
Researchers have found a flaw in Android 4.3 Jelly Bean, the most common version available today, that lets an application installed on a device remove the device's screen lock without knowing the current PIN, password or pattern, leaving the device open to anyone who has it in hand.

Users can choose from several lock types, such as facial recognition, a PIN code, a password, or a gesture pattern, and change them at any time. According to the researchers, the vulnerability in Android 4.3 Jelly Bean lets a rogue application drive this lock-change flow itself and disable the lock without the user's involvement.

“The bug exists on the ‘ class’. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like PIN, password, gesture and even face recognition, to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.g. if a user wants to change the PIN or remove it, they have to first enter the previous PIN),” wrote the Curesec Research Team.

The vulnerability was reported to the Google Android security team and assigned CVE-2013-6271, but the researchers stated that given the company’s unwillingness to further discuss the flaw, they felt it necessary to disclose the vulnerability publicly prior to a patch being issued.

“The vulnerability described here enables any rogue app at any time to remove all existing device locks activated by a user. Curesec disclosed this vulnerability as the Google Android Security Team was not responding any more about this issue,” the researchers stated.

The disclosure was accompanied by a portion of the researchers' proof-of-concept code.
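That proof-of-concept is not reproduced on this page. What follows is an added illustration, written for this page and taken neither from Curesec's advisory nor from the Android source, of the design weakness the quoted description points at: a lock-settings screen whose "confirm the existing credential first" step can be influenced by whoever starts it. The activity names and the `skip_confirm` extra are hypothetical; `KeyguardManager.isKeyguardSecure()` and `startActivityForResult` are the real Android APIs. The page does not describe how the vulnerable Android 4.3 component was actually reached, and this example does not claim to.

```java
// Added illustration for this page. Hypothetical class and extra names;
// this is not Curesec's PoC and not code from the Android Settings app.
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Intent;
import android.os.Bundle;

public class ChangeLockActivity extends Activity {
    private static final int REQ_CONFIRM_CREDENTIAL = 1;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // WEAK pattern: the caller decides whether the old credential is asked for.
        // Any app that can start this activity can pass skip_confirm=true and go
        // straight to the lock chooser without knowing the current PIN/password.
        //
        //   boolean mustConfirm = !getIntent().getBooleanExtra("skip_confirm", false);

        // HARDENED pattern: derive the decision from device state the caller
        // cannot influence. isKeyguardSecure() (API 16+) is true when a PIN,
        // password or pattern is set; the Intent is never consulted.
        KeyguardManager km = (KeyguardManager) getSystemService(KEYGUARD_SERVICE);
        boolean mustConfirm = km.isKeyguardSecure();

        if (mustConfirm) {
            // Hand off to a dedicated confirmation screen (hypothetical name here)
            // and wait for its result; there is no code path to the chooser that
            // does not pass through onActivityResult with RESULT_OK.
            Intent confirm = new Intent(this, ConfirmCredentialActivity.class);
            startActivityForResult(confirm, REQ_CONFIRM_CREDENTIAL);
        } else {
            showLockChooser();
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQ_CONFIRM_CREDENTIAL) {
            return;
        }
        if (resultCode == RESULT_OK) {
            showLockChooser();
        } else {
            // Wrong, cancelled or missing credential: abort instead of falling through.
            finish();
        }
    }

    private void showLockChooser() {
        // Lock-type selection (PIN, password, pattern, face unlock) lives in its
        // own activity (hypothetical name); it is only reachable from here.
        startActivity(new Intent(this, LockChooserActivity.class));
        finish();
    }
}
```

Two further checks belong alongside this in a real app: declare the activity with `android:exported="false"` (or guard it with a signature-level permission) in the manifest so third-party apps cannot start it at all, and on API 21 and later prefer `KeyguardManager.createConfirmDeviceCredentialIntent()` over a home-grown confirmation screen so the platform, not the app, verifies the credential.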


  • Natalia

    Hi, is it possible for you guys to explain to me how it is that the phone can be unlocked? I put a password on my phone and forgot part of the password. I've tried everything that I've seen online. I also contacted both my cellphone provider and Samsung, and the options they gave me were 1.) use the Samsung "find my phone" web page through the Samsung website and 2.) hard reset my phone. Option one didn't work because I don't have that option enabled, so the "find my phone" webpage/app won't work. Option two definitely isn't an option for me; I have pictures of a few trips and hadn't gotten around to passing them to my laptop, and I don't want to lose those pictures. Please help me if you can; I'll try anything that might work to save those pictures.