Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Major security flaw lets anyone bypass Samsung Galaxy S II security

That is a pretty big flaw for users that use the security feature.

If the phone was stolen, I am pretty sure the their might stumble upon that bypass.

But, many users, including those with iPhones don't use the lock screen security feature so this is often irrelevant.
 
MojoDojo said:
It looks like Samsung copied nearly everything from Apple's iPhone... except the ability to secure your phone!

http://www.bgr.com/2011/09/30/major...ypass-att-samsung-galaxy-s-ii-security-video/
Click to expand...


http://www.tuaw.com/2010/10/26/ios-4-1-security-bug-bypass-passcode-entry-and-access-phone-ph/

oh_snap+vw.gif
 
KingCrimson said:
Sounds like FUD, I won't even click that link.
Click to expand...

well read it, watch the video and honestly it is not that bad. Lets face it not many really use lock codes on their phone or pretty much tell anyone their code.

It appears to only be the AT&T model and samsung is already working on the fix. Over all this is a very very minor bug that will more than likely be fixed by say the end of October. Giving them a month because that gives them a week fix and test it internally and then AT&T being AT&T 3 weeks to bother approving it.

It is mostly fud but over all a very very minor bug that will be fixed quickly only effecting AT&T Galaxy S which leads me to believe that it is something AT&T required Samsung to add to the phone that causing this problem.
 
yg17 said:
http://www.tuaw.com/2010/10/26/ios-4-1-security-bug-bypass-passcode-entry-and-access-phone-ph/

Image
Click to expand...

If you've done the "trick" properly, you should now have full access to the iPhone's Phone app, including contacts, keypad, and calling history. What's more: tapping "Share Contact" and the camera icon will give you access to the Photos app. That's the extent of your access -- hitting the home button doesn't do anything at all -- but it's bad enough.
Click to expand...

That was also a major issue but it isn't as bad as this issue impacting samsung.
 
munkery said:

That was also a major issue but it isn't as bad as this issue impacting samsung.
Click to expand...

and goes back to fact like I pointed out that it will be patch in by the end of Oct and only effects AT&T.
Safe to say that time wise that this bug will be there a much short time span that the Apple bug.

Mix that with the OTA update and notifications it will be by far better and faster than Apple fixing its bug and getting it patched. I am willing to bet that 99% of them will be patched compared to the much slower update rate for iOS.
 
Rodimus Prime said:
Safe to say that time wise that this bug will be there a much short time span that the Apple bug.
Click to expand...

It should be fixed faster, this flaw actually provides total access to the device.

There was no significant data exposure with the iOS flaw. In reality, that iOS flaw was FUD.

This samsung flaw has some real security implications.

But, it makes no difference if users aren't using the feature. This is true of any phone.
 
Correct me if I'm wrong, but this phone isn't even available to the general public yet - making it a non-issue for now.
 
It seems it's only limited to the AT&T version. I can't get my SGS II to do it for love nor money. :eek::cool::p
 
Last edited:
ChazUK said:
It seems it's only limited to the AT&T version. I can't get my SGS II to do it for love not money. :eek::cool::p
Click to expand...
Correct as well. I tried it with my 3 Android phones, 2 of which are Samsung, and none of them do it. It appears that something AT&T did when modifying the phone for their use screwed it up.
 
r.j.s said:
Correct me if I'm wrong, but this phone isn't even available to the general public yet - making it a non-issue for now.
Click to expand...

True. It goes on sale Sunday and it will be a fast fix.

munkery said:
It should be fixed faster, this flaw actually provides total access to the device.

There was no significant data exposure with the iOS flaw. In reality, that iOS flaw was FUD.

This samsung flaw has some real security implications.

But, it makes no difference if users aren't using the feature. This is true of any phone.
Click to expand...
Well lets look at it honestly. A vast majority of people do not use pin codes on there phones at all. The Android lock screen has a much much higher usage rate than the iPhone pin code screen because it is easier to use. Now Pin code is by far more secure than the dot screen but also much more incontinent to use.

As for the bug itself I bet it can be fixed with 2-3 lines of code. I am willing to bet it is a Boolean variable that is not getting changed correctly. On start up it is correct but after it is entered once it getting changed to my guess True and then failing to get changed back to false.
Heck it could be as simple as the setter is screwed up.

Either way it is going to be a very quick fix and most of the time will be spent in getting approval form AT&T
 
Does AT&T offer any services that other carriers don't provide that would require AT&T to be able to bypass the lock?

Is there anything different about AT&T's update process or syncing than android phones from other carriers?

It could be related to not having to unlock the phone each time it is synced to the user's computer.
 
munkery said:
Does AT&T offer any services that other carriers don't provide that would require AT&T to be able to bypass the lock?

Is there anything different about AT&T's update process or syncing than android phones from other carriers?

It could be related to not having to unlock the phone each time it is synced to the user's computer.
Click to expand...
No, they simply screwed up when cooking their version of the OS for the phone. Nothing more. As others have said, it is a simple fix, and I would expect an OTA update shortly. Possibly even before Sunday's release.
 
munkery said:
Does AT&T offer any services that other carriers don't provide that would require AT&T to be able to bypass the lock?

Is there anything different about AT&T's update process or syncing than android phones from other carriers?

It could be related to not having to unlock the phone each time it is synced to the user's computer.
Click to expand...

Just AT&T rom got messed up. It could be in AT&T radio stack, or how AT&T talks back when tethering, or custom AT&T apps baked into the Rom. Very simple bug.
If you have done enough coding and testing you can easily see how this type of bug slips threw. It in an area that is not heavily tested and a simple Boolean variable got screwed up and heck it could be as simple as a bracket needs to be up or down 1 line of code. Or a line was commented out during testing and forgot to be uncommented afterwards by the dev.

I know I have done it multiple times on asignments when I was coding that a simple error like what I am talking happened all because of minor line of code and normally always happen during debugging testing tracking down one bug screwing up another part by simple forgetting. Mind you it is caught in the final run threw but generally it was on a key part of the program. Quick fix. This one is in one of those areas that just would not be caught during standard testing and was missed.

Heck I would not be surprised at all if it is not already fixed and in internal testing for a role out next week.
 
Rodimus Prime said:
The Android lock screen has a much much higher usage rate than the iPhone pin code screen because it is easier to use.
Click to expand...

Link to source for this speculation?

In reality, most users don't need lock screen security except to prevent someone from making calls from the device if stolen.

Users in environments where this type of security is required have to use character based passwords on these devices.

And, this issue doesn't affect these samsung phones that are using character based passwords.

In terms of a review of both iOS and Android security, this is already well known.

Screen Shot 2011-09-30 at 2.01.20 PM.png

http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf
 
Rodimus Prime said:
Heck I would not be surprised at all if it is not already fixed and in internal testing for a role out next week.
Click to expand...

It's still wrong that it slipped out into reviewers hands. It highlights one of the perils of letting carriers ****** with firmware, something Apple simply won't do.
 
munkery said:
Link to source for this speculation?
Click to expand...

Come one basic logic should tell you that it is true. Look at people unlocking there phones in public and make a note.
You will see people who have android phones using the dote pattern unlock code much more often than say an iPhone user using their pin unlock code.

It is simple much much easier to use.

Take a note and look around. I am willing to bet a lot more people will noticed what I stated than not.

Dote unlock code is going to have a much higher usage rate than the pin code.
 
Android has a much bigger security issue than the one presented by the OP.

This flaw affects all Android devices.

The two Android vulnerabilities, which have been reported to Google but not yet patched, shown in this video are:

- A permission escalation allowing the installation of applications with arbitrary permissions without user approval.

- A privilege escalation targeting Android’s Linux kernel that allows an unprivileged application to gain root access.
Click to expand...

http://blog.duosecurity.com/2011/09/android-vulnerabilities-and-source-barcelona/
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back