Terence Eden has discovered a new security flaw on the Samsung Galaxy Note II running Android 4.1.2. He has shared the details of the vulnerability on his blog, explaining that the bug allows one to run apps and dial numbers on a locked device, albeit in limited circumstances. Eden adds that the vulnerability can get past security features such as Pattern Lock, PIN, Password and Face Unlock activated on a user's phone. This means that “there is no way to secure your phone against your homescreen being accessed.”
He then presents the method step by step. To demonstrate the vulnerability, Eden explains, the device is first locked using any of the security features – PIN, pattern lock or password. Once that is done, one activates the screen and presses the “Emergency Call” option, then presses the “ICE” button on the bottom left. Next, one holds down the physical home key for a few seconds and then releases it. At this point the phone's screen is displayed (briefly), and the user can click on an app or a widget. If this widget is “direct dial”, the call will go through.
Here Eden brings up a couple of important points. He says that one of the reasons he has made this discovery public is that the attack is of limited value. An unintended call will go through only if the user has a direct dial widget on the homescreen. Apps that are launched also go into the background. However, actions such as recording or playing music will still go through if apps for those are accessed.
Of course, access to your phone's homescreen would give someone an insight into the kind of apps that you have downloaded, in addition to saved Calendar entries, if any.
He also confirms that he has only tried this on the Galaxy Note II N7100 running Android 4.1.2 (the latest UK variant). Elaborating further, he states that the devices ran the stock launcher and lockscreen – one rooted and the other “factory fresh”. He states that he has not tested it on any other device.
In his post, he also advises that affected users should not use direct dial widgets on their homescreen. They should also remove calendar or email widgets that may lead to private information being leaked, and take care that no app on their homescreen can cost them money automatically. They should use an app locker that asks for a password each time an app is launched. “Changing to a different launcher will not protect you. Using a 3rd party lock screen will not protect you if it accesses the emergency dialer,” he adds.
About the issue at hand, Eden writes, “I spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung. I also tried emailing Samsung directly. I know that people within Samsung have been made aware of this bug.”