
Researcher reveals easy-as-pie Android Lollipop lockscreen bypass

Liam Tung (CSO Online) | Sept. 16, 2015
Don't misplace your Nexus phone if you haven't received Google's September patch for Android Lollipop and happen to use a password and not a pattern or code to lock the device.

Android OEMs Samsung, LG and HTC all vowed to follow Google in delivering regular monthly security updates following the widespread Stagefright bug revealed in August, though to date none have delivered a September patch.

Interestingly, as noted in Google's Android issue tracker, the Android Security team initially rated the flaw Gordon found as a low-severity bug, which didn't qualify for payment under Google's new Android security rewards program.

Gordon, however, convinced Google in July, a month after reporting the bug, that it warranted a higher severity rating.

"This is a local attack with no user interaction leading to user-level control of the device, essentially 'local unprivileged code execution' and I would think it would rank at or just below 'remote unprivileged code execution.' I hope this rating can be re-evaluated with consideration for the type of attack and extent of device and user data compromise achieved," wrote Gordon.

Google later upgraded its severity to moderate and offered Gordon a $500 reward.

Source: CSO Australia

 
