Vulnerability in Android 4.3 allows app to remove Device locks
The mechanism allows user to override the existing device lock scheme and set password scheme for better security.
But Recently, Curesec Research Team from Germany has discovered an interesting vulnerability (CVE-2013-6271) in Android 4.3 that allows a rogue app to remove all existing device locks activated by a user.
‘The bug exists on the “com.android.settings.ChooseLockGeneric class”. This class is used to allow the user to modify the type of lock mechanism the device should have.’ CRT team says in a blog post
Android OS has several device lock mechanisms like PIN, Password, Gesture and even faces recognition to lock and unlock a device. For modification in password settings, the device asks the user for confirmation of the previous lock.
But if some malicious application is installed on the device, it could exploit the flaw to unlock the device without the knowledge of previous password. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks.
Remove Android Device Lock Update – 3:11 PM Thursday, December 5, 2013 (GMT) : Curesec Team has released a proof of concept application (CRT-Removelocks.apk) and Source code to demonstrate the vulnerability.
Source : theHackerNews , cureblog.de