Researchers have found that a flaw in Android 4.3 Jelly Bean, the most common version available today, can allow applications to bypass security locks on a targeted device, making it susceptible to attacks.
Users have the option to choose from several different security lock options, such as facial recognition, a PIN code, or gesture locks, and change them at any time. The vulnerability in Android 4.3 Jelly Bean can allow a rogue application to leverage this option to disable the locks, according to the researchers.
“The bug exists on the ‘com.android.settings.ChooseLockGeneric class’. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.x. If a user wants to change the pin or remove it it has to first enter the previous pin),” wrote the Curesec Research Team.
The vulnerability was reported to the Google Android security team and assigned CVE-2013-6271, but the researchers stated that given the company’s unwillingness to further discuss the flaw, they felt it necessary to disclose the vulnerability publicly prior to a patch being issued.
“The vulnerability described here enables any rouge app at any time to remove all existing device locks activated by an user. Curesec disclosed this vulnerability as Google Android Security Team was not responding any more about this issue.” the researchers stated.
The disclosure was accompanied by a portion of the researcher’s proof-of-concept code.
Read More Here…