations

The Lock

Although the default lock type is a PIN, the vault can also be protected with a pattern lock. Within the '/data/data/com.lkd.calculator/shared_prefs' folder is the preferences file 'share_locked_vault.xml', which contains a number of encrypted values:

The above screenshot shows the encrypted PIN and pattern, highlighted in red. In most cases the 'share_locked_vault.xml' file will only contain the encrypted PIN, stored under the tag '57DFEA9AEC99CD87013E3862B9DE5B7D'. The other highlighted value, the encrypted pattern, is encountered less often.

The PIN is entered by typing it into the calculator and pressing equals. To enter a pattern, the user holds the three dots in the top right corner, which opens an input screen for the pattern:

Lock Code Entry and Access

Media Files

As with the other calculator application, media files are stored separately, split into subfolders by file type. A separate encrypted database file is stored in its own folder. The media files in this location are encrypted, with some caveats.

Recursive View of ‘.locked_vault’

Something I noticed when encrypting files during testing was the option to encrypt them as 'Full' or 'Light'. Files encrypted using 'Full' are fully encrypted and their names are prefixed with the letter 'h'. If 'Light' is selected, the file is created with the letter 'e' as its prefix. Both then follow the same UUID naming convention. The biggest difference is that a 'Light' file is not encrypted at all: it simply loses its file extension and is renamed, so its content is recoverable without any decryption.

Decryption – Pattern / PIN

All cryptographic operations in the application use the same hard-coded encryption key: Rny48Ni8aPjYCnUI. This key is converted to hex (the hex encoding of its ASCII bytes) before use. The encryption mode is AES_CBC, which takes two arguments: the key and the IV. In this application the key and IV are the same value, Rny48Ni8aPjYCnUI.

Any data within the 'share_locked_vault.xml' file, including the user-created PIN and pattern, can be decrypted with this value and algorithm. The following CyberChef screenshot shows the PIN lock being decrypted:

CyberChef Decrypting PIN

The pattern lock is decrypted in the same way. One thing to note is how the decrypted digits correlate to the user's pattern. In the example below, decrypting the pattern yields the string '03678'.

CyberChef Decrypting Pattern

This style of mapping is similar to that of other Android applications, and the pattern can be determined using the grid below, which shows that this pattern corresponds to an 'L' shape:

Pattern Screen Layout
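As an added illustration (not code from the post or its GitHub script), this Go snippet maps a decrypted pattern string onto the 3x3 grid and renders it. The row-major dot numbering (0 1 2 / 3 4 5 / 6 7 8) is an assumption inferred from the post's example, where '03678' forms an 'L'.

```go
package main

import (
	"fmt"
	"strings"
)

// patternCells maps a decrypted pattern string such as "03678" to (row, col) grid positions.
// Row-major numbering (0 1 2 / 3 4 5 / 6 7 8) is assumed: it matches the post's 'L' example.
func patternCells(pattern string) ([][2]int, error) {
	seen := map[byte]bool{}
	cells := make([][2]int, 0, len(pattern))
	for i := 0; i < len(pattern); i++ {
		d := pattern[i]
		if d < '0' || d > '8' {
			return nil, fmt.Errorf("position %d: %q is not a grid digit 0-8", i, d)
		}
		if seen[d] { // a lock pattern never revisits a dot
			return nil, fmt.Errorf("position %d: dot %c repeated", i, d)
		}
		seen[d] = true
		n := int(d - '0')
		cells = append(cells, [2]int{n / 3, n % 3})
	}
	return cells, nil
}

// renderPattern draws the grid, marking each visited dot with its 1-based swipe order and unvisited dots with '.'.
func renderPattern(pattern string) (string, error) {
	cells, err := patternCells(pattern)
	if err != nil {
		return "", err
	}
	grid := [3][3]string{{".", ".", "."}, {".", ".", "."}, {".", ".", "."}}
	for i, rc := range cells {
		grid[rc[0]][rc[1]] = fmt.Sprint(i + 1)
	}
	var b strings.Builder
	for _, row := range grid {
		b.WriteString(strings.Join(row[:], " ") + "\n")
	}
	return b.String(), nil
}

func main() {
	out, _ := renderPattern("03678") // the post's decrypted example, which renders as an 'L'
	fmt.Print(out)
}
```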

Decryption – Media Files

Media files can be decrypted in the same way, using the hard-coded key and IV:

CyberChef Decrypting Media Files
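Go code, added here as a worked example and not the post's own GitHub script, that performs the AES_CBC decryption described in the PIN / pattern and media file sections (key and IV both Rny48Ni8aPjYCnUI) and applies the 'Full' / 'Light' prefix rule from the media files section. It assumes PKCS#7 padding, which the post does not state, and that any Base64 or hex encoding of a stored value has already been removed; the sample ciphertext is constructed inside the block, not taken from a device.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// Hard-coded key from the post; the same 16 ASCII bytes are also used as the IV.
const vaultKey = "Rny48Ni8aPjYCnUI"
func newBlock() cipher.Block { b, _ := aes.NewCipher([]byte(vaultKey)); return b } // 16-byte key: cannot fail
// decryptVaultValue decrypts raw AES-128-CBC ciphertext (after any Base64/hex decoding of the XML value) and strips PKCS#7 padding; PKCS#7 is an assumption, the post does not name the padding scheme.
func decryptVaultValue(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of 16", len(ct))
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(newBlock(), []byte(vaultKey)).CryptBlocks(pt, ct) // IV == key
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding: wrong key/IV, or not PKCS#7")
	}
	return pt[:len(pt)-pad], nil
}

// recoverVaultFile applies the 'Full' vs 'Light' rule from the post: names starting with 'h' hold AES-encrypted data, names starting with 'e' were only renamed and need no decryption.
func recoverVaultFile(name string, data []byte) ([]byte, error) {
	switch {
	case len(name) > 0 && name[0] == 'h':
		return decryptVaultValue(data)
	case len(name) > 0 && name[0] == 'e':
		return data, nil
	}
	return nil, fmt.Errorf("%q: unexpected vault file prefix", name)
}

// encryptForDemo builds a constructed ciphertext so the example runs offline without a device image.
func encryptForDemo(pt []byte) []byte {
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(newBlock(), []byte(vaultKey)).CryptBlocks(ct, padded)
	return ct
}
func main() {
	pin, err := decryptVaultValue(encryptForDemo([]byte("1234"))) // constructed PIN, not from a case
	fmt.Println(string(pin), err)
}
```

To use it on real data, pass the decoded value of a 'share_locked_vault.xml' entry to decryptVaultValue, or a file's name and bytes from '.locked_vault' to recoverVaultFile.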

Decryption – Database Files

The database file, 'locked_vault.db', is also encrypted using the same value. However, rather than converting it to hex, the value is used directly as the passphrase.

Using ‘DB Browser (SQLCipher)’ the database can be imported and decrypted:

DB Browser (SQLCipher) Database Decryption

It is important to set the SQLCipher version to 3 in the encryption settings, otherwise decryption will not work.

The database holds information about the encrypted files and their state before encryption. It is also where browser artefacts and 'notes' are stored if the user has used those features:

Decrypted Notes from Database

Conclusion

This application shares most of its cryptographic features with the app(s) covered in the previous post, 'Decrypting the 'Calculator' App(s)'. The main differences are the naming and location of files; the method by which they are encrypted / decrypted, AES_CBC with the hard-coded key Rny48Ni8aPjYCnUI, remains the same.

The script written for the previous post has been edited and uploaded to cover this application. It does not handle decryption of the database, as that is easily done in 'DB Browser (SQLCipher)'. The script can be found on GitHub here.

I would always encourage feedback, so if you found this helpful then hit me up in the comments here or on my Twitter @4n6chewtoy.
