Skype Android Lockscreen Bypass

2013-07-02T00:00:00
ID PACKETSTORM:122254
Type packetstorm
Reporter Pulser on XDA
Modified 2013-07-02T00:00:00

Description

                                        
                                            `Tested with Skype version 3.2.0.6673 (released 1st July 2013) on various  
Android devices (Sony Xperia Z, Samsung Galaxy Note 2, Huawei Premia 4G  
  
The Skype for Android application appears to have a bug which permits the  
Android inbuilt lockscreen (ie. pattern, PIN, password) to be bypassed  
relatively easily, if the device is logged into Skype, and the "attacker"  
is able to call the "victim" on Skype.  
  
This can be reproduced as follows with 2 Skype accounts, and 2 separate  
devices to use with Skype. The target phone is presumed to have an Android  
lockscreen configured and in use, and to be locked during the test.  
  
1. Initiate a Skype call to the target device, which will cause it to  
wake, ring, and display a prompt on the screen to answer or reject the call  
2. Accept the call from the target device using the green answer button  
on the screen  
3. End the call from the initiating device (ie. the device used to call  
the target phone)  
4. The target device will end the call, and should display the  
lockscreen.  
5. Turn off the screen of the target device using the power key, and  
turn it on again  
6. The lockscreen will now be bypassed. It will remain bypassed until  
the device is rebooted  
  
Similar to (ironically enough):  
http://arstechnica.com/security/2013/04/crital-app-flaw-bypasses-screen-lock-on-up-to-100-million-android-phones/.  
Seems that internet based calling apps might well be "unlucky".  
  
Thanks to Emilio López for originally bringing this to my attention  
`