Skype for Android May Bypass Smartphone Lockscreens
Phone thieves might be able to bypass lockscreens on Android devices, thanks to a flaw in Skype for Android.
An Android developer posted details of the flaw on tech forums yesterday (July 1), explaining that Skype calls answered from a locked phone would enable bypass of the lockscreen, even after the call was terminated.
TechNewsDaily was not able to replicate the bypass in our own tests.
"The Skype for Android application appears to have a bug which permits the Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed relatively easily, if the device is logged into Skype, and the 'attacker' is able to call the 'victim' on Skype," wrote developer "Pulser" on the Full Disclosure security forum.
Google Play says more than 100 million Android devices have the Skype app installed.
Pulser's instructions were simple: Call the targeted phone on Skype, wait for it to answer, then hang up. The targeted phone will display the lockscreen, as it should.
But Pulser says that if the power button is then tapped, turning off the screen, then tapped again to turn the screen back on, the lockscreen will be bypassed.
"It will remain bypassed until the device is rebooted," Pulser wrote.
The flaw could let a thief or other attacker use a second device to unlock the first, provided the attacker knew or could find the Skype name for the first device's rightful user.
Pulser said the bypass has been shown to work on three current Android smartphone models: the Sony Xperia Z, the Samsung Galaxy Note II and the Huawei Premia 4G.
However, we were unable to replicate the results ourselves. We used a Samsung Galaxy Nexus phone running Jelly Bean 4.2.1. and a Samsung Nexus 10 tablet running Jelly Bean 4.2.2, and made Skype calls to and from both. On neither device was the lockscreen bypassed.
Pulser's phones were running Skype version 188.8.131.5273, which, according to Pulser, was released yesterday. Our Nexus 10 tablet had that version, but our Galaxy Nexus phone was running Skype 184.108.40.20647. (Google Play sends different versions of the app to different device models.)
It's not clear from Pulser's post whether both the calling and answering devices had to have version 220.127.116.1173 installed.
This isn't the first time smartphone lockscreens have been bypassed, even if inconsistently. Three months ago, we discovered a similar bypass on the so-called "Facebook phone," the HTC First, in which the Facebook overlay sometimes bypassed the lockscreen. (The First was discounted to 99 cents by AT&T after six weeks.)
Lockscreens are an essential part of smartphone security, but recent surveys find that only about a third of users activate them. That's a mistake.
No single item, not even a wallet or purse, contains as much valuable information about a person than his or her smartphone. The lockscreen is the first line of defense in case a smartphone is lost or stolen. If you don't have one activated, activate it now.