Android is now the most popular mobile operating system in the world by some distance. One billion devices were shipped in 2014 (800 million more than second-place Apple), and it controls 82 percent of the market.
That’s great news for Google, but also means it’s disastrous when bugs and flaws are found – the problems can affect a huge percent of the planet’s population.
Unfortunately, a new Android security flaw was found earlier this week by researchers at the University of Texas.
We take a look at what it is and what you can do about it.
What’s The Problem?
A modern Android phone has three ways to secure its lockscreen; a PIN code, a pattern, or a password. The new flaw concerns users who choose to use a password.
The researchers explained the vulnerability in a post on the university’s website, saying “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lock-screen, causing it to crash to the home-screen“.
In practice, that means a would-be hacker can gain access to your phone, contacts, private app information, cloud storage spaces, and a lot more personal data, all without needing to perform any clever back-end tricks. Even a normal tech-savvy person who found a lost phone on the street could break their way in.
The hack works by entering a random series of characters into the phone’s “Emergency Call” dial pad, and then repeatedly pressing the camera’s “Take Photo” button. It will cause the lock-screen to fail, with the phone ultimately rebooting itself to a user’s home-screen.
Once there, a hacker would have full access to the device, regardless of whether or not the file-system is encrypted – it means they could even enable developer access to the device.
You can see the hack demonstrated in the video below:
Are You At Risk?
Luckily, the flaw is not present on every single version of Android – you’ll only be affected if you have an Android Lollipop device that’s running version 5.0 to 5.1.1.
As mentioned, the hack also only works if you’re using password protection. Those using PIN numbers or patterns are safe.
While those two criteria undoubtedly limit the number of people who are affected, a side-effect is that it probably targets the most security-conscious users – those who believe that a long password is more secure than PIN or pattern. Under normal circumstances they are correct, but this loophole proves that nothing is ever as secure as you think it is.
What Can You Do?
The most important thing is to protect your lock-screen as soon as possible.
The vulnerability has been fixed in the LMY48M Android 5.1.1 build which was released by Google last week. At the moment it’s only available for the Nexus 4, 5, 6, 7, 9, and 10.
— Eugene Kaspersky (@e_kaspersky) September 16, 2015
Even though it’s available, several users have reported that they have not yet received their over-the-air update. If that’s the case, you can head directly to googlesource.com and download the new build manually.
If you don’t own a Nexus or you’ve not yet received an over-the-air update, you should at least change your lock-screen login credentials to a PIN number instead.
Why Should You Choose a PIN over a Pattern?
Android lock patterns (ALPs) have been in place since 2008 and are used by lots of people, but a researcher has recently suggested they are no more safe than all-too-obvious passwords such as “password”, “12345678”, and “qwertyuiop”.
The researcher in question was Marte Løge, a 2015 graduate from the Norwegian University of Science and Technology. She discovered that a staggering 44 percent of ALPs started in the top left-hand corner and a mammoth 77 percent of them started in one of the four corners.
She also found that most ALPs contained just five “nodes”, despite users being allowed to select up to nine. This meant the possible number of combinations was reduced from 389,112 to a mere 7,152. If an ALP only contained four nodes, this dropped down even further to just 1,624.
“Humans are predictable,” she said. “We see the same aspects used when creating a pattern locks as those used in PIN codes and alphanumeric passwords.”
If you insist on using ALPs, you need to make sure you keep your pattern complicated and you should avoid recreating initials of loved ones or pets. Her research claimed that by using such initials, attackers would have a one-in-ten chance of guessing the ALP within 100 guesses.
Check out some of the most common ALPs in the image below, if you’re using one of them you should change it immediately.
Choose a Sensible PIN
It means the safest way to secure your Android device is by using a PIN code, but there are still some basic security guidelines you should adhere to.
For example, make sure you use a different code to that which you use for your bank card or any other logins which require a PIN. In the same way that using the same password for all your online accounts increases your vulnerability, using the same PIN multiple times reduces the system’s effectiveness with each duplication. Additionally, avoid anniversaries, birthdays, and repetitive numbers.
Microsoft are also on-board with the idea; they recently recommended that Windows 10 users should use a PIN code to log in to their machine. Their logo is that whereas a cracked password would give a hacker access to your entire Microsoft Account, a cracked PIN would only let them entire that individual device.
Have You Protected Yourself?
Are you one of the vulnerable users? What steps have you taken to protect yourself?
Does this breach make you worry about the safety of Android? What other breaches are out there? Given the fragmentation of the operating system there are surely others just waiting to be discovered.
Perhaps you’ve found some other novel or unique authorisation methods?
As ever, we’d love to hear from you. You can let us know your thoughts and opinions in the comments below.