
Android is now the most popular mobile operating system in the world by some distance. One billion devices were shipped in 2014 (800 million more than second-place Apple), and it controls 82 percent of the market.

That’s great news for Google, but also means it’s disastrous when bugs and flaws are found – the problems can affect a huge percent of the planet’s population.

Unfortunately, a new Android security flaw was found earlier this week by researchers at the University of Texas.

We take a look at what it is and what you can do about it.

What’s The Problem?

A modern Android phone has three ways to secure its lockscreen: a PIN code, a pattern, or a password. The new flaw concerns users who choose a password.

The researchers explained the vulnerability in a post on the university’s website, saying “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lock-screen, causing it to crash to the home-screen”.


[Image: texas-hack]

In practice, that means a would-be hacker can gain access to your phone, contacts, private app information, cloud storage spaces, and a lot more personal data, all without needing to perform any clever back-end tricks. Even a moderately tech-savvy person who found a lost phone on the street could break their way in.

The hack works by entering a random series of characters into the phone’s “Emergency Call” dial pad, and then repeatedly pressing the camera’s “Take Photo” button. It will cause the lock-screen to fail, with the phone ultimately rebooting itself to a user’s home-screen.

Once there, a hacker would have full access to the device, regardless of whether or not the file-system is encrypted – it means they could even enable developer access to the device.

You can see the hack demonstrated in the video below:

Are You At Risk?

Luckily, the flaw is not present on every single version of Android: you’ll only be affected if you have an Android Lollipop device that’s running version 5.0 to 5.1.1.

As mentioned, the hack also only works if you’re using password protection. Those using PIN numbers or patterns are safe.

While those two criteria undoubtedly limit the number of people who are affected, a side-effect is that the flaw probably hits the most security-conscious users: those who believe that a long password is more secure than a PIN or pattern. Under normal circumstances they are correct, but this loophole proves that nothing is ever as secure as you think it is.

What Can You Do?

The most important thing is to protect your lock-screen as soon as possible.

The vulnerability has been fixed in the LMY48M Android 5.1.1 build, which Google released last week. At the moment it’s only available for the Nexus 4, 5, 6, 7, 9, and 10.

Even though it’s available, several users have reported that they have not yet received their over-the-air update. If that’s the case, you can head directly to googlesource.com and download the new build manually.

If you don’t own a Nexus or you’ve not yet received an over-the-air update, you should at least change your lock-screen login credentials to a PIN number instead.

Why Should You Choose a PIN over a Pattern?

Android lock patterns (ALPs) have been in place since 2008 and are used by lots of people, but a researcher has recently suggested they are no more safe than all-too-obvious passwords such as “password”, “12345678”, and “qwertyuiop”.

The researcher in question was Marte Løge, a 2015 graduate from the Norwegian University of Science and Technology. She discovered that a staggering 44 percent of ALPs started in the top left-hand corner and a mammoth 77 percent of them started in one of the four corners.

She also found that most ALPs contained just five “nodes”, despite users being allowed to select up to nine. This meant the possible number of combinations was reduced from 389,112 to a mere 7,152. If an ALP only contained four nodes, this dropped down even further to just 1,624.

“Humans are predictable,” she said. “We see the same aspects used when creating pattern locks as those used in PIN codes and alphanumeric passwords.”

If you insist on using ALPs, you need to make sure you keep your pattern complicated and you should avoid recreating initials of loved ones or pets. Her research claimed that by using such initials, attackers would have a one-in-ten chance of guessing the ALP within 100 guesses.
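To make the figures above concrete, here is an added example (not code from the article or the research): it enumerates every pattern Android will accept on its 3x3 grid, bucketed by node count, and flags the predictable traits the research describes. The drawing rules it encodes are the standard ones: 4 to 9 distinct nodes, and a stroke may not jump over a node that has not yet been visited.

```python
# Added example, not from the article: reproduce the ALP counts it cites and flag
# the predictable habits. Rules: 4-9 distinct nodes; no jumping an unvisited node.
from itertools import product

# Nodes 0..8 row-major (0 1 2 / 3 4 5 / 6 7 8); MIDDLE[(a, b)] is the node that
# lies exactly between a and b when one exists (e.g. 0 -> 2 crosses 1).
MIDDLE = {}
for a, b in product(range(9), repeat=2):
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        MIDDLE[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2

def is_valid(pattern):
    """True if the node sequence can actually be drawn on an Android lock screen."""
    if not 4 <= len(pattern) <= 9 or len(set(pattern)) != len(pattern):
        return False
    visited = set()
    for a, b in zip(pattern, pattern[1:]):
        visited.add(a)
        mid = MIDDLE.get((a, b))
        if mid is not None and mid not in visited:
            return False  # stroke would skip an unvisited node
    return True

def count_patterns_by_length():
    """Depth-first enumeration of every drawable pattern, bucketed by node count."""
    counts = {n: 0 for n in range(4, 10)}
    def extend(last, visited, length):
        if length >= 4:
            counts[length] += 1
        for nxt in range(9):
            mid = MIDDLE.get((last, nxt))
            if nxt in visited or (mid is not None and mid not in visited):
                continue
            visited.add(nxt)
            extend(nxt, visited, length + 1)
            visited.remove(nxt)
    for start in range(9):
        extend(start, {start}, 1)
    return counts  # {4: 1624, 5: 7152, ...}; the six lengths sum to 389112

def weaknesses(pattern):
    if not is_valid(pattern):
        return ["not a drawable pattern"]
    flags = ["starts top-left"] if pattern[0] == 0 else (
        ["starts in a corner"] if pattern[0] in {2, 6, 8} else [])
    if len(pattern) <= 5:
        flags.append("5 nodes or fewer")
    return flags
```

The per-length totals match the article: 1,624 four-node patterns, 7,152 five-node patterns, and 389,112 across all lengths, so a five-node pattern leaves an attacker less than 2 percent of the full space to search.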

Check out some of the most common ALPs in the image below; if you’re using one of them, you should change it immediately.

[Image: patterns-android]

Choose a Sensible PIN

This means the safest way to secure your Android device is by using a PIN code, but there are still some basic security guidelines you should adhere to.

For example, make sure you use a different code from the one you use for your bank card or any other logins which require a PIN. In the same way that using the same password for all your online accounts increases your vulnerability, using the same PIN multiple times reduces the system’s effectiveness with each duplication. Additionally, avoid anniversaries, birthdays, and repetitive numbers.

Microsoft are also on-board with the idea; they recently recommended that Windows 10 users should use a PIN code to log in to their machine. Their logic is that whereas a cracked password would give a hacker access to your entire Microsoft Account, a cracked PIN would only let them into that individual device.

Have You Protected Yourself?

Are you one of the vulnerable users? What steps have you taken to protect yourself?

Does this breach make you worry about the safety of Android? What other breaches are out there? Given the fragmentation of the operating system, there are surely others just waiting to be discovered.

Perhaps you’ve found some other novel or unique authorisation methods?

As ever, we’d love to hear from you. You can let us know your thoughts and opinions in the comments below.

  1. David C Cardillo
    September 18, 2015 at 5:15 pm

    Pattern lock is the 2nd most insecure "lock." It only keeps out casual snooping. All one has to do is plug it into a computer and they're in.

    (most insecure is, perhaps ironically, facial recognition. Refuse to unlock your phone for unwarranted search, and while you're handcuffed the cops hold your phone to your face. Anyone can print, say, your facebook profile photo and hold it in front of the camera and they're in. How this is even a "feature" is baffling. )
