Viber app enables lock screen bypass
A security firm has warned that the Viber messaging and VOIP Android application allows an attacker to bypass the lock screen. Bkav have demonstrated the flaw on a range of Android devices: sending a message to a victim's phone using Viber causes a popup to appear over the lock screen from which the message can be answered. At that point, Bkav shows a number of different manipulations, depending on the device, such as displaying notifications, culminating in pressing the back button, at which point the victim's device would drop to the Android home screen.
If an attacker has physical possession of the phone and the phone's owner has previously installed Viber, then this would make it possible for the attacker to unlock the device. Viber claims a user base of 175 million users, though it is not clear how many of them are on Android devices – Viber runs on a wide selection of mobile operating systems and devices.
When they are installed, Android applications are allowed to request permission to temporarily unlock a device. The permission is designed to allow users to interact with an application, such as the phone app, to answer a call or respond to text messages without having to unlock the phone first. The application is, however, supposed to re-enable the lock immediately afterwards. Viber asks for this permission, among the mass of permissions that the app requires, so that it can present messages on the lock screen. It appears, though, to get confused by the various manipulations and lose track of its state. On the forums, there are discussions about issues with the feature and the logic of when and how it would pop up.
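As an added example (not part of the original article and not Viber's or Bkav's code), the following script audits decoded app manifests for apps that request the ability to disable the lock screen. It assumes the permission described above is android.permission.DISABLE_KEYGUARD and that each AndroidManifest.xml has already been decoded to text XML, for instance with apktool; the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace behind the android:* attributes in a decoded AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: this is the "temporarily unlock" permission the article refers to.
KEYGUARD_PERMISSION = "android.permission.DISABLE_KEYGUARD"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample input: file name -> decoded manifest text.
SAMPLE_MANIFESTS = {
    "messenger.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.messenger">
      <uses-permission android:name="android.permission.INTERNET"/>
      <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
      <application android:label="Messenger"/>
    </manifest>""",
    "notes.xml": """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.notes">
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
    "broken.xml": "<manifest",  # truncated file, must not abort the audit
}

def requested_permissions(manifest_xml):
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest")
    perms = set()
    for tag in PERMISSION_TAGS:
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package", "<unknown>"), perms

def audit(manifests):
    """Return (packages requesting the keyguard permission, unreadable files)."""
    flagged, errors = [], []
    for filename, text in sorted(manifests.items()):
        try:
            package, perms = requested_permissions(text)
        except (ET.ParseError, ValueError):
            errors.append(filename)
            continue
        if KEYGUARD_PERMISSION in perms:
            flagged.append(package)
    return flagged, errors

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFESTS))
```

A flagged package is not necessarily vulnerable; it is an app whose lock-screen handling is worth reviewing, along with any in-app setting that controls it.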
But the popup-and-reply feature isn't mandatory, just a default. If users navigate to the settings, they will find an option "Unlock for popups" which can disable the unlocking behaviour and leave the app just delivering normal non-interactive popups or notifications of new messages. In responding to Bkav's disclosures, Viber has advised users to do exactly that – disable "Unlock for popups" – while it works on fixing the issue. The company says it hopes to deliver a fixed version of the app next week.