Imagine the following case. Some lock screen application is installed and configured on an Android phone. A PIN or password is set up. The app is configured to run automatically after boot.

I checked this on Android 10. After the phone reboots there is a time window when the OS is loaded but the lock screen app is not yet running. During this time the phone is unlocked and can be used normally. In this period it is possible to just remove the lock screen application and reboot without it, and the phone will be unlocked. When the lock screen app is started the screen gets locked (the time window is about 30 seconds to 1 minute). I made a 3-minute video illustrating this behavior.

Is it possible to fix this, because as far as I can see all similar apps have this vulnerability? Or is only the stock Android screen lock setting recommended as a reliable phone security lock?

I assume that this should be fixed at the OS level by means of:

  • A setting/option that allows the user to enter the system after reboot (swipe the slider on the first boot screen) only after all apps in the system have been started (when the system and all its apps are fully started).

Am I right that such a setting does not exist now? Are there any custom workarounds? Is it possible to prohibit removing an app (the lock screen app), or at least to hide its shortcut from the desktop?


Update 1. I have checked with another lock screen app ("Lock screen passcode" by "kunkun apps") on clean Android 7 on a "Nexus 5" emulator. I got the same result. A 5-minute video illustrating it is here.

Anton Samokat
  • Your description looks like a HUGE bug in Android, which very much should be reported and fixed, but... I doubt it exists. I would advise checking that in this 30 sec - 1 min window you can really do any operation (like removing anything); I very much doubt it... Even if some logs suggest that the device isn't secure, or the locking `Activity` starts some time later, that doesn't mean the device isn't secure – snachmsm Nov 02 '22 at 20:16
  • @snachmsm I made a 3-minute video illustrating this - https://www.youtube.com/watch?v=YiE-beNGRp8 - yes, it is possible to remove anything during this time window. I think this is not an Android bug because the stock lock screen does not have this problem. This seems to be a huge security hole in all such screen lock apps, whose developers had not considered Android's current architecture. – Anton Samokat Nov 02 '22 at 20:57
  • Have you checked with other OS modifications? Not MIUI, but e.g. Samsung, Huawei, maybe some "clean" mods like Pixel/Nokia/Sony? IMHO this should be reported somewhere, but I'm not sure where: the Android or the MIUI team – snachmsm Nov 03 '22 at 09:49
  • @snachmsm No, so far I have checked only on Android with MIUI. The first place to report this bug is the 'lock screen' app with which this problem was revealed. We can also try to report this bug to the Android/MIUI team, but most likely they will say something about not properly understanding Android architecture and will recommend using the stock lock screen functionality. We can also try to request a feature with some option that would allow fixing this bug. I will report when I have time. I will keep this question updated. – Anton Samokat Nov 03 '22 at 21:12
  • Please check first on different Android distributions; blindly I would blame MIUI (a particular, older version?), just based on my experience... There is a chance of some wrong implementation in one or two apps (still, this "mistake" shouldn't be possible, so it's an Android bug), but if this occurs in many of them - popular, long-living in the store and trusted - I would blame the OS – snachmsm Nov 03 '22 at 22:39
  • @snachmsm I have checked with another lock screen app ("Lock screen passcode" by "kunkun apps") on clean Android 7 on a "Nexus 5" emulator. I got the same result. A 5-minute video illustrating it is here - https://www.youtube.com/watch?v=atxGLInYgmM I did not check on Android versions 10-13 because the behavior on them must be the same, but their emulators took more resources and work slowly. – Anton Samokat Nov 05 '22 at 21:58
  • Conclusion: all similar apps have this security hole. We need to try to request a feature from the Android team to cover it. They can refuse, saying that the stock lock screen must be used instead of others. But we should try, at least to report the problem. – Anton Samokat Nov 05 '22 at 21:58
  • @snachmsm I have reported this issue to the Android support team. I will not share the link to the issue since I created it as confidential, just in case. – Anton Samokat Nov 23 '22 at 16:12

0 Answers