Prepare
- Enable “Device credentials” lock via the settings. (I’m using fingerprint in my case)
- Test if this works by closing the app and opening it again.
- If this works, close the app again; do a force close to make sure the application is closed.
The next steps need to be done quickly right after each other.
- Make sure you are able to quickly start the Nextcloud app; I put mine on the home screen.
- Now quickly open the app and press backspace, then open the app and press backspace again; do this a few times right after each other until you see a flash of the folder list.
- After you have seen this folder tree flash, you can start the application without any credentials.
Note: This only happens when doing this fast; otherwise it won’t work.
I added an adb logcat output of the Nextcloud process I started during my test.
Impact
The impact is that someone without the correct credentials but with an unlocked phone is still able to log in to the Nextcloud app and see all the files of the user.