Android is currently the most popular mobile operating system in the world. It shipped one billion devices in 2014 (800 million more than second-place Apple), and it controls 82 percent of the market.
This is great news for Google, but it also means that when bugs and flaws are discovered, they can affect a huge percentage of the world’s population.
Unfortunately, researchers at the University of Texas discovered a new Android security flaw earlier this week.
We’ll take a look at what it is and what you can do about it.
What is the problem?
A modern Android phone has three ways to secure its lock screen: PIN, pattern or password. The new flaw concerns users who choose to use a password.
The researchers explained the vulnerability in a post on the university’s website, saying: «By manipulating a large enough string in the password field while the camera app is active, an attacker can destabilize the lock screen, causing it to crash to the home screen.»
In practice, this means that a potential hacker can get access to your phone, contacts, private app information, cloud storage, and a great deal of other personal data, all without having to perform any clever tricks. Even a normal tech-savvy person who found a lost phone on the street could break through.
The hack works by typing a random series of characters on the phone’s «Emergency Call» keypad and then repeatedly tapping the «Take Photo» button on the camera. This will crash the lock screen and the phone will eventually reboot to the user’s home screen.
Once there, the hacker will have full access to the device, whether the file system is encrypted or not, meaning they can even enable developer access to the device.
You can see the hack demonstrated in the video below:
Are you in danger?
Luckily, this flaw isn’t present on all versions of Android. It will only affect you if you have an Android Lollipop device, which covers versions 5.0 to 5.1.1.
As mentioned, the hack also only works if you use password protection. Those who use PIN codes or patterns are safe.
While these two criteria undoubtedly limit the number of people this affects, the side effect is that it is likely to affect the most security-conscious users: those who think a long password is more secure than a PIN or pattern. Under normal circumstances, they are correct, but this loophole proves that nothing is as safe as you think.
What can you do?
The most important thing is to protect your lock screen as soon as possible.
The vulnerability was fixed in the LMY48M Android 5.1.1 build that was released by Google last week. At the moment it is only available for Nexus 4, 5, 6, 7, 9 and 10.
Even though it’s available, several users have reported that they haven’t received the update over the air yet. If so, you can go straight to googlesource.com and download the new build manually.
If you don’t have a Nexus or haven’t gotten the update over the air yet, you should at a minimum change your lock screen login credentials to a PIN instead.
Why should you choose PIN over pattern?
Android Lock Patterns (ALPs) have been around since 2008 and are used by many people, but a researcher recently suggested that they are no more secure than overly obvious passwords such as «password», «12345678» and «qwertyuiop».
The researcher was Marte Løge, a graduate of the Norwegian University of Science and Technology in 2015. She found that a staggering 44 percent of ALPs started in the top left corner, and a mammoth 77 percent started in one of the four corners.
She also found that most ALPs only contain five «nodes», even though users are allowed to select up to nine. This meant that the possible number of combinations was reduced from 389,112 to 7,152. If the ALP contained only four nodes, this was further reduced to 1,624.
«People are predictable,» she said. «We see the same aspects used when creating pattern locks as are used in PIN codes and alphanumeric passwords.»
If you insist on using an ALP, you need to make sure you keep your pattern complex, and you should avoid recreating the initials of loved ones or pets. Her research showed that when using such initials, attackers have a one in ten chance of guessing the ALP within 100 guesses.
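The pattern counts quoted above (389,112 in total, 7,152 with five nodes, 1,624 with four) can be reproduced by enumerating every pattern the 3x3 grid allows. The following Python sketch is an added example, not part of the original article or Løge's research; the 0 to 8 node numbering and the function names are assumptions, and the rules encoded are the standard ones: each node is used once, and a stroke cannot jump over a node that has not been used yet.

```python
SIZE = 3  # Android's pattern grid is 3x3; nodes numbered 0..8 row by row (assumed numbering)


def midpoint(a, b):
    """Return the node exactly halfway between a and b, or None if there is none."""
    ra, ca = divmod(a, SIZE)
    rb, cb = divmod(b, SIZE)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return (ra + rb) // 2 * SIZE + (ca + cb) // 2


def count_patterns(length, start=None):
    """Count valid patterns of exactly `length` nodes, optionally fixed to one start node."""

    def extend(last, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(SIZE * SIZE):
            if visited & (1 << nxt):
                continue  # a node can be used only once
            mid = midpoint(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # cannot jump over a node that has not been used yet
            total += extend(nxt, visited | (1 << nxt), remaining - 1)
        return total

    starts = range(SIZE * SIZE) if start is None else [start]
    return sum(extend(s, 1 << s, length - 1) for s in starts)


def corner_share(length):
    """Fraction of all `length`-node patterns that begin in one of the four corners."""
    corners = (0, 2, 6, 8)
    return sum(count_patterns(length, c) for c in corners) / count_patterns(length)


if __name__ == "__main__":
    per_length = {n: count_patterns(n) for n in range(4, 10)}
    for n, count in per_length.items():
        print(f"{n} nodes: {count:>7,} patterns, {corner_share(n):.0%} start in a corner")
    print(f"total   : {sum(per_length.values()):,}")
```

Comparing the printed corner share with the 77 percent Løge observed shows how far real user choices are from a uniform draw over the available patterns.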
Check out some of the more common ALPs in the image below. If you are using one of them, you should change it immediately.
Choose a Smart PIN
This means that the most secure way to secure your Android device is to use a PIN, but there are still some basic security guidelines you should follow.
For example, make sure you are using a different code than the one you use for your bank card or any other logins that require a PIN. In the same way that using the same password for all your online accounts increases your vulnerability, using the same PIN reduces the effectiveness of the system several times over every time you duplicate it. Also, avoid anniversaries, birthdays, and duplicate numbers.