
You might recall Apple having a hard time keeping its lock screen locked at one point, and it looks like we've got a common theme brewing here now that Android's suffering from the same drama. Turns out that Android 2.0.1 -- the build currently deployed on the Droid -- suffers from a flaw whereby you can back out to a locked phone's home screen simply by pressing the Back button after accepting an incoming call. Of course, you'd either have to know a phone's number or wait for a call to actually take advantage of this, but we'd argue that it's a pretty low barrier to entry. The bright side of the story, we suppose, is that the phone goes back to being locked as soon as the call ends, but then again it doesn't take much time to peep your juicy emails. Google's aware of the issue, so we're thinking this'll make it into the Droid's next software update; we don't have a launch window for that just yet, so in the meantime... you know, just make sure no one ever calls you and you should be good to go.
big whoop wanna fight about it?
@va jj The Android Army is insecure in more ways than one.
@(Unverified)
Ruh-roh....
@(Unverified)
Awesome thanks for the tip Engadget!
On my way to steal some unknowing persons droid right now!
Got any other news of how exactly I can screw someone over?? Please detail every step for me.
Thanks!!
I just tried this with my Droid and it works.
@airmikee
Yep! Droid does!
@airmikee
This isn't only on the DROID. This has always worked on my HTC Dream. It's probably on a lot more devices.
@airmikee
Yeah, mine too. The worst part is, if you lost your phone or it was stolen, there's a pretty good chance that you're gonna call it to find it.
@hexoDAT64
There's a likely way to get it to ring:
1) Call 911...since most lock screens allow you to do so.
2) Breathe a couple of times when they answer and then hang up.
3) Wait for them to call back, which they almost certainly will.
4) Accept the call and press the "back" button to gain access to the phone.
5) Apologize to the 911 dispatcher, tell them everything is okay, and that you/your child/your dog dialed by mistake.
6) Profit.
@airmikee
Surprising. I would think they catch this kind of a thing during beta/UI/security testing.
@airmikee This is fixed in Android 2.1. My friend still has 2.0.1 and we bypassed his lock screen; I have 2.1 (see this if you want it: http://www.droidforums.net/forum/droid-hacks/10247-how-install-2-1-easy-way.html) and it did not bypass my lock screen.
People use the lock screens? Wow.
You do realize some people actually leave their houses and go into the outside world, right?
@therockr92 I leave my house quite a lot with my phone in hand. I know where my phone is at ALL times. I protect it almost more than I protect my wallet. What's your point about going outside again?
You know, Engadget, if you didn't report this, it is most likely that no one would ever have found out, therefore not giving those evildoers a chance.
@PATRICKmcnicholl Would you rather think your information is secure when it isn't, or know about the vulnerability and take appropriate steps to secure your information?
@paddad21
Methinks your sarcasm detector is malfunctioning.
Sticking it in a car dock unlocks it as well - seems like a far easier method.
@PeterJames
I was just thinking the same, this should be fixed first!
if you're concerned with this (hello business users), take a look at Wavesecure on the Market. They have won awards thru the ADC in the past.
Basically they can do a couple of things here to mitigate this for you.
First, you can remotely lock your screen with a message to give someone who finds it, like "call xxx.xxx.xxxx", or two, remotely detonate the thing.
@MekoSuka
aaand - The Droid is the first phone to not be allowed onboard any airplanes...
@Phen
Yes, language like that would certainly have me detained, or worse --deported!
@MekoSuka
if you're concerned with this (hello business users), take a look at RIM Blackberry.
This is not the DROID you are looking for.
@Arch Angel
Is that all ya got?
Lame.
@brown like dookie
Since 6 Jan, WaveSecure users in the US will not be charged for international SMSes. You can follow us on Facebook at http://www.facebook.com/wavesecure and Twitter at http://www.twitter.com/wavesecure for the latest updates.
Thanks,
cheewee
Team WaveSecure
http://www.wavesecure.com
I see the flaw and have recreated it but even taking ones phone would not gain one access to the contents as you would lack the phone number. Having to have the physical phone and know the phone number is quite a task to find out. If someone was willing to go through that, they would probably have a better way of infiltrating your phone.
I don't lock my Droid because you have to unlock it after the screen times out, and if I am in the middle of a drawn-out text conversation, it's a hassle. Is there a way I have missed to set the lock time (such as 30 min. or an hour)?
Love my Droid, BTW.
@Vol
Settings -> Sound & Display -> Scroll to bottom for Screen timeout
@airmikee You don't want the screen on for an hour eating battery. I just want to lock the phone down after that time of inactivity. The BlackBerrys have this feature.
@Vol I seriously want this feature too. Windows Mobile phones have it. Only lock the screen after a period of inactivity - a grace period, if you will. I would LOVE it if Android added this feature.
Oh, and please give us PIN-based security as an option. Gestures are neat, but they're a pain if you've got cold, dry hands, and they tend to leave an oily reminder of your "password" on the screen in some conditions.
Ok. So, the Droid has been marketed, like the iPhone, as a consumer phone, not a business device. Like the iPhone, there may be demand for it to increase enterprise features, but that isn't the "Sweet spot" they were aiming for.
But I've confirmed that this works - and it is a concern. I'm not sure if I would have liked to have known, or had it kept a little more secret than an Engadget article. One thing is for sure: before this article hit, I had a lot more "security through obscurity" on my Droid than I do now. Gonna give it "6 of 1, half a dozen of the other" on whether this article helps or hurts.
Finally, @Phen - what is this about Droid not being allowed onboard ANY airplanes? Can you include a link? I did a Google search and came up empty.
@PiddlyD Nevermind, Phen. Figured it out in the context of your original post.
@PiddlyD
Hey did you see that someone wrote gullible on the ceiling?
@vainmicah haha
@vainmicah LOL... I have my moments. :)
This has been a problem for Motorola for a while. I have an old RAZR v3 where the screen lock (when you power-on the phone) works roughly 75% of the time. Of that 75%, about 50% of the time you can bypass it completely by flipping the phone closed right after power-on or hitting "END" or "Back".
@natefrog
This is, as others have said, a problem with Android, not Motorola since other, non-Motorola, phones have the same problem.
@Steve B
And all I'm pointing out is that Motorola isn't a stranger to these sorts of things.
I hate when people lock their phones. I've found iPhones and such before, and it's really frustrating when the phone is locked and you can't dig through their contacts/facebook to try and contact the person.
I'll never have mine locked, because I have nothing "private" on it, and if someone finds my phone perhaps they'll call my parents and actually return it.
@Bush2012 For Android, at least, there's an app (Contact Owner) that will allow you to put contact and ICE information on the lock screen. I assume there are similar apps for other smartphones.
@mschiffe ICE? I didn't know that Android is used by Immigrations and Customs Enforcement!
@HurricaneDC Nah-- it just burns out the brain of anyone who tries to break into the phone.
http://en.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics
While I realize that some of your more recent emails are stored on the phone, you can't load anything past about 10-15 conversations. This is due to the fact that you cannot use data AND make a phone call at the same time on Verizon's network. So, maybe that kinda works out for the better in the end? Nah, not really.
PS: Proud owner of the Droid. And how did it take this long for people to figure this out? I've been pushing the home button on my Droid during phone calls since I got it. So this isn't really a huge find. Especially because I think it's in the manual.
Hrm... my phone never leaves my side. I only lost my last BlackBerry once, and that's 'cause it fell out the car door while getting in. Not really an issue for me. Also, I'm not Tiger Woods and cheating on my lady, so I don't need to worry about people peeping at my conversations.
@Anticrawl you also evidently don't work for something that requires a secret (or higher) clearance. Those kinds of folks tend to get some pretty sensitive info on their devices.
@Anticrawl
I work at a biomedical research center, so yes, I do handle sensitive data, but only certain bits come to my phone and it certainly isn't coming via insecure email/SMS, lol. Silly point to make, my friend. We have our own software for Android/BlackBerry/WinMo developed in house.
@HurricaneDC
Plus, as I said, I keep my phone by me at all times; if you are in a position that requires you to keep a few secrets, you shouldn't be the type who misplaces things easily.
Dear Google,
Please add a paid app store in Canada.
Thanks,
Guy who has a (mostly) useless phone...
@inevercheckthis
Mostly useless? I've downloaded 77 apps since I got my Android phone a little over a month ago and only *one* of them was a paid app. There is a free app for just about anything you can imagine.
I understand it's frustrating to be locked out of the paid app store but get real.
"you know, just make sure no one ever calls you and you should be good to go."
Check! I'm safe. :D
...
:(