A security researcher recently found a vulnerability that allows access to apps and the ability to dial phone numbers on the Samsung Galaxy Note II running Android 4.1.2, all while the phone is locked. The vulnerability requires a user to press the ‘Emergency Call’ icon, then the ‘in case of emergency’ (ICE) button, and then hold down the home button.
The home screen is briefly displayed before the lock screen pops back up, so as the home screen flashes, someone could touch one of the apps displayed and access it without any authentication. Using this exploit requires good timing, because the interval in which the home screen is displayed is short and the apps immediately go into the background. If you use a widget on your home screen (some users I know do), it might display your emails and calendar data during that flash.
It’s not known right now whether this vulnerability is linked to just Samsung’s TouchWiz user interface. It does appear from testing we have done that most of the Galaxy range of handsets could be affected (we tested on the S3), but only those running Android 4.1.2. This is why we believe that the vanilla version (see Bootnote) of Android, which is the original Google build without any customisations, should be the only version adopted by the handset manufacturers.
The reasons for this are actually quite simple…
Vanilla Android is far more robust, has better performance and has no bloatware. By contrast, the OEM versions I’ve used, such as Samsung TouchWiz on the S3 and Note II, have had firmware problems (e.g. unexpected device reboots) and performance problems.
Did you know? Android allows the dynamic loading of code (unlike iOS), so an app could automatically download executable content.
Outside of Android 4.1.2, the “Lock screen widgets” function is also a new feature of Android Jelly Bean versions 4.2/4.2.1, where you can, for example, view email and calendar preview widgets on the lock screen without actually unlocking the device (by swiping left from the lock screen). Worse still, you can also delete widgets without actually unlocking the device! There are some major privacy concerns here. If you value your privacy, I suggest you don’t use these widgets right now.
Did you know? Google Bouncer emulates an Android device, so malware could detect the emulation mode and simply not execute. I’ve written about this on countless occasions.
Safe surfing folks!
Bootnote: Vanilla Android means the original Google build without any customisations. An example of a customisation is the TouchWiz UI used on the Samsung Galaxy S3.