Header Ads

Google fixes an Android Lollipop lockscreen bypass bug - how bad was it?



Google issued its first monthly Android security patch for Nexus devices a few days ago, and one of the items in the changelog was quite interesting. Google patched a lock screen bypass vulnerability that was present in Android 5.0and higher. That’s certainly a serious bug, and something that would be a real problem if it was out there unpatched.
However ,even though the patch has been deployed, many reports are treating this as an apocalyptic security problem for Android. But that’s all due to a fundamental misunderstanding of how Android works.
The flaw in question was discovered by University of Texas researchers and relies on the password field on the lock screen. So right off the bat, this vulnerability only applies if you’re using a password lock method, because it has a text field. A pattern or PIN lock does not present such a field, even if you enter your code incorrectly multiple times. You need that text field because the hack relies on pasting text into that field to crash the lock screen.
Google has patched Nexus devices with build LMY48M and noted that there were no active exploits of this vulnerability in the wild. However, many of the news reports on this issue have pointed out with hyperbolic concern that there are still about one-fifth of Android devices from Samsung, LG, and others running un-patched versions of 5.x. What these hysterical warnings fail to take into account is that none of those phones were vulnerable in the first place.
The flaw relies entirely upon a stock build of Android like you’d find on Nexus devices. All other OEMs have modified lock screens and camera apps. Many also have their own keyboards that don’t work with the bug. Just to make sure, I’ve tested a Samsung Galaxy S6, LG G4, and 2015 Moto G, and none of them seem to be vulnerable. You can’t paste into the password field at all. So what does this mean? Virtually every device with this bug has been fixed, and there’s no need to panic.
This is how software patches work when handled responsibly — an issue is reported, a patch is issued, and the method is disclosed. There’s nothing unusual about this flaw, and there aren’t millions of phones out there with broken lock screens. Don’t believe the hype.
Source >>   Subscribe for more :))