Breaking the encryption of the GalleryVault app

Note: This article was written years ago and things may have changed.

Gallery Vault is a mobile app with over 10 million downloads on the Google Play Store. It claims to offer privacy and encryption for your photos.

Creating a New Vault

However, the developers never mention what kind of encryption they’re actually using — so, naturally, I got curious and decided to dig a little deeper.

Once you create a new “vault” in the app, it generates a few interesting files:

  • An event log located at Android/data/com.thinkyeah.galleryvault/files/events/event_log.txt
  • A folder named .galleryvault_DoNotDelete_1582979061 in the shared home directory, which is accessible to every other app on the device. This is where your supposedly “encrypted” files are stored.
    One fun detail: the folder name ends with the Unix timestamp of when the vault was created.

Analyzing the Log File

The log file is full of noisy data, but it’s still useful — it reveals how packed the app is with advertising and tracking SDKs. More interestingly, every time you open a file inside the app, a line like this gets logged:

[VideoPlayManagerImpl] Load video, uri: file:///storage/emulated/0/.galleryvault_DoNotDelete_1582979061/files/b8/b882720e-30e3-4dc2-b977-56a5470b1ed7

From this, we now know that every stored file lives inside the files directory. So, let’s pick one and take a closer look.

Analyzing an “Encrypted” File

Let’s analyze a random file from the .galleryvault_DoNotDelete_ folder.

What could it be? AES-256-CBC? Custom encryption? 3DES? Rot13?

tom@Laptop:~$ file 5d123200-8c46-424e-877d-38231ada243a
5d123200-8c46-424e-877d-38231ada243a: PNG image data, 300 x 300, 8-bit colormap, non-interlaced

Surprise — it’s just a regular PNG file, not encrypted and perfectly viewable. In fact, here’s what it looks like:

[Image: GalleryVault Preview]

Apparently, the developers opted for the CTF-style steganography route. Nice touch!
So, let’s go full CTF mode and toss it into CyberChef:

[Image: CyberChef]

The “Extract Files” operation immediately detects the magic bytes of another, hidden JPG file around 11KB in size. After extraction, we get this:

[Image: Original Image]

That’s the original image — likely a low-quality preview version.
There’s still a bunch of leftover data, which seems to contain the high-quality version of the same image, but honestly, do we really need to recover it?
The preview is already good enough that whatever “encryption” remains — if any — is completely meaningless.
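
The magic-byte search that the “Extract Files” step performs can be reproduced with a short script; this is an added example, not code from the original article or from the app. It assumes the hidden JPEG sits in the bytes after the PNG’s IEND chunk (the article does not say where it is), and it runs on a constructed sample, not a real vault file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def png_end(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length field + type + payload + CRC
        if ctype == b"IEND" and pos <= len(data):
            return pos
    raise ValueError("truncated PNG: no IEND chunk")

def carve_jpegs(blob: bytes):
    """Yield (offset, bytes) for each SOI..EOI span in blob.
    Naive: a JPEG with an embedded EXIF thumbnail has an inner EOI, so a
    real carver should parse segments instead of taking the first FF D9."""
    start = blob.find(JPEG_SOI)
    while start != -1:
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1:
            break
        yield start, blob[start:end + 2]
        start = blob.find(JPEG_SOI, end + 2)

def inspect_file(data: bytes) -> dict:
    """Report the PNG's real size, trailing bytes, and JPEGs found in them."""
    end = png_end(data)
    trailing = data[end:]
    found = [(end + off, len(jpg)) for off, jpg in carve_jpegs(trailing)]
    return {"png_size": end, "trailing_bytes": len(trailing), "jpegs": found}

def chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk (used only to construct the sample below)."""
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))

# Constructed sample: a 1x1 grayscale PNG, a fake JPEG, then filler bytes.
PNG_PART = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
FAKE_JPEG = JPEG_SOI + b"\xe0constructed-preview" + JPEG_EOI
LEFTOVER = b"\x00" * 16
SAMPLE = PNG_PART + FAKE_JPEG + LEFTOVER

if __name__ == "__main__":
    print(inspect_file(SAMPLE))
```

Any non-zero trailing_bytes on a file that `file` reports as a plain PNG is worth a closer look, since image viewers stop reading at IEND.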

What’s Left

To recap:

  • All files are stored in a public directory, unencrypted.
  • There’s also an unprotected SQLite3 database tracking every file you “encrypted” — filenames, timestamps, and all.

Don’t Trust Mobile Apps (Blindly)

Just because an app claims to encrypt your data or protect your privacy doesn’t mean it actually does.

If you’re a developer: don’t roll your own crypto.
If you’re a user: verify the software you trust with your private data.

In this case, the app’s “encryption” is basically nonexistent — and that’s assuming the developers even meant well.