Apps on Unpatched Android 4.3 can Remove Device Locks from Android Phone – Curesec Research Team – CVE-2013-6271

Pic: from Google Play

Recently Google introduced a remote device locking feature to its Android Device Manager to unlock a stolen or lost device. This feature was exploited

Researchers from the Curesec Research Team in Germany discovered a vulnerability in Android 4.3 that allows a malicious app to remove device locks. It is tracked as CVE-2013-6271.

As per the blog, “The bug exists on the ‘com.android.settings.ChooseLockGeneric class’. This class is used to allow the user to modify the type of lock mechanism the device should have.”

It further states that “Android implements several locks, like pin, password, gesture and even face recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (e.g. if a user wants to change the pin or remove it, it has to first enter the previous pin).”

According to Curesec, it reported this bug multiple times to the Google Security team, but the team has not responded to this issue. The entire blog post is available here
