Lock Screen Bypass Flaw Found in Samsung Androids.

Galaxy Note screen lock bypass

1 reply to this topic

#1 eyecre8


Posted 05 March 2013 - 11:21 AM

A vulnerability exists in Samsung devices running Android version 4.1.2 that could
give unauthenticated users the ability to circumvent the screen lock and view the home screen,
run apps, and reach out to contacts without successfully completing Android’s pattern lock, PIN,
password or Face Unlock mechanisms. This flaw was discovered recently by Terence Eden, a UK-based mobility expert.
At the moment there is no way to secure your phone against your home screen being accessed.


THE HOW-TO:
  • Lock the device with a "secure" pattern, PIN, or password.
  • Activate the screen.
  • Press "Emergency Call".
  • Press the "ICE" button on the bottom left.
  • Hold down the physical home key for a few seconds and then release.
  • The phone's home screen will be displayed - briefly.
    While the home screen is displayed, click on an app or a widget.
    The app or widget will launch.
    If the widget is "direct dial" the phone will start ringing.

Making a call relies on the phone having a direct dial widget on the home screen.
Running the apps is also of limited use - they go into the background immediately.
If the app performs an action on launch (like recording from the microphone, switching on the flash, playing music,
interacting with a server) that action will occur. Privacy concerns also exist in that an attacker could see what
apps you have installed on your homescreen - or see your calendar / emails if you use a widget which displays them.

Rapidly tapping the home button will - depending on your launcher - allow you to see what is on every home screen.
Using an external video camera you should be able to clearly see all the user's calendar & email widgets if they have enabled

According to Eden, this has only been tried on one class of handset, the Galaxy Note II N7100 running 4.1.2.
The two devices both ran the stock launcher and lock screen. One device was rooted while the other was factory stock.

Things to keep in mind and ways to limit exposure:
  • Do not use direct dial widgets on your home-screen.
  • Remove any calendar or email widgets which may show sensitive information from your home-screen.
  • Ensure that any apps which you do have on your home-screens do not automatically cost you money or act maliciously when launched.
  • Use an app locker to prompt for a password when apps are launched.
  • Changing to a different launcher will not protect you.
  • Using a 3rd party lock screen will not protect you if it accesses the emergency dialer.


My name is Eyecre8 and I approve this message!

#2 stewie griffin


Posted 05 March 2013 - 02:20 PM

For anyone who roots their phone, I wonder if deleting the "ICE" apk would prevent the vulnerability of the lock screen from the method described in this article. I don't have a Samsung phone, so I can't try it myself, but that apk is one I delete from my phone anyway, along with a lot of bloat assuming the fastboot files are available.