Recently Google has added an application to android repository , which allows the users to lock the device from remote place (Remote Locking Device). Its a great idea ,usually its helpful while we all lost lost ph phone or phone has been theft. But Google fails while implementing this idea, which leads to a serious vulnerability that allows a rogue app can remove all existing device locks activated by a user.
This vulnerability has discovered by the CURESEC Research team. These researchers has already informed to the Google about vulnerability. Unfortunately Google not yet responds on it.
Vulnerability Description
The vulnerability described here enables any rogue (not rouge ;) ) app at any time to remove all existing device locks activated by a user. Curesec disclosed this vulnerability as Google Android Security Team was not responding any more about this issue.
The bug exists on the “com.android.settings.ChooseLockGeneric class”. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.x. If a user wants to change the pin or remove it it has to first enter the previous pin).
The bug exists on the “com.android.settings.ChooseLockGeneric class”. This class is used to allow the user to modify the type of lock mechanism the device should have. Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.x. If a user wants to change the pin or remove it it has to first enter the previous pin).
Conclusion :
Even the "remote locking device " is great idea , but while implementing the app ,Google fails to take care the exceptions . An installed malicious app can unlock easily . Even some third party firms has been given solution for it, waiting for official response and its patching(Google).
let us see, how Google is going to close this patch !
