Skype App Flaw Enables Android Lockscreen Bypass

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Developer "Pulser" recently noted on the Full Disclosure mailing list that the Skype for Android app seems to contain a bug that makes it relatively easy to bypass the device's lockscreen (h/t TechNewsDaily).

The developer successfully tested the flaw with the latest version of Skype, version, on the Sony Xperia Z, Samsung Galaxy Note 2, and Huawei Premia 4G.

The exploit, according to Pulser, is extremely straightforward: simply initiate a Skype to the target device, which causes it to display a prompt on the screen. Accept the call on the target device using the green "Answer" button, then end the call from the initiating device. Once the call ends, the target device should display the lockscreen -- at that point, all you have to do is turn off the screen of the target device using the power key, then turn it on again. At that point, the lockscreen will be bypassed until the device is rebooted.

When security engineer Ryan Dewhurst noted that the flaw couldn't be reproduced on a 10-inch Galaxy Tab 2 running Android 4.1.2, Pulser responded, "It appears that it is in some way device or firmware dependent (when tested on a Sony device, it happened on the Sony ROM, but not on CyanogenMod ROM). Unfortunately I'm not sure of the criteria that make this happen, but it seems a little difficult to reproduce right now on some devices."