
Google issued its first monthly Android security patch for Nexus devices a few days ago, and one of the items in the changelog was quite interesting. Google patched a lock screen bypass vulnerability that was present in Android 5.0 and higher. That's certainly a serious bug, and something that would be a real problem if it was out there unpatched.

However, even though the patch has been deployed, many reports are treating this as an apocalyptic security problem for Android. But that's all due to a fundamental misunderstanding of how Android works.

The flaw in question was discovered by University of Texas researchers and relies on the password field on the lock screen. So right off the bat, this vulnerability only applies if you're using a password lock method, because it has a text field. A pattern or PIN lock does not present such a field, even if you enter your code incorrectly multiple times. You need that text field because the hack relies on pasting text into that field to crash the lock screen.

You can see in the video below how the hack works. It's a legitimate lock screen bypass, but it takes a few minutes to execute. Basically, you need to paste long strings of text into the field repeatedly, but only when accessed from the lock screen's camera interface. Eventually, the camera and lock screen will both crash, and the phone dumps you on to the home screen. Whoops. From that point, you have full access to the phone until you lock it again. You can do things like enable USB debugging or authorize a bootloader unlock without any trouble.

Google has patched Nexus devices with build LMY48M and noted that there were no active exploits of this vulnerability in the wild. However, many of the news reports on this issue have pointed out with hyperbolic concern that there are still about one-fifth of Android devices from Samsung, LG, and others running unpatched versions of 5.x. What these hysterical warnings fail to take into account is that none of those phones were vulnerable in the first place.

The flaw relies entirely upon a stock build of Android like you'd find on Nexus devices. All other OEMs have modified lock screens and camera apps. Many also have their own keyboards that don't work with the bug. Just to make sure, I've tested a Samsung Galaxy S6, LG G4, and 2022 Moto G, and none of them seem to be vulnerable. You can't paste into the password field at all. So what does this mean? Almost every device with this bug has been fixed, and there's no need to panic.

This is how software patches work when handled responsibly: an issue is reported, a patch is issued, and the method is disclosed. There's nothing unusual about this flaw, and there aren't millions of phones out there with broken lock screens. Don't believe the hype.