Saturday, 22 July 2017
Mobile Software Security

Lock Screen Flaw found in Android 5.0 (Lollipop)

A flaw has been detected in Android 5.0 Lollipop version that lets a user bypass the lock-screen if the Android phone was locked using a password. The exploit does not succeed if the phone was locked using a PIN or lock pattern.

The vulnerability was detected and details were published by researchers from University of Texas. It allows anyone to bypass the general lock screens on Android 5.0 devices.

Devices upgraded to Android version 5.1.1, with updated patch for the vulnerability, are on the safer side.

Whenever your camera or camera app is under operation and a considerably long password string is passed to the lock screen, a person may attack your screen, destabilizing it and forcing to push back to home screen,”

the published report stated.

By passing too much characters, one can kill the security operations and bypass it to have full access over the device and the attacker may have access to all the applications and thus can run remote viewer to control it later on.

The research mentions that only the users with lock-screen passwords are unsafe as it doesn’t affect lock patterns or PIN protected screens.

Keep in mind that not every phone is under attack. It affects only Android 5.0 or 5.1.1 (without patch), about 21% of Android users.

Google named the flaw CVE-2015-3860 and classified it as moderate and the security update was released on September 9.

The update is specially meant for Google’s own Nexus phones while other platforms that run Android OS like LG, Samsung and HTC will soon come up with their own patches.

So Android users are advised to change their protection mode from lock screen password to PIN or lock pattern to be on the safer side.

One can change the setting by tapping Settings, hitting Security and then clicking Screen lock.

Google has released the update while other users have to wait for their respective vendors until they release the updated patch.