Developer "Pulser" recently noted on the Full Disclosure mailing list that the Skype for Android app seems to contain a bug that makes it relatively easy to bypass the device's lockscreen (h/t TechNewsDaily).
The developer successfully tested the flaw with the latest version of Skype, version 220.127.116.1173, on the Sony Xperia Z, Samsung Galaxy Note 2, and Huawei Premia 4G.
The exploit, according to Pulser, is extremely straightforward: simply initiate a Skype call to the target device, which causes it to display a prompt on the screen. Accept the call on the target device using the green "Answer" button, then end the call from the initiating device. Once the call ends, the target device should display the lockscreen -- at that point, all you have to do is turn off the screen of the target device using the power key, then turn it on again. The lockscreen will then be bypassed until the device is rebooted.
When security engineer Ryan Dewhurst noted that the flaw couldn't be reproduced on a 10-inch Galaxy Tab 2 running Android 4.1.2, Pulser responded, "It appears that it is in some way device or firmware dependent (when tested on a Sony device, it happened on the Sony ROM, but not on CyanogenMod ROM). Unfortunately I'm not sure of the criteria that make this happen, but it seems a little difficult to reproduce right now on some devices."