Skype Lockscreen Bypass Bug


pulser_g2

Admin Emeritus / Senior Recognized Developer
Tested with Skype version 3.2.0.6673 (released 1st July 2013) on various
Android devices (Sony Xperia Z, Samsung Galaxy Note 2, Huawei Premia 4G).

The Skype for Android application appears to have a bug which permits the
Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed
relatively easily, if the device is logged into Skype, and the "attacker"
is able to call the "victim" on Skype.

This can be reproduced as follows with 2 Skype accounts, and 2 separate
devices to use with Skype. The target phone is presumed to have an Android
lockscreen configured and in use, and to be locked during the test.

1. Initiate a Skype call to the target device, which will cause it to
wake, ring, and display a prompt on the screen to answer or reject the call
2. Accept the call from the target device using the green answer button
on the screen
3. End the call from the initiating device (ie. the device used to call
the target phone)
4. The target device will end the call, and should display the
lockscreen.
5. Turn off the screen of the target device using the power key, and
turn it on again
6. The lockscreen will now be bypassed. It will remain bypassed until
the device is rebooted

Similar to (ironically enough):
http://arstechnica.com/security/201...een-lock-on-up-to-100-million-android-phones/.
Seems that internet based calling apps might well be "unlucky".

I suggest logging out of Skype when not using it, until there is a fix.

Thanks to Turl for originally bringing this to my attention.
 

c0rnholio

Senior Member
Greetings pulser_g2,

Thanks for posting this. I found that all these screenlock bypass vulns (including yours) won't work if an enterprise policy is enforced on the target device. I've tested with 2 different smartphones, Note 8.0 and Note 2. Both with the current stock firmware. Can you or anyone else confirm this?

Cheers,
Michael
 

egzthunder1

Admin Emeritus - Spirit of XDA
> Greetings pulser_g2,
>
> Thanks for posting this. I found that all these screenlock bypass vulns (including yours) won't work if an enterprise policy is enforced on the target device. I've tested with 2 different smartphones, Note 8.0 and Note 2. Both with the current stock firmware. Can you or anyone else confirm this?
>
> Cheers,
> Michael

Hi Michael,

Thanks for the tip. However, forcing enterprise policy onto a device that does not need it should not be a solution for a bug like this (not ranting against you, please don't take it that way). Skype was already informed about this a couple of weeks ago and nothing has been done afaik.

I received a Skype update today from the market, so I guess it might be worth checking if the bug can be repeated or if it has been fixed.
 

c0rnholio

Senior Member
Hi egzthunder1,

I don't take your post personally. My post was not made with the intent to be a bugfix. I just want someone else who also has access to provisioned devices to confirm my observation. Additionally, if my observation is correct then it should be mentioned in a security advisory that enterprise provisioned devices with an enforced password seem to not be affected by all these lockscreen bypasses. I'm just discussing here ;)
 

SamsungPisser

Senior Member
Does anybody know which wrong usage of the Android-API might be used here? I'm developing an app myself which switches the screen on and shows information without the need to unlock the device. Now I'm concerned that I might use the API wrong, too. There were also such bugs in other apps in the past month, so there must be some wrong usage type. Sadly I didn't find anything about it via googling. If you have links, please share.
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
> Does anybody know which wrong usage of the Android-API might be used here? I'm developing an app myself which switches the screen on and shows information without the need to unlock the device. Now I'm concerned that I might use the API wrong, too. There were also such bugs in other apps in the past month, so there must be some wrong usage type. Sadly I didn't find anything about it via googling. If you have links, please share.

It seems to be related to the use of the permission to disable the lockscreen.

I.e. http://stackoverflow.com/questions/12021800/disable-delay-android-lock-screen-programmatically

You want to ensure you definitely disable the option once done. I suggest you create a test plan and ensure even if everything goes wrong, the lock will still get enabled again in the end.
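
Added example (not part of the post above, and not code from Skype): one way an app that shows information over the lockscreen can follow the advice to always leave the lock enabled. The package and class names are hypothetical, and the root cause in Skype is not confirmed by this thread.

```java
package com.example.lockscreeninfo; // hypothetical package name

import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;

/** Preferred: show one window above the keyguard without ever disabling it. */
public class LockscreenInfoActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // These flags are scoped to this window only. When the window goes away the
        // keyguard is still in place, so there is no global state to restore and the
        // DISABLE_KEYGUARD permission is not needed.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SHOW_WHEN_LOCKED
                | WindowManager.LayoutParams.FLAG_TURN_SCREEN_ON);
        TextView view = new TextView(this);
        view.setText("Information shown while the device stays locked");
        setContentView(view);
    }
}

/** If the legacy KeyguardLock API must be used, pair every disable with a re-enable. */
class GuardedKeyguardLock {
    // reenableKeyguard() only undoes a disable made on the same KeyguardLock object,
    // so keep exactly one instance and never drop the reference while disabled.
    private final KeyguardManager.KeyguardLock lock;
    private boolean disabled;

    GuardedKeyguardLock(Context context) {
        KeyguardManager km =
                (KeyguardManager) context.getSystemService(Context.KEYGUARD_SERVICE);
        lock = km.newKeyguardLock("lockscreen-info"); // tag is an arbitrary label
    }

    synchronized void disable() {
        if (!disabled) { lock.disableKeyguard(); disabled = true; }
    }

    /** Call from onPause()/onDestroy() and from every "finished" or error path. */
    synchronized void restore() {
        if (disabled) { lock.reenableKeyguard(); disabled = false; }
    }
}
```

A test plan for the second class should cover each exit path (normal finish, remote side ending first, crash, screen off and on) and confirm the lockscreen still demands credentials afterwards.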
 

pulser_g2

Admin Emeritus / Senior Recognized Developer
> Hi egzthunder1,
>
> I don't take your post personally. My post was not made with the intent to be a bugfix. I just want someone else who also has access to provisioned devices to confirm my observation. Additionally, if my observation is correct then it should be mentioned in a security advisory that enterprise provisioned devices with an enforced password seem to not be affected by all these lockscreen bypasses. I'm just discussing here ;)

Hmmm that is interesting actually.

I need to see if I can replicate this by forcing provisioning manually.

I don't have an exchange server unfortunately (I use my own mail server that uses the protocol but doesn't do the complex provisioning.)

I'll have a look though as I think it supports provisioning in the configuration where it emulates Exchange. I believe this likely is a workaround for enterprise users.

This would be enough motivation actually to look at setting up proper provisioning of my devices.

Thanks for letting me know :)
 
