The fact that this type of vulnerability exists in 2010 just blows my mind. There is an extremely simple method to bypass authentication on the Motorola Droid by simply calling the phone and hitting the back button. Yes, that's it. Doesn't matter if you've protected the phone with a security pattern, or even if you've exhausted your maximum number of attempts at guessing the right pattern. A simple phone call along with the back button will get you into the device. No password or security pattern required. The phone is pretty much wide open to anyone with physical access to the device.
Upon discovering this, I was pretty sure that SOMEONE else had to realize this was possible. Turns out several people in Android forums claim to have reported it to Google, but still no fix.
So, who is ready to start rolling Android phones into the enterprise? I didn't think so.
-Jack
3 comments:
another thought i've had but haven't had a chance to follow up on: the emergency call button does some kind of a lookup to determine if you're attempting to dial an emergency number or not. it'd be interesting to see where that information is being queried from.
A friend with Android 2.1 says he can't repro this. What version did you use?
It looks like Android 2.1 (cyanogenmod) on the Nexus One also does not suffer from this problem. Sounds like a Motorolla Droid problem. Since that phone has already been rooted, I would expect that there would be a community fix to this.
Post a Comment