Video:

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Notes

HOWTO

1. Lock the device with a "secure" pattern, PIN, or password.
2. Activate the screen.
3. Press "Emergency Call".
4. Press the "ICE" button on the bottom left.
5. Hold down the physical home key for a few seconds and then release.
6. The phone's home screen will be displayed - briefly.
7. While the home screen is displayed, click on an app or a widget.
8. The app or widget will launch.
9. If the widget is "direct dial" the phone will start ringing.

Limited Scope

It's true, this attack is of limited value. That's one of the reasons why I've disclosed it.

Making a call relies on the phone having a direct dial widget on the home screen.

Running the apps is also of limited use - they go into the background immediately. If the app performs an action on launch (like recording from the microphone, switching on the flash, playing music, interacting with a server) that action will occur.

There is also the privacy concern that an attacker could see what apps you have installed on your homescreen - or see your calendar / emails if you use a widget which displays them.

Rapidly tapping the home button will - depending on your launcher - allow you to see what is on every home screen. Using an external video camera you should be able to clearly see all the user's calender & email widgets if they have enabled them.

Target

I've only tried this on one class of handset. Galaxy Note II N7100. Running 4.1.2 - the latest UK variant. The two devices both ran the stock launcher and lock screen. One device was rooted - the other was factory fresh.

I have not tested on any other devices.

Defending Yourself

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Your options are:

• Do not use direct dial widgets on your homescreen.
• Remove any calendar or email widgets which may show sensitive information from your homescreens.
• Ensure that any apps which you do have on your homescreens do not automatically cost you money or act maliciously when launched.
• Use an app locker to prompt for a password when apps are launched.
• Changing to a different launcher will not protect you.
• Using a 3rd party lock screen will not protect you if it accesses the emergency dialer.

Responsible Disclosure

Samsung don't have a dedicated responsible disclosure team. Nor do they offer a bug bounty. The nearest I've found is this unlisted email address.

Nico Golde

@iamnion

i don't find this anywhere publicly, but actually #samsung's mobile devision has a #security point of contact by now: m.security@samsung.com

---

I spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung. I also tried emailing Samsung directly. I know that people within Samsung have been made aware of this bug.

Despite that, five days later, and Samsung's security team have not made any contact with me to discuss this bug or its disclosure.
I wonder if this is typical of Samsung's attitude towards their customers and the industry in general? Do they believe that if they ignore problems, they will disappear?

Conclusion

Samsung have a really poor record on Android security. Avoid purchasing their phones at all costs.