Facebook Home May Disable Android Lockscreen Security
Facebook's Home Android app may disable PIN or pattern locks on the HTC First, the first phone to come with the app pre-installed.
We set our review handset of the HTC First to use a PIN lock, then a pattern lock. Using Facebook Home's default settings, we were able to completely bypass the lockscreen and get into the user's email and Gmail accounts immediately, and into other apps as well.
We were able to duplicate this error on some, but not all, of the floor-demonstration units of the HTC First at a local AT&T store. We were not able to duplicate it on a Samsung Galaxy S III and an HTC One X that had installed Facebook Home from Google Play.
Our review handset only asked for a PIN after we turned off the phone entirely and powered it back up again. After we entered the PIN upon initial bootup, the phone did not ask us for it again, even though the stock Android security settings were set to "Power button instantly locks."
A full factory reset seemed to resolve the issue. Once that was done, which wiped all user apps and data, the PIN lock cooperated with Facebook Home.
We were able to replicate the issue on two HTC First phones being used as floor demonstration units at the AT&T store up the street from our offices, but not on two other HTC Firsts at the same store. The issue was replicated on the first two phones only after we had logged into our Facebook accounts.
On one phone in the AT&T store, we were able to bypass a PIN lock, but not a pattern lock. When we reset the settings on that phone to use a PIN lock again, we were not able to bypass the PIN.
All the demonstration HTC Firsts in the AT&T store appeared to have the same Android and HTC software builds, and the same baseband firmware.
There do not appear to be any security options in Facebook Home's own settings, but HTC First users can sidestep the issue by changing Home's settings to uncheck "See Home When Screen Turns On," or perhaps, as mentioned above, by performing a factory reset.
We recommend that anyone using Facebook Home on the HTC First do one of those.
Facebook Home can also be disabled entirely. Once we did that on our review unit, but before the factory reset, the phone prompted us for a PIN immediately after waking the screen. When we re-enabled Facebook Home, the PIN demand disappeared.
It's not clear whether the issue will appear on other Android models that install Facebook Home from Google Play, where the app launched today (April 12).
We installed Facebook Home on a Samsung Galaxy S III and an HTC One X and were not able to replicate the issue. Both phones use manufacturer-installed settings and lockscreen software, while the HTC First uses stock Android Jelly Bean 4.2 software.
We contacted representatives for Facebook and HTC, and they told us they were looking into the matter.
A Facebook spokesman told us last week that Facebook Home would be subordinate to stock Android lockscreen settings. That does not appear to always be the case.
Security experts recommend that users enable PIN, pattern or other locking features on smartphones at all times.
Smartphones contain a wealth of private user data that's valuable to identity thieves and common criminals, and locking the screen behind a passcode is the primary line of defense.