Android Jellybean Bug Enables Apps to Turn Off Security Mechanisms

According to Germany-based Curesec, the vulnerability essentially enables any rogue app at any time to remove all existing device locks activated by a user. Android devices can implement several locks, like PIN, password, gesture and even facial recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (i.e., if a user wants to change the PIN or remove it, he or she must enter the existing code).

But the bug, which lies in the “com.android.settings.ChooseLockGeneric” class, allows the type of lock mechanism to be changed without that confirmation, Curesec noted in its forensic analysis.

“This first piece of code allows the caller to actually control if the confirmation to change the lock mechanism is enabled or not,” the firm explained. “We can control the flow to reach the [‘update preferences’ function], and see that if we provide a password type, the flow continues to [the ‘update and unlock’ function].” If the supplied password type is ‘password_quality_unspecified,’ that code path runs and effectively removes the lock from the device.
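The flow Curesec describes, as an added illustration that is not AOSP code and not Curesec's own: a simplified settings activity in which a caller-supplied intent extra would decide whether the existing credential must be confirmed, alongside the hardened form that always runs the confirmation itself. Every class, extra and helper name here is hypothetical.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

// Hypothetical, simplified model of the flow described above; not AOSP code.
// Extra names and helper methods are assumptions, not the real identifiers.
public class LockTypeChooserActivity extends Activity {
    static final String EXTRA_PASSWORD_TYPE = "hypothetical.password_type";
    static final int PASSWORD_QUALITY_UNSPECIFIED = 0;  // "no lock at all"
    static final int REQUEST_CONFIRM = 1;
    private int requestedQuality = -1;

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        Intent in = getIntent();
        requestedQuality = in.getIntExtra(EXTRA_PASSWORD_TYPE, -1);

        // VULNERABLE PATTERN (the one the article describes): a boolean extra
        // supplied by the calling app decides whether the user must first
        // prove knowledge of the current lock, e.g.
        //   boolean mustConfirm = !in.getBooleanExtra("hypothetical.skip_confirm", false);
        //   if (!mustConfirm) { updateLockType(requestedQuality); return; }
        //
        // HARDENED: the decision is never delegated to intent extras; the
        // credential check is unconditional. (The activity should also not be
        // exported to third-party apps, or should require a signature permission.)
        startActivityForResult(buildConfirmCredentialIntent(), REQUEST_CONFIRM);
    }

    @Override
    protected void onActivityResult(int req, int result, Intent data) {
        super.onActivityResult(req, result, data);
        // Only a successful confirmation ever reaches the update path.
        if (req == REQUEST_CONFIRM && result == RESULT_OK) {
            updateLockType(requestedQuality);
        } else {
            finish();  // refuse to change anything without confirmation
        }
    }

    private void updateLockType(int quality) {
        if (quality == PASSWORD_QUALITY_UNSPECIFIED) {
            clearLock();  // assumed helper: removes the device lock entirely
        }
        // other qualities would set a new PIN/password/pattern here
    }

    // Assumed helpers standing in for the platform's own lock-settings code.
    private Intent buildConfirmCredentialIntent() { return new Intent(); }
    private void clearLock() { }
}
```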

The issue does not simply translate to a lockscreen bypass (of which there have been many for both Android and iPhone in the past). It also offers the ability to access other protected areas of the phone. So, a malicious app can be written that, if installed on a vulnerable device by an unwitting user, could then set about disabling the security mechanisms that enable access to locked apps or information on the phone, and access any area that requires an existing code to change security locks.

Curesec said that it decided to disclose this vulnerability after the Google Android Security Team failed to adequately respond to the issue. Google, for its part, said through a representative that the loophole is closed in the next version of Android, dubbed KitKat 4.4, so, as always, the best policy is to keep operating system versions up to date.
