In September, Google added the remote Device locking Capability to its Android Device Manager, allowing users to lock their phone if it's stolen or lost.
The mechanism allows user to override the existing device lock scheme and set password scheme for better security.
But Recently, Curesec Research Team from Germany has discovered an interesting vulnerability (CVE-2013-6271) in Android 4.3 that allows a rogue app to remove all existing device locks activated by a user.
'The bug exists on the "com.android.settings.ChooseLockGeneric class". This class is used to allow the user to modify the type of lock mechanism the device should have.' CRT team says in a blog post
Android OS has several device lock mechanisms like PIN, Password, Gesture and even faces recognition to lock and unlock a device. For modification in password settings, the device asks the user for confirmation of the previous lock.
But if some malicious application is installed on the device, it could exploit the flaw to unlock the device without the knowledge of previous password. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Curesec Team has already reported the vulnerability to Google Android Security Team three times, but unfortulatly Google is not responding them about this issue.
Update – 3:11 PM Thursday, December 5, 2013 (GMT) : Curesec Team has released a proof of concept application (CRT-Removelocks.apk) and Source code to demonstrate the vulnerability.
I installed and tested the application on my Samsung Galaxy S4 with Android 4.3 Jelly beans, and seriously - Just one single click on 'Remove Lock Now', it immediately removed my Pattern lock from the device.
I installed and tested the application on my Samsung Galaxy S4 with Android 4.3 Jelly beans, and seriously - Just one single click on 'Remove Lock Now', it immediately removed my Pattern lock from the device.
