New! Samsung Security Flaw - Disable Lockscreen - Total Control

I have discovered another security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing.

Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to dial any phone number and run any app!

HOWTO

  1. From the lock screen, hit the emergency call button.
  2. Dial a non-existent emergency services number - e.g. 0.
  3. Press the green dial icon.
  4. Dismiss the error message.
  5. Press the phone's back button.
  6. The app's screen will be briefly displayed.
  7. This is just about long enough to interact with the app.
  8. Using this, you can run and interact with any app / widget / settings menu.
  9. You can also use this to launch the dialler.
  10. From there, you can dial any phone number (one digit at a time) and place a phone call.
  11. With Google Play, you can search for apps using the voice interface.
  12. You can download apps from the app store which will disable the screen lock.

Impact

This does not occur on stock Android from Google. This flaw only seems to be present on Samsung's version of Android. I have only tested it on a Galaxy Note II running 4.1.2 - I believe it should work on Samsung Galaxy SIII. It may work on other devices from Samsung.

My test phone was running 4.1.2 with the Touchwiz launcher from Samsung.

Defending Against This Attack

Until Samsung release a patch, the only way this can be defended against is by completely removing the Samsung firmware and replacing it with a 3rd party ROM.
This ROM for the Galaxy S III claims to have fixed the problem.
I'm sure there will be ROMs for other Galaxy devices in due course.

UPDATE 2013-03-20T16:54:12+00:00

YouTube user "bicecream88" has alerted me to a way to partially defend against this attack.
By disabling your screen animations, it is possible to reduce the amount of time the screen is displayed.

Settings -> Developer Options -> Window animation scale -> off

Repeat for Transition animation scale and Animator duration scale.

The vulnerability is still present - but you need to be a lot quicker in order to exploit it.

Responsible Disclosure

I reported this flaw to Samsung in late February. They are working on a patch which they assure me will be released shortly.
I have delayed public disclosure of this vulnerability. I also asked if they wanted me to delay publication until a patch was ready - however they declined this offer.

If you discover a security issue with Samsung's mobile products, I strongly encourage you to email m.security AT samsung.com

They will provide their PGP public key if you wish to ensure your communications with them are secure.

Thanks

My thanks to Thang Chien of Vietnam, who first demonstrated a variant of this flaw in January.

Thanks also to David Rogers, Marc Rogers, Alec Muffett, and Glyn Wintle for their wisdom and advice around the subject of responsible disclosure. Any faults with this disclosure are mine and mine alone.

Samsung Lock Screen Security Flaw

Here's a rather nifty security flaw I discovered on Samsung's Android 4.1.2. It allows you - in limited circumstances - to run apps and dial numbers even when the device is locked.

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Notes

HOWTO

  1. Lock the device with a "secure" pattern, PIN, or password.
  2. Activate the screen.
  3. Press "Emergency Call".
  4. Press the "ICE" button on the bottom left.
  5. Hold down the physical home key for a few seconds and then release.
  6. The phone's home screen will be displayed - briefly.
  7. While the home screen is displayed, click on an app or a widget.
  8. The app or widget will launch.
  9. If the widget is "direct dial" the phone will start ringing.

Limited Scope

It's true, this attack is of limited value. That's one of the reasons why I've disclosed it.

Making a call relies on the phone having a direct dial widget on the home screen.

Running the apps is also of limited use - they go into the background immediately. If the app performs an action on launch (like recording from the microphone, switching on the flash, playing music, interacting with a server) that action will occur.

There is also the privacy concern that an attacker could see what apps you have installed on your homescreen - or see your calendar / emails if you use a widget which displays them.

Rapidly tapping the home button will - depending on your launcher - allow you to see what is on every home screen. Using an external video camera you should be able to clearly see all the user's calendar & email widgets if they have enabled them.

Target

I've only tried this on one class of handset. Galaxy Note II N7100. Running 4.1.2 - the latest UK variant.
The two devices both ran the stock launcher and lock screen.
One device was rooted - the other was factory fresh.

I have not tested on any other devices.

Defending Yourself

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Your options are:

  • Do not use direct dial widgets on your homescreen.
  • Remove any calendar or email widgets which may show sensitive information from your homescreens.
  • Ensure that any apps which you do have on your homescreens do not automatically cost you money or act maliciously when launched.
  • Use an app locker to prompt for a password when apps are launched.
  • Changing to a different launcher will not protect you.
  • Using a 3rd party lock screen will not protect you if it accesses the emergency dialer.

Responsible Disclosure

Samsung don't have a dedicated responsible disclosure team. Nor do they offer a bug bounty.
The nearest I've found is this unlisted email address.


i don't find this anywhere publicly, but actually #samsung's mobile division has a #security point of contact by now: m.security@samsung.com
@iamnion
Nico Golde

I spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung. I also tried emailing Samsung directly. I know that people within Samsung have been made aware of this bug.

Despite that, five days later, Samsung's security team have not made any contact with me to discuss this bug or its disclosure.
I wonder if this is typical of Samsung's attitude towards their customers and the industry in general? Do they believe that if they ignore problems, they will disappear?

Conclusion

Samsung have a really poor record on Android security. Avoid purchasing their phones at all costs.

Galaxy Note 2 - Copy Bug Update

Last week I blogged about a pretty severe flaw in some of Samsung's phones. If you use copy & paste too many times - the phone reboots or resets.

So, I ranted and raved on my blog and in the press. Samsung wouldn't respond to me - either through customer support or through their PR team. Nice way to treat a paying customer, guys!

There is an OTA update for the Galaxy Note II - taking it to 4.1.2. Sadly this isn't yet being pushed out via all UK carriers (including O2, who I work for).

As far as I can tell, the update does fix the bug. I've only been trying it for an hour - but it seems that copying no longer crashes the device.

There are a bunch of other minor changes which you can see in this video.

So, this is the fairly quick and simple way to upgrade your GN2.

Get The Firmware

The site SamFirmware lists just about every available firmware for Samsung devices.

According to them, this is the latest OTA for the GN2.

Caution! You have no way of knowing what that file does. It does not come from an official source. If it makes your phone explode, or fills it with state sponsored malware - that's just too bad.

I mean, would it kill Samsung to list their official firmwares on their site?

Stick the file on your phone

I used my microSD card. The file is over 1GB, so make sure you have plenty of room.

Upgrade

The easiest way to install ROMs on your phone is to use Mobile Odin. It's an Android app which takes care of all the hard work for you. Run it, point it at the update file, and off it goes. Costs less than £4 which is very reasonable.

Choose "Open File" and select the zip.

The app will ask you a few questions and then start the upgrade.

Pace up and down nervously

The whole process takes less than five minutes. But there's always a risk with something like this that it will spontaneously combust.

All being well, the phone will spring back to life with an upgraded OS and a clipboard that doesn't crash the entire phone.

I still don't understand why Samsung insist on treating their customers this way - but at least the issue is now fixed.

Micro USB-OTG for Android for less than a quid!

After posting about using the Galaxy Note II for a full day of work, someone asked me why I didn't just plug in a proper keyboard and mouse to it.

To be honest, I'd never even considered that as a possibility! In order to plug in USB peripherals to an Android device, you'll need a USB-OTG adapter (OTG stands for On The Go). One end plugs into your Android's charging port, the other end is just a regular USB port.

The total cost for a USB A 2.0 female to Micro USB B male Cable Adapter on Amazon? 70p.

Seventy pence. That includes the cost of shipping! Being the spendaholic that I am, I briskly ordered two!

I thought that these would be hideously expensive and, knowing Samsung, require some proprietary software or cabling. I was wrong!

I grabbed a USB hub, plugged in a spare keyboard and mouse, plugged them into the adapter, and shoved it into the phone. After a second to think about it, the Note popped up this screen.

Galaxy Note USB OTG Pop Up

Of course, Samsung have no concept of decent user communication. What they mean is that they've disabled SwiftKey - my default keyboard - and enabled the standard keyboard. As an aside, when you unplug the USB keyboard, the standard keyboard stays; you have to manually switch it to your preferred keyboard.

As you can see at the top, the mouse was automatically detected. A pointer icon appeared and I was able to click and scroll as much as I wanted. Right click didn't seem to work, and I couldn't find an easy way to remap the buttons of my Evoluent mouse - but at least it didn't spend ages looking for drivers like Windows does!

I found an old 256MB USB flash drive. As soon as I plugged it in, it auto mounted, and opened the default file manager. Although, in typical Samsung quality, it opened to the wrong location. A quick dive back up the filesystem, and I was able to access it without issue.
The drive was FAT32 formatted. I was able to read, create, and delete files without issue.

There is an MHL adapter - which lets you plug your Note II into an HDMI monitor. Due to Samsung's usual inability to support customers in a sensible manner there are multiple incompatible adapters floating around. They only seem to be about £15 online.

The only real downside is that there's no way to charge your phone while using the USB peripherals. I could get a powered USB hub and see if it leeches power back into the device - the same way it does on a Raspberry Pi - but I'm rather afraid of blowing something up.

All in all, I'm mightily impressed. For less than a quid I can finally do long form typing on my phone.

The next challenge - can I hook it up to my MakeyMakey?

A Day With The Galaxy Note II

Like a prize idiot, I went to work yesterday, but left my laptop at home. Prat!

So, time to put the Samsung Galaxy Note II through its paces. I've had the phone for a couple of months and been really pleased with it. But I sensed that I hadn't really used it in anger. I decided to spend the whole day trying to do my work only using the GN2. And, to make the challenge more exciting - no recharges!

Let's kick things off!

To help with my blogging, I used the official WordPress for Android app. It's pretty good, but a bit fiddly to add photos and formatting. Good if you're posting a quick update or just a single media item.

First things first, I knocked on the power saving mode. I didn't want the battery to conk out half way through the day. I attached to WiFi and made sure the radio was in GSM mode - no need for 3G. As I wasn't going to be playing videos or 3D games, I was quite happy to dial the CPU down.

I'd already killed or uninstalled the crap-ware which Samsung shovels on to their phones - so I didn't have many background processes running.

One thing I will say about the GN2 is that it is as stable as any phone I've ever used. Mine has been running solidly for over a month without being restarted. It's still just as smooth and fast as when I first turned it on.

For all the typing I do in my day-to-day work, nothing beats SwiftKey. Its predictive text is uncanny - making typing spectacularly efficient. I wish I had it for my desktop.

I often need to SSH into Linux boxes to fiddle with them. Enter ConnectBot - a rock solid SSH program. Works well over 3G and even copes with 2G. I can even set up shortcuts on my homescreen for specific servers.

Before I knew it, I'd been working for an hour and a half. Time to check the battery stats.

Ten percent gone. I didn't have the screen on constantly, but I was using it more than usual. Conservatively, that's 15 hours of battery life when using the phone fairly solidly.

The day wouldn't be complete without reading and writing too much email! The GN2's Outlook email client is really poor. It flickers horribly, scrolling is jerky, and it doesn't do server-side searching very well (which, to be fair, may be our IT setup).
That said, the landscape mode is really useful. It also has "Do Not Disturb" hours - so I don't get any work email alerts after 1700 or before 0900.

Come lunchtime and I'd been using the phone for a couple of voice calls - weird, I know! I'd spent around 45 minutes talking on the phone - it's pretty clear that has a big impact on the battery.
But, still, two-thirds of the battery left. Nice!

For getting files on and off remote machines, I used Turbo Client - FTP/SCP. Not the greatest interface in the world, but very fast at shifting files to and from my GN2.

Samsung gives every purchaser of the GN2 48GB of free DropBox space. That meant I was able to access all my work documents from The Clown.

Editing them was a bit trickier. Reading and writing Word Documents is a bit of a chore - even with Office Suite Pro 6. Luckily, I don't have to work with Excel spreadsheets. It was tolerable, but not especially pleasant.

I couldn't get on to the work Intranet (although I suppose I could have installed a VPN if I was desperate) but I was able to access some internal tools like Yammer and chat with the team on IRC.

I got to the end of the day, with all my emails answered, files edited, and phone calls made. But how did the phone do?

A full eight hour day with - as you can see - the phone in fairly constant use. With 50% battery to spare I could do another full day without a recharge!

Caveats

The day wasn't without problems - some are Samsung's problem, some are mine.

I couldn't find a decent code editor. Luckily I could get away with a day without slinging code. I tried DroidEdit which some people rave about, but I didn't get on with.

Flipping back and forth between the web and email is a bit of a pain, and I found copying and pasting to be a hit-and-miss affair. It mostly worked, but occasionally seemed to skip a character which I could have sworn I selected.

I was able to get the split-screen functionality working - but it really is of limited use.
For watching a video and reading the web it's fine.

For anything else, not so good.

Once the keyboard is open, it obliterates half the screen - so is useless in that scenario.

Chrome as a browser is excellent - it coped well with every page I threw at it. A few web pages which weren't optimised for touch were tricky to use. Those that rely on hovering a mouse over a link to reveal a menu didn't work so well.

Samsung's software is fairly crappy. I had to replace their atrocious "TouchWiz" interface with HoloLauncher which is far less cartoony.

Worse than that, the Samsung software is terribly unstable. On first boot, I was constantly plagued by their CloudAgent crashing.
In the end, I disabled 27 pieces of pre-installed rubbish which Samsung had unilaterally decided their customer would want. All of which seemed to run in the background sucking up RAM and battery life.

I also killed some default Google processes - such as their movie service and Google Plus.

The much vaunted "S-Pen" is pretty useless. It's very sensitive, which makes drawing a pain as it thinks the pen is on the screen when it's hovering a few centimetres above. Worst of all, the pen can be used to navigate on screen but doesn't work on the physical buttons below the screen. That's incredibly annoying if you're trying to navigate solely with the S-Pen and then have to switch to your fingers to pull up a menu or go back a page.

In terms of hardware, the Galaxy Note 2 is second to none. For battery life alone, it beats all other devices. The screen is gorgeous - going back to a Galaxy Nexus or, worse, an iPhone is painful. It's like surfing the web while looking through a postage stamp.

What lets down Samsung again and again is their software. TouchWiz is slow and ugly, their default services crash repeatedly, the bloatware is poorly thought through (why do I need multiple app stores with duplicate content?), and their custom user interface is replete with poorly translated English. And don't get me started on the abomination which is Kies - their half-arsed media manager which doesn't work in Linux.

Samsung - please stop trying to write software! Your hardware is excellent and complements Android perfectly.

Despite Samsung's best efforts, the Galaxy Note 2 is a superb device. The screen is big enough to type on comfortably for long periods, the battery is a real work horse, and the app ecosystem is strong enough to cope with a wide variety of tasks.