Any Android Lollipop device that is not running the latest build of the mobile operating system can have its lock screen bypassed by entering a long string of characters as the password. The bypass was discovered by researchers from the University of Texas this week and can be applied to any Android 5 device that does not have the latest security updates, released last week.
“A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device,” the researchers wrote on the University of Texas blog. “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen.”
The Texas researchers also included a proof-of-concept video, tested using a Nexus 4 with an Android 5.1.1 factory image.
Google has patched the flaw. In the meantime, Android Lollipop users who do not have the latest updates are advised to use either a PIN or pattern lock, since neither is vulnerable to the above exploit.
Thank you The Register for providing us with this information.