Android Lock Screen Bypass
So far I have tried out five Android devices here in the UK (a test device, my personal phone, and those of friends). They all lack the same feature: if you forget your PIN or pattern code, there doesn't seem to be any way to reset it, so you are effectively locked out of your device. Searching online I see that some people are able to reset it after a certain number of failed attempts by entering their Gmail credentials, but I have been unable to do so on my devices or any of the others I have tried.
We now have the fantastic web-based Android Market, and I wrote about a few minor security findings here. One of the common responses I saw to articles discussing the threat of malware distribution through it was that a remotely installed application doesn't run automatically, so the user would have to launch the malware manually. That is not actually correct, and to demonstrate it I decided to create a legitimate utility which can be deployed to a locked phone, executed remotely, and set to disable the lock screen. This yields access to a locked device so that the user can go in and back up their data.
How it works
Quite simple really. Android sends out a number of broadcast messages which an application can receive, such as "SMS received" or "WiFi disconnected". An application has to register a receiver for the broadcasts it wants, and this can be done at run time or, for some messages, statically in the manifest at install time. When a relevant message comes in it is delivered to the application, and if the application is not running it is started automatically.
After testing out various broadcast messages, the best one I found for the purpose of this utility was android.intent.action.PACKAGE_ADDED. This exists in all APIs since version 1 and is triggered when an application is installed. So to get the application to execute remotely, we first deploy it from the Android Market, then deploy any other application, which causes the first one to launch.
Once launched, it is just a matter of calling the disableKeyguard() method in KeyguardManager. This is a legitimate API that lets applications disable the screen lock when, say, an incoming phone call is detected. After finishing the call the app ought to enable the screen lock again, but we just keep it disabled.
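As an added defensive check, not code from the original post, the script below inspects an APK's AndroidManifest.xml for the two ingredients described above in combination: a manifest-registered receiver for android.intent.action.PACKAGE_ADDED (which starts the app with no user launch) and the android.permission.DISABLE_KEYGUARD permission that disableKeyguard() requires. The manifests are constructed samples and the package names are placeholders.

```python
"""Flag manifests pairing a PACKAGE_ADDED receiver with DISABLE_KEYGUARD."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS          # android:name in ElementTree form
PACKAGE_ADDED = "android.intent.action.PACKAGE_ADDED"
DISABLE_KEYGUARD = "android.permission.DISABLE_KEYGUARD"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return which of the two indicators a manifest declares, and whether both."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # Receivers in the manifest are registered at install time, so any receiver
    # whose intent-filter matches PACKAGE_ADDED can be started without the user
    # ever opening the app.
    auto_start = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR)
                   for f in receiver.findall("intent-filter")
                   for a in f.findall("action")}
        if PACKAGE_ADDED in actions:
            auto_start.append(receiver.get(NAME_ATTR))
    return {
        "package": root.get("package"),
        "disable_keyguard": DISABLE_KEYGUARD in permissions,
        "package_added_receivers": auto_start,
        "suspicious": DISABLE_KEYGUARD in permissions and bool(auto_start),
    }


# Constructed sample: the pattern the post describes (placeholder package name).
SUSPECT_MANIFEST = """<manifest xmlns:android="%s" package="com.example.placeholder">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application>
    <receiver android:name=".InstallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

# Constructed sample: a dialer-style app that uses the permission legitimately
# but registers no install-time receiver, so it is not flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.dialer">
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <application><activity android:name=".CallActivity"/></application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(m))
```

The same check can be run across a device's installed packages by pulling each APK and extracting its manifest with a tool such as aapt or apktool.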