XDA Developers Android and Mobile Development Forum

Skype Lockscreen Bypass Bug

pulser_g2
#1

Tested with Skype version 3.2.0.6673 (released 1st July 2013) on various
Android devices (Sony Xperia Z, Samsung Galaxy Note 2, Huawei Premia 4G

The Skype for Android application appears to have a bug which permits the
Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed
relatively easily, if the device is logged into Skype, and the "attacker"
is able to call the "victim" on Skype.

This can be reproduced as follows with 2 Skype accounts, and 2 separate
devices to use with Skype. The target phone is presumed to have an Android
lockscreen configured and in use, and to be locked during the test.

1. Initiate a Skype call to the target device, which will cause it to
wake, ring, and display a prompt on the screen to answer or reject the call
2. Accept the call from the target device using the green answer button
on the screen
3. End the call from the initiating device (ie. the device used to call
the target phone)
4. The target device will end the call, and should display the
lockscreen.
5. Turn off the screen of the target device using the power key, and
turn it on again
6. The lockscreen will now be bypassed. It will remain bypassed until
the device is rebooted

Similar to (ironically enough):
http://arstechnica.com/security/2013...ndroid-phones/.
Seems that internet based calling apps might well be "unlucky".

I suggest logging out of Skype when not using it, until there is a fix.

Thanks to Turl for originally bringing this to my attention.


Having trouble getting an answer? | What is XDA about? | How to ask for help?

if [ $PM.incoming.type = $type.question.ROM.how_to_use ] || [ $PM.incoming.type = $type.question.ROM.silly_question ]; then mv $PM.incoming /.trash; PM.response($responsetype.ignore); $PM.sender.ignore_in_future=true; init.sequence($boy_who_cried_wolf); fi;

BTC: 1K2fpDsRHkirWmk3PKiqtzhVHKUJCWPWnN
PGP: 0x260F4FDEF258E3C4
 
c0rnholio
#2
Greetings pulser_g2,

Thanks for posting this. I found that all these screenlock bypass vulns (including yours) won't work if an enterprise policy is enforced on the target device. I've tested with 2 different smartphones, Note 8.0 and Note 2. Both with the current stock firmware. Can you or anyone else confirm this?

Cheers,
Michael
Current devices: N7100, N5100
Development devices: P1000, Xoom, Magic
 
egzthunder1
#3
Quote:
Originally Posted by c0rnholio
Greetings pulser_g2,

Thanks for posting this. I found that all these screenlock bypass vulns (including yours) won't work if an enterprise policy is enforced on the target device. I've tested with 2 different smartphones, Note 8.0 and Note 2. Both with the current stock firmware. Can you or anyone else confirm this?

Cheers,
Michael

Hi Michael,

Thanks for the tip. However, forcing enterprise policy onto a device that does not need it should not be a solution for a bug like this (not ranting against you, please don't take it that way). Skype was already informed about this a couple of weeks ago and nothing has been done afaik.

I received a Skype update today from the market, so I guess it might be worth checking if the bug can be repeated or if it has been fixed.

"As I walk through the Valley of the Shadow of Death, I fear no evil for I am the God of Death... and this is my valley"



 
c0rnholio
#4
Hi egzthunder1,

I don't take your post personally. My post was not made with the intent to be a bugfix. I just want someone else who also has access to provisioned devices to confirm my observation. Additionally if my observation is correct then it should be mentioned in a security advisory that enterprise provisioned devices with an enforced password seem to not be affected by all these lockscreen bypasses. I'm just discussing here.
 
SamsungPisser
#5
Does anybody know which wrong usage of the Android-API might be used here? I'm developing an app myself which switches the screen on and shows information without the need to unlock the device. Now I'm concerned that I might use the API wrong, too. There were also such bugs in other apps in the past month, so there must be some wrong usage type. Sadly I didn't find anything about it via googling. If you have links, please share.
 
pulser_g2
#6
Quote:
Originally Posted by SamsungPisser
Does anybody know which wrong usage of the Android-API might be used here? I'm developing an app myself which switches the screen on and shows information without the need to unlock the device. Now I'm concerned that I might use the API wrong, too. There were also such bugs in other apps in the past month, so there must be some wrong usage type. Sadly I didn't find anything about it via googling. If you have links, please share.

It seems to be related to the use of the permission to disable the lockscreen.

I.e. http://stackoverflow.com/questions/1...ogrammatically

You want to ensure you definitely disable the option once done. I suggest you create a test plan and ensure even if everything goes wrong, the lock will still get enabled again in the end.


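
The pairing rule suggested in post #6, as an added example (not Skype's code and not posted by anyone in this thread; the thread does not confirm the actual root cause). Class names are hypothetical. The first activity assumes the legacy `KeyguardManager.KeyguardLock` API behind the `DISABLE_KEYGUARD` permission and restores the keyguard on every exit path; the second uses the window flags that Android's documentation gives as the replacement for that deprecated class.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.os.Bundle;
import android.view.WindowManager;

// Hypothetical class names; each Activity also needs a manifest entry.
public final class KeyguardExamples {
    // Legacy path: needs android.permission.DISABLE_KEYGUARD.
    public static class PairedKeyguardActivity extends Activity {
        private KeyguardManager.KeyguardLock lock;
        private boolean disabled;

        @Override
        protected void onResume() {
            super.onResume();
            KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
            lock = km.newKeyguardLock("PairedKeyguardActivity");
            lock.disableKeyguard(); // keyguard stays hidden until re-enabled
            disabled = true;
        }

        // Single restore routine, safe to call more than once.
        private void restoreKeyguard() {
            if (disabled && lock != null) {
                lock.reenableKeyguard();
                disabled = false;
            }
        }

        @Override
        protected void onPause() { // screen off, call ended, app backgrounded
            restoreKeyguard();
            super.onPause();
        }
        @Override
        protected void onDestroy() { // no-op if onPause already restored it
            restoreKeyguard();
            super.onDestroy();
        }
    }

    // Window-scoped flags: no permission, nothing global to undo afterwards.
    public static class ShowOverLockscreenActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            getWindow().addFlags(WindowManager.LayoutParams.FLAG_SHOW_WHEN_LOCKED
                    | WindowManager.LayoutParams.FLAG_TURN_SCREEN_ON);
        }
    }
}
```

A test plan for the first activity should walk the six reproduction steps from post #1 against it and confirm the lockscreen is enforced again after step 5.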
 
pulser_g2
#7
Quote:
Originally Posted by c0rnholio
Hi egzthunder1,

I don't take your post personally. My post was not made with the intent to be a bugfix. I just want someone else who also has access to provisioned devices to confirm my observation. Additionally if my observation is correct then it should be mentioned in a security advisory that enterprise provisioned devices with an enforced password seem to not be affected by all these lockscreen bypasses. I'm just discussing here.

Hmmm that is interesting actually.

I need to see if I can replicate this by forcing provisioning manually.

I don't have an Exchange server unfortunately (I use my own mail server that uses the protocol but doesn't do the complex provisioning).

I'll have a look though as I think it supports provisioning in the configuration where it emulates Exchange. I believe this likely is a workaround for enterprise users.

This would be enough motivation actually to look at setting up proper provisioning of my devices.

Thanks for letting me know.


