Hello Full Disclosure,

I would like to disclose a security vulnerability identified in a smartphone application: *Koller Secret: Real Hidden App*.

This report is shared in the interest of responsible disclosure and improving overall security awareness.

---

*Summary*

- Application: Koller Secret: Real Hidden App
- Package / Bundle ID: com.koller.secret.hidemyphoto
- Platform: Android
- Affected Version(s): v.1.0.27 and below
- Vulnerability Type: Authentication Bypass
- Severity: High
- CVE: Pending

---

*Background*

Koller Secret claims to be the "first truly hidden app" that has "no visible icon nor launcher" and *can be accessed only by entering an Android secret code* from the user's dial pad.

---

*Description*

The application contains a vulnerability that allows an attacker to *bypass the secret code mechanism* and reach the app's main UI. The root cause appears to be improper access control on an exported Android component: the MainActivity is explicitly declared with `android:exported="true"` in the Android manifest, which makes it reachable from external applications and allows unauthorized activity invocation.

---

*Technical Details*

- Relevant components:
  - MainActivity / Android Manifest
- Security mechanism affected:
  - Access control

*Observed behavior:*

The application's MainActivity can be launched externally via ADB by explicitly invoking it with the expected intent action (ACTION_LAUNCH). When started in this manner, the application skips the intended secret code verification and proceeds directly to the protected interface.

*Expected behavior:*

The application should reject any attempt to launch the protected main interface from external sources, including ADB or other applications. Access to the protected interface should only be granted through the official application flow, which requires successful secret code entry via the dial pad. All other invocation attempts should be denied.

---

*Proof of Concept (PoC)*

1. Install "Koller Secret: Real Hidden App" version 1.0.27 (or earlier) on an Android smartphone.
2. Connect the smartphone to a desktop machine (e.g., via a USB cable) that supports Android Debug Bridge (ADB).
3. Launch a command line terminal (or Command Prompt on Windows).
4. Run the command:

   > adb shell am start -n com.koller.secret.hidemyphoto/.MainActivity -a com.koller.secret.hidemyphoto.ACTION_LAUNCH

5. Observe that:
   - The main UI of the Koller Secret app is loaded on the smartphone.
   - No secret code entry is required.

**Important note**: The Koller Secret Pro app (with more "advanced security features") is also affected by the vulnerability when no lockscreen protection is enabled.

---

*Impact*

An attacker exploiting this vulnerability could potentially:

- access sensitive user data
- bypass security controls
- compromise application integrity

Successful exploitation of this issue undermines the application's intended security model, potentially allowing unauthorized access to sensitive user data and negatively impacting user trust in the application.

---

*Disclosure Timeline*

- 2025.11.21 – Vulnerability discovered
- 2025.11.25 – Vendor contacted
- 2025.11.29 – Vendor acknowledged
- 2025.12.29 – Public disclosure

The vendor was given reasonable time to respond prior to this disclosure. No malicious exploitation is known at the time of publication.

---

*Mitigation / Recommendation*

To mitigate this issue, the affected activity should not be exported unless explicitly required. Setting `android:exported="false"` for the MainActivity would prevent external invocation via ADB or third-party applications.

If exporting the activity is necessary, the application should enforce strict access control by validating the authorization state at runtime and ensuring that secret code verification has been successfully completed before granting access to protected functionality.

Users are advised to update to a fixed version once available.
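As an added example (not part of this advisory and not the vendor's code), a short Python lint over a decoded AndroidManifest.xml that flags activities any other app, or adb, can start without holding a permission; the manifest fragment is constructed to mirror the advisory, reusing only the package, activity and action names given above.

```python
# Added example, not from the advisory or the vendor: lint a decoded
# AndroidManifest.xml (e.g. apktool output) for activities that any other
# app, or `adb shell am start`, can launch without holding a permission.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"


def exposed_activities(manifest_xml: str):
    """Return [(fully qualified activity, reason)] for unguarded exported
    activities: android:exported="true", or the attribute absent while an
    <intent-filter> is declared (implicit export on older targetSdk)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = []
    for act in root.iter("activity"):
        name = act.get(ANDROID + "name", "")
        if name.startswith("."):          # shorthand relative to package
            name = pkg + name
        exported = act.get(ANDROID + "exported")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and act.find("intent-filter") is not None:
            reason = "implicitly exported via intent-filter"
        else:
            continue                      # not reachable from outside
        if act.get(ANDROID + "permission"):
            continue                      # caller must hold a permission
        findings.append((name, reason))
    return findings


# Constructed manifest fragment mirroring the advisory: MainActivity is
# exported and unguarded, so the ACTION_LAUNCH intent reaches it directly.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.koller.secret.hidemyphoto">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="com.koller.secret.hidemyphoto.ACTION_LAUNCH"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# The same fragment with the advisory's recommended fix applied.
FIXED_MANIFEST = WEAK_MANIFEST.replace('android:exported="true"',
                                       'android:exported="false"')
```

Running `exposed_activities` over the weak fragment reports MainActivity; over the fixed fragment it reports nothing, and an activity guarded by `android:permission` is likewise not reported.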
---

Discovered and reported by: duykham

---

*References*

- Install: https://play.google.com/store/apps/details?id=com.koller.secret.hidemyphoto
- Install (Pro): https://play.google.com/store/apps/details?id=com.koller.secret.hidemyphoto.pro
- Vendor: https://www.iotrusted.com

---

If additional information is required, I can be reached privately.

Regards,
duykham

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
