The most common ways to protect an Android smartphone are a pattern, a PIN code or a password, in order from easiest to hardest to guess. A pattern can often be recovered simply by tilting the device against the light and reading the finger smudges left on the screen, whereas a password is far harder to guess without some hint of what it is.
A group of security researchers has discovered a flaw in the Android lock screen that grants access to the entire system by bypassing the lock screen when it is configured to require a password.
The way to exploit this flaw is very simple. From the password-protected lock screen we open the emergency call dialer. There we enter a string as long as possible, which we will later use to force the unlock. For example, we can type ten asterisks and copy/paste them repeatedly until the dialer field will not accept any more characters, then copy the resulting string.
Once we have the longest possible string on the clipboard, we return to the lock screen and open the camera application, which by default can be used without entering the password. From the camera we open the menu at the top and go to the “System Settings” entry, at which point Android automatically prompts for the unlock password.
Here we paste the asterisk string (probably several times). After two or three pastes (depending on how long the string we copied the first time was) Android throws an error, the camera and the lock screen both close, and we land directly inside the system with full access to every file and application on it.
If the device locks again (for example after the screen timeout), we simply repeat the process to force the unlock once more.
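The security-relevant point in the steps above is that the lock screen fails open: when the password field cannot cope with its input, the overlay disappears and whatever sat underneath it is exposed without any further check. The following Python model is added here for illustration and is not taken from Android or from the researchers' demonstration; it contrasts that behaviour with a lock screen that bounds input before verifying it and keeps the locked state outside the UI, so that a crash leaves the device locked. The class and function names, the demo password and the 64-character limit are assumptions made for the model.

```python
import hmac

# Constructed demo secret; a real device compares against a salted hash held by a
# system service, never a literal inside the lock-screen UI.
_DEVICE_PASSWORD = "correct horse battery"
# Assumed bound for this demo only; the article does not state Android's real limit.
MAX_PASSWORD_LEN = 64


class KeyguardCrash(Exception):
    """Stands in for the lock-screen UI dying, the 'error' the article describes."""


def brittle_check(candidate: str) -> bool:
    """Password check that cannot cope with oversized input: instead of rejecting
    it, the component falls over, taking the lock screen with it."""
    if len(candidate) > MAX_PASSWORD_LEN:
        raise KeyguardCrash(f"{len(candidate)} characters in a password field")
    return hmac.compare_digest(candidate.encode(), _DEVICE_PASSWORD.encode())


class Device:
    """Minimal model: what is drawn in the foreground, and whether the system
    itself still considers the device locked."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.locked = True
        self.foreground = "keyguard"  # lock-screen overlay drawn above the launcher

    def enter_password(self, text: str) -> str:
        """Feed text into the password prompt; returns what the user sees afterwards."""
        # Hardened layer 1: bound the input before anything brittle touches it.
        if self.hardened and len(text) > MAX_PASSWORD_LEN:
            return self.foreground
        try:
            if brittle_check(text):
                self.locked = False
                self.foreground = "launcher"
        except KeyguardCrash:
            if self.hardened:
                # Hardened layer 2: lock state lives outside the UI, so a dead
                # keyguard is simply redrawn and the device stays locked.
                self.foreground = "keyguard"
            else:
                # Vulnerable behaviour: the overlay is gone and whatever sat
                # beneath it is now what the user sees, with no further check.
                self.locked = False
                self.foreground = "launcher"
        return self.foreground


def long_paste(repeats: int) -> str:
    """The oversized input from the article: ten asterisks, pasted over and over."""
    return "*" * 10 * repeats


if __name__ == "__main__":
    for hardened in (False, True):
        dev = Device(hardened)
        where = dev.enter_password(long_paste(30))
        print(f"hardened={hardened}: foreground={where}, locked={dev.locked}")
```

Run directly, the non-hardened device ends in the launcher with `locked` cleared after a single oversized paste, while the hardened one stays on the keyguard. The second layer matters even once the length check is in place: the next unexpected input will not be a long string, and the only safe default for a lock screen that dies is to come back locked.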
Here is a video where they show the process step by step.
Google has confirmed that it is aware of the flaw and has already fixed it; the fix has reached Nexus devices as a regular update. Users of devices from other manufacturers will have to wait for those manufacturers to publish the corresponding patches. In the meantime, since the bypass only works against a lock screen configured with a password, switching to a PIN as the unlock method seems, for now, the safest choice, even though a PIN is easier to guess than a password.
Do you think that Google should better review this type of action to guarantee the safety of its users?