Android 5.0 Lollipop security flaw

hughtrimble

hughtrimble

hughtrimble

Soldato
Joined
22 Jan 2014
Posts
3,872
Device: Nexus 4
Android Lollipop 5.0 downloaded from Google's update prompt

The new lock screen allows you to swipe down once to access the quick settings, such as Wifi, Mobile data, Aeroplane mode etc. without entering any form of password (my device is encrypted and has a pin code).

This allows anyone with physical access to turn off mobile data and WiFi connections, meaning AVG's software (Google's own Android Device Manager cannot either, despite saying 'successfully sent') cannot access your device remotely.

This makes it impossible for you to access the security features if your device goes walkies, such as location, lock, shout etc. (I've not tried the remote wipe, but I assume given it cannot access the other features, this will not work either).

I also have an app installed that means you cannot turn off the device from the lock screen (the traditional method of holding the power button) to prevent a potential thief from doing essentially what this flaw allows them to do i.e. shut off all ability to remotely connect to the device to prevent the owner from bricking it.

I'd be interested to know if anyone else has found this is the case with their device?
 
Last edited:
Also reported here it seems: https://code.google.com/p/android/issues/detail?id=79403

Lollipop merged the notification panel with the lockscreen. While the notifications themselves ask for the password when they are tried to open, the quick settings have no such option. In fact, every other setting can be toggled on a secure lockscreen. This is a serious security risk in the event of the device being stolen.
Click to expand...
 
A lot of people will see it as a convenient feature, not a security flaw.

The user should definitely have the option to disable access to quick settings on the lock screen. iOS & Windows phone have similar features.
 
KIA said:
A lot of people will see it as a convenient feature, not a security flaw.

The user should definitely have the option to disable access to quick settings on the lock screen. iOS & Windows phone have similar features.
Click to expand...

I suppose they might. The option should be there, as you say, to require the device be unlocked for certain critical actions such as that.

I also just found that the password sent by the Android Device Manager was only implemented after I restarted the phone, despite my accessing the device with mobile data on after the command had been sent but before restarting it. Write down your passwords once sent through the Android Device Manager just in case therefore!
 
I'm not happy about this at all. I'd rather have the security (my number one priority) than have the ability to save a few seconds with pointless lockscreen settings.

By the way, what app do you have that stops the phone from being turned off from the lockscreen?
 
G-MAN2004 said:
I'm not happy about this at all. I'd rather have the security (my number one priority) than have the ability to save a few seconds with pointless lockscreen settings.
Click to expand...

Agreed.

Although as was pointed out to me (I felt rather dim for not thinking of it earlier!) if they have any clue they'll just pop the sim card out to prevent any kind of remote locking/tracking/wiping etc.

Unless the command can be sent on the next sim that's inserted? I'm not clued-up on how these things actually function.
 
hughtrimble said:
Agreed.

Although as was pointed out to me (I felt rather dim for not thinking of it earlier!) if they have any clue they'll just pop the sim card out to prevent any kind of remote locking/tracking/wiping etc.

Unless the command can be sent on the next sim that's inserted? I'm not clued-up on how these things actually function.
Click to expand...

eh, wut? it's linked to your google account, not the sim card. any sim inserted (on network unlocked i guess) will cause it to wipe etc. hell, i wouldn't be surprised if it could go through any roamed wifi connection (pending you haven't disabled using wifi networks for google services even with wifi disabled).
 
twist3d0n3 said:
eh, wut? it's linked to your google account, not the sim card.
Click to expand...

But surely the removal of the SIM means the shut down/wipe/locate command cannot be received?

If they pop in a new SIM only then will you be able to send the command.

EDIT: just seen you added more in since the first quote. I wonder if the command requires a connection at the point in time you send it, or whether it'll be held back until a connection is made? I.e. would you have to wait and manually resend when they insert a new SIM or would the command essentially be 'pending' until the new SIM is inserted?
 
Last edited:
hughtrimble said:
But surely the removal of the SIM means the shut down/wipe/locate command cannot be received?

If they pop in a new SIM only then will you be able to send the command.

EDIT: just seen you added more in since the first quote. I wonder if the command requires a connection at the point in time you send it, or whether it'll be held back until a connection is made? I.e. would you have to wait and manually resend when they insert a new SIM or would the command essentially be 'pending' until the new SIM is inserted?
Click to expand...

take your sim out, then from google dashboard send a wipe command, put sim in and see ;)
 
You must log in or register to reply here.
Back
Top Bottom