Unpatched vulnerability in Android 4.3 allows apps to Remove Device Locks !!! In September, Google added the remote Device locking Capability to its Android Device Manager, allowing users to lock their phone if it’s stolen or lost. The mechanism allows user to override the existing device lock scheme and set password scheme for better security. But Recently, Curesec Research Team from Germany has discovered an interesting vulnerability (CVE-2013-6271) in Android 4.3 that allows a rogue app to remove all existing device locks activated by a user. The bug exists on the “com.android.settings.ChooseLockGeneric class”. This class is used to allow the user to modify the type of lock mechanism the device should have. CRT team says in a blog post. Android OS has several device lock mechanisms like PIN, Password, Gesture and even faces recognition to lock and unlock a device. For modification in password settings, the device asks the user for confirmation of the previous lock. But if some malicious application is installed on the device, it could exploit the flaw to unlock the device without the knowledge of previous password. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Posted on: Tue, 03 Dec 2013 11:32:41 +0000
Trending Topics
Recently Viewed Topics
© 2015