Samsung's lock screen grants unauthorised insights
On several Samsung Android smartphones, the lock screen can temporarily be bypassed to take a quick glance at a user's home screen – at least, this has been found to be possible on a Samsung Galaxy Note II running the Jelly Bean (4.1.2) operating system and on a Galaxy S Plus with Android 2.3.6. While the issue doesn't represent a serious security hole, a home screen that is accessible to unauthorised viewers does have the potential to become a source of irritation for the affected users.
In mid-February, it was found that locked iOS devices potentially disclose contacts and photos if attackers are fast and clever. The security hole in the Galaxy Note II that has been discovered, and disclosed complete with a proof-of-concept video and vulnerability description, by UK blogger Terence Eden also requires nimble fingers.
Apparently, attackers can view a locked smartphone's home screen without entering the code to unlock the phone by accessing the emergency call feature; if components such as the calendar widget are used, attackers can potentially also view the owner's upcoming calendar items or find out more about which apps and preferences are being used. With a little dexterity, attackers can potentially also launch widgets such as the direct call feature.
The H, together with our associates at heise Security, was able to reproduce the issue Eden describes on a Note II with Android 4.1.2. With a little trial and error, the Galaxy S Plus with Android 2.3.6 also grants unwanted insights. A Samsung Galaxy S III running Android 4.1.2 and a HTC Sensation, on the other hand, kept all their information hidden during spot checks.
Eden says that he reported the hole to Samsung, but that the company failed to respond – and that he therefore decided to publish the information.