A new bug in the Android mobile OS version 4.3 (a.k.a. “Jellybean”) opens the door for app-based security lock bypass, a security team has found.
According to Germany-based Curesec, the vulnerability essentially enables any rogue app at any time to remove all existing device locks activated by a user. Android devices can implement several locks, like PIN, password, gesture and even facial recognition to lock and unlock a device. Before a user can change these settings, the device asks the user for confirmation of the previous lock (i.e., if a user wants to change the PIN or remove it, he or she must enter the existing code).
But the bug, which exists on the “com.android.settings.ChooseLockGeneric” class, allows the user to modify the type of lock mechanism the device should have, Curesec noted in a
forensic analysis.