Android is now the most popular mobile operating system in the world by some distance. One billion devices were shipped in 2014 (800 million more than second-place Apple), and it controls 82 percent of the market.
That’s great news for Google, but it also means it’s disastrous when bugs and flaws are found – the problems can affect a huge percentage of the planet’s population.
Unfortunately, a new Android security flaw was found earlier this week by researchers at the University of Texas.
We take a look at what it is and what you can do about it.
What’s The Problem?
A modern Android phone has three ways to secure its lockscreen: a PIN code, a pattern, or a password. The new flaw concerns users who choose to use a password.
The researchers explained the vulnerability in a post on the university’s website, saying “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lock-screen, causing it to crash to the home-screen”.
In practice, that means a would-be hacker can gain access to your phone, contacts, private app information, cloud storage spaces, and a lot more personal data, all without needing to perform any clever back-end tricks. Even a normal tech-savvy person who found a lost phone on the street could break their way in.
The hack works by entering a random series of characters into the phone’s “Emergency Call” dial pad, and then repeatedly pressing the camera’s “Take Photo” button. It will cause the lock-screen to fail, with the phone ultimately rebooting itself to a user’s home-screen.
Once there, a hacker would have full access to the device, regardless of whether or not the file-system is encrypted – it means they could even enable developer access to the device.
Are You At Risk?
Luckily, the flaw is not present on every single version of Android – you’ll only be affected if you have an Android Lollipop device that’s running version 5.0 to 5.1.1.
As mentioned, the hack also only works if you’re using password protection. Those using PIN numbers or patterns are safe.
While those two criteria undoubtedly limit the number of people who are affected, a side-effect is that it probably targets the most security-conscious users – those who believe that a long password is more secure than PIN or pattern. Under normal circumstances they are correct, but this loophole proves that nothing is ever as secure as you think it is.
What Can You Do?
The most important thing is to protect your lock-screen as soon as possible.
The vulnerability has been fixed in the LMY48M Android 5.1.1 build which was released by Google last week. At the moment it’s only available for the Nexus 4, 5, 6, 7, 9, and 10.
Even though it’s available, several users have reported that they have not yet received their over-the-air update. If that’s the case, you can head directly to googlesource.com and download the new build manually.
If you don’t own a Nexus or you’ve not yet received an over-the-air update, you should at least change your lock-screen login credentials to a PIN number instead.
Why Should You Choose a PIN over a Pattern?
Android lock patterns (ALPs) have been in place since 2008 and are used by lots of people, but a researcher has recently suggested they are no safer than all-too-obvious passwords such as “password”, “12345678”, and “qwertyuiop”.
The researcher in question was Marte Løge, a 2015 graduate from the Norwegian University of Science and Technology. She discovered that a staggering 44 percent of ALPs started in the top left-hand corner and a mammoth 77 percent of them started in one of the four corners.
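To put those percentages in context, the Python below is an added example (not from the original article or from Løge's research) that enumerates every valid pattern and reports what share would start top-left or in any corner if users chose uniformly at random. It assumes the standard Android pattern rules, which the article does not spell out: 4 to 9 dots, no dot used twice, and no jumping over a dot that has not been visited yet.

```python
# Grid nodes are numbered row-major:
#   0 1 2
#   3 4 5
#   6 7 8
CORNERS = (0, 2, 6, 8)


def _midpoint(a, b):
    """Return the node lying exactly between a and b, or None if there is none."""
    ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None


def count_from(node, visited, length, min_len=4, max_len=9):
    """Count valid patterns that extend a path currently ending at `node`."""
    total = 1 if length >= min_len else 0
    if length == max_len:
        return total
    for nxt in range(9):
        if visited & (1 << nxt):
            continue  # assumed rule: a dot cannot be reused
        mid = _midpoint(node, nxt)
        if mid is not None and not visited & (1 << mid):
            continue  # assumed rule: cannot jump over an unvisited dot
        total += count_from(nxt, visited | (1 << nxt), length + 1, min_len, max_len)
    return total


def patterns_by_start(min_len=4, max_len=9):
    """Map each start node to the number of valid patterns beginning there."""
    return {s: count_from(s, 1 << s, 1, min_len, max_len) for s in range(9)}


def start_shares(counts):
    """Share of all patterns starting top-left and in any corner (uniform choice)."""
    total = sum(counts.values())
    corners = sum(counts[c] for c in CORNERS)
    return {"total": total, "top_left": counts[0] / total, "any_corner": corners / total}


if __name__ == "__main__":
    shares = start_shares(patterns_by_start())
    print(f"valid patterns:        {shares['total']}")
    print(f"uniform top-left:      {shares['top_left']:.1%}  (article reports 44%)")
    print(f"uniform any corner:    {shares['any_corner']:.1%}  (article reports 77%)")
```

The gap between the uniform shares and the reported ones is the bias an attacker's guessing order can exploit, which is why the effective strength of a pattern is far below the raw count of valid patterns.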