3

In the knowledge base of the Vaulty app to answer this question: Is Vaulty safe? they say that they modify the files and the files are safe.

I wonder if Vaulty is really safe and specifically whether this app uses AES encryption or not?

wiki
  • 465
  • 2
  • 9
  • 20

3 Answers3

4

First, I'd like to quote all texts from the knowledge base,

Is Vaulty safe?

Yes, Vaulty uses several advanced layers of security to protect your private media. Files are moved to a location that the gallery cannot view and are modified so that they are not able to be viewed without changing the file back. Vaulty's protection offers the perfect balance between privacy, security and speed.

As of current version (4.0.10 r3710), what the app is doing:

  1. Move the file to /sdcard/Documents/Vaulty/data (can be changed inside the app) with .nomedia ("Files are moved to a location that the gallery cannot view")
  2. Change the file's extension (.vdata) and obfuscate the filename (currently, no idea how it's generated)
  3. Prepend obscured to the file ("modified so that they are not able to be viewed without changing the file back")

The app doesn't actually encrypt the file at all. The file's content is the same, but only prepended by obscured which make it invalid image/video file. The reason why this works is because of how image/video viewers work. They check the signature of the file, and if it doesn't match to any, they will think that it's an invalid image/video file.

The conclusion is:

  1. Moving a file to a folder with .nomedia is only safe for device without file manager. However, anyone can download file manager. To make it worse, the file is saved on external storage which can be accessed when connected to PC.
  2. If someone doesn't know that .vdata is Vaulty's data, then it's at least "safe", unless they analyze the content. However, if they know, then obfuscating the filename is actually not useful at all (any filename is valid for image/video). The only problem is to determine the correct original extension.
  3. This is the main feature. I assumed Vaulty avoided real encryption due to speed, since en/decrypting a big file (especially, video) can be slow ("Vaulty's protection offers the perfect balance between privacy, security and speed"). Instead, it decided to only prepend a short text, which can be removed easily and considerably faster even on big file. However, if someone knows this, then they can remove it manually and retrieve the original file. From here, they can also determine the extension/file format based on the signature itself.
Community
  • 1
Andrew T.
  • 15,988
  • 10
  • 74
  • 123
1

Was curious so I downloaded the app and tested: pictures are saved in the apps data folder without any encryption.

user1850479
  • 111
  • 1
-1

Vaulty is a private app and disclosing publicly the type of encryption they use would not be in their best interest.

karlphillip
  • 99
  • 2
  • 2
    If the encryption is performed properly it doesn't matter if a would-be attacker knows what algorithm is used. It is pretty common for encryption programs to specify their algorithms. – eldarerathis Dec 28 '14 at 18:51