It come to my attention during a personal research project that the Android Operating Systems’s security lock screen, normally secured with a password, PIN, or even biometrics on certain phones, is easily bypassed with a simple SMS message sent. The process involves using a very popular application called HANDCENT SMS, currently at version 4.5.
The exploit is easily reproducible with the following steps:
Install HANDCENT SMS from the Android Play Store
Configure “Enable popup” from the HANDCENT SMS Notification Settings
Lock the phone by letting the screen timeout or push the lock button
Send an SMS to the phone
The phone will turn on and display the message
Simply reply to the SMS
The phone is unlocked
The lock screen is disabled until the next reboot
While this vulnerability belongs in the HANDCENT SMS application, I feel that the Android Operating System should not allow an application to bypass the security mechanisms.
I tried to contact HANDCENT SMS the company twice with no success and I am now sharing this vulnerability with everyone so that proper precaution can be taken.
MMontuori
Thank God I don't use Handcent for text messaging...
Simple solution, don't use third party apps for your text messaging, lock screen, phone, etc.
Sent from my SPH-D710 using xda premium
Caveat emptor - beware Brutus' call on Ides of March
This seems to be a very common problem with all platforms. Basically, the heart of your smartphone is the ease of using it as a phone. Whether it be a system hook to placing an emergency call, SMS, incoming call, etc., your system is built around being able to respond to the phone being activated. Overlaying your system with other software only exposes those hooks and sometimes makes it easier for your system to be compromised.
And, then again there are usually always "backdoors" left open by programmers to allow themselves ease of access. . .
still an issue
I'm experiencing this issue running CM 10.1.3 (4.2.2) on my Bionic. I did not have this issue when running stock 4.1.1. Has anyone heard back from Handcent on this?
Whatsapp has this velnerability as well.
Sent from my GT-N7105 using xda app-developers app
Related
Hi, I am a grade fan of reminders.
There for I intensely use apps like "Google Keep" to remind myself to something. On my HTC Phones this works all time perfectly. Now, on my Huawei Mate 7, absolutely not. In the mean time I updated to Android 5.1.1. OTA original version (no root, nothing modified).
I also have no problem with WhatsApp or eMail notifications, just if I set an reminder to Google Keep it will not work for some reason... An other app with same kind of Problem is an app called "My Müll", which simply reminds me which garbage will be picked up next. This App also doesn't give me notifications.
Did some one have same problems? In the notification center, I ticked every field on for these apps. In app properties I allowed notifications, and I set the app to protected.
I have also the feeling, that the automatic startup of some apps is not working proper. I have tools installed to switch WiFi automatically on/off. Normally this tool starts up on Phone boot, but it works first, when I manually starts the app.
Thanks for your help!
I'm having a very, VERY difficult time getting this phone comfortably paired with my new Huawei watch. Irony of ironies, my Asus zenwatch 2 performed flawlessly for many months with the device, but since a factory reset, I can not get this to consistently stay paired with EITHER watch, leading me to believe it's an issue with the software, or the phone itself. I've got Android wear set to run with screen off, and ignoring battery optimizations, but still, many many times notifications I see received on my phone won't push to the watch, unless I open the Android wear app on my phone, at which point they forward immediately to the watch. Obviously, this is less than ideal to have to repeatedly do.
I've called Googles service number, and after very little troubleshooting they forwarded me to Huawei, who said I have to talk to the Chinese headquarters because Huawei USA doesn't service international devices. They don't have an international phone number that I've been able to find yet (Huawei USA has a wrong number listed for them.) And they haven't responded to my emails.
I've gone through many, many trial and errors trying to fix it on my own. I'd flash a custom rom if I was sure that would help, but I'm not versed in those ways, and I'd like to exhaust every other possibility before risking bricking.
I'm desperately trying to find a particular settings menu, for notification access, that emotion ui has squirrel away somewhere. I can tell it's a Huawei setting and not an android wear setting based on the aesthetics of the screen, but the only time I'm able to see this setting is when installing Android wear for the first time.
I'd like to check this setting WITHOUT having to unpair my watch and reinstall Android wear, but no amount of digging through the settings menu of emotion ui has shown me where to find it. It isn't in the notification menu, nor in permissions. Any gurus of this Android skin know where to find the notifications access settings page?
I have screenshots of the settings menu to show what I'm trying to find, but due to my post count I can't share links to them in this post, but I can pm them if that is helpful.
As an update to my situation, I discovered a slightly inelegant solution to accessing the notification access menu : I've started using an app called feel the wear to emphasize the notification vibrations, since the Huawei watch, particularly with a metal link band, is a little weak on the vibration motor. By uninstalling and reinstalling the app, it sends me to the notification access page again. The bad news, is that when my problem manifested again (after a phone restart, an event that consistently seems to be the catalyst for this) I reinstalled feel the wear, and Android wear was still enabled to have notification access.
So, to summarize, I've eliminated the following possibilities through troubleshooting that might cause the notifications to stop pushing to the watch unless I open the Android wear app on my phone (which immediately pushes the notifications to my watch.)
-notification access for Android wear
-doze settings (battery optimization is disabled for Android wear)
-Android wear has full permissions (trusted app)
-Android wear is set to auto launch, and is permitted to continue running after screen off.
Now, while I was in the notification access menu after reinstalling feel the wear, I did disable and then re-enable notification access for Android wear. This caused the watch to restart, notifications haven't delayed since that yet, but it hasn't lasted long enough for me to be comfortable that this remedies the issue.
Unpairing and repairing the watch every time this occurs isn't acceptable, is there any light to be shed on what could still be causing my problem?
Finally, if it could be any help, I'm a Tasker user, so if there is a profile I could write with a trigger when receiving a notification that might help, I have access to that utility. I tried writing one already, that, when my screen was off, would automatically open the Android wear app when receiving a notification from my three main apps that I monitor, but while the app was indeed open when I received notifications from one of those apps, it appeared that until the app was open with the screen ON, the notifications wouldn't push through, so it didn't solve my problem. Don't know if there's any action I can put in a profile that might "wake up" Android wear when I get a notification. (I hope my diligence in these Tasker pursuits illustrates the effort I've put into making this work, I adore this phone, and love Android wear, and really want them to play nicely together.)
Came across this thread while Googling for the same problem. I found a solution that while still inelegant, is better than the one you have here. I downloaded More Shortcuts. Which allows access to various settings activities that Huawei seems to hide, including Notification Access. Some of the android default stuff is there but then not functional. For example, I went to Data Usage which took me to a screen with black text on a black background, though also included a toggle and a dropdown that brings stuff up...
I tried downloading this app, but it doesn't seem to work with Nova Launcher. I'm curious to see what else I can modify
Please use the QUOTE feature when replying to me to get my attention. Thanks!
Anyone else have this issue? When receiving an SMS message, I will get the pop up notification and sound, but then the notification will disappear as if it has been dismissed. The message will still be unread in the Messaging app, but there will be no notification either on the phone or on my Android Wear device. Strange.
Same here. Anybody find a fix? Driving me crazy
There's an option in settings to check notification access.. probably you can review the applications there or check the notification settings for messages app.. Maybe an alternate messages app is overriding it
Sent from my SM-G930T using Tapatalk
I haven't found anything amiss in the notification settings.
My hangouts won't notify me like it used to (on Silent, but with LED), and I've been missing text messages/gmail as well. When I turn on the lockscreen voila! all the crap you've missed. I've flipped every setting known to man. Cleared my cache from recovery. In my frustration, it seems like the only thing left is to drop this brick out the window and get something that isn't messed up by the carrier every other firmware.
Nougat sucks for me. I had to download a samsung theme, to replace the crap they did with it. I am honestly surprised that there are so few people complaining.
Strange. I never have issues with Hangouts. It's only the Samsung Messages app that self-dismisses notifications. I've tried just using Google's Android Messages or whatever they are calling it these days and I actually like it better. Unfortunately, I frequently utilize WiFi Calling/SMS and Digits for a second line and the stock Samsung app is the only text messaging I've found app that does both. This T-Mobile integration is the same reason I switched back to Samsung from my Xperia XZ and why my next phone will probably be Samsung again unless theses features ever become usable on an unlocked phone.
Okay, slightly different problem, but weird and perplexing. Running U firmware on an AT&T A. Stock Email app on mobile data only will show a badge notification for new mail, but no notification sound or light flashing. On WIFI everything works as it should. On AT&T firmware it works fine as well either way. Hmm...
Hello,
I am disabled and unable to use the slide buttons to receive a phone call. I'm using Lenovo 7700 android marshmallow mobile phone. There are a number of apps that will allow the user to receive a call by simply putting the phone and near the year or waving in front of the phone. I'm assuming that they work by using the proximity sensor.
I installed and try to work with several different apps but none of them. Ultimately, I installed an app called easy calling. It kept on reporting that it is not getting the necessary permissions to function. So I'm wondering if there is any security permission that is needed on android marshmallow. These apps used to work for me on another phone which had android lollipop.
Actually, I have not really need an app that uses a proximity sensor. Even an app that will just allow me to tap instead of using the slide button will work. But I have not been able to find any such app.
Thank you for any inputs.
When I use facial recognition to unlock and app, after my face is recognized, before I can go into the app, I get a screen that is showing a message: "Verified. Tap confirm to continue". I am trying to get rid of that message and avoid the unnecessary extra step to press the confirm button before I can access the app. I am told by an app manufactured that it is a setting on my Samsung S22 Ultra with Android 12. But I am coming from an old Pixel phone and cannot find this setting on my new 22Ultra. Can someone direct me to the setting to turn off that extra step after facial recognition works? Thanks!
Sounds like you've installed some 3rd party app that does this. The default S22 behaviour doesn't show this message.
I can see you asked on other fourms, and they suggested things I was going to say. But it seems like some third party app is either doing this, or enforcing it.
the_scotsman said:
Sounds like you've installed some 3rd party app that does this. The default S22 behaviour doesn't show this message.
I can see you asked on other fourms, and they suggested things I was going to say. But it seems like some third party app is either doing this, or enforcing it.
Click to expand...
Click to collapse
Yes I posted on another forum but no solution there yet, just a few good suggestions that don't work. I don't have any other apps that enforce this behavior though. And I pressed support at RoboForm pretty hard about it and they insist it is not something in their app even though RoboForm is an app that it happens in. I am thinking it is when certain 3rd party apps are opened using face recognition, the Android system does not acknowledge those apps for some reason and pops up the message to do a 2nd confirmation before it will allow the apps to open. Thanks for the reply.
Have you tried unistalling Roboform to test if that fixes it?
I have found a few other apps that call up the exact same message so it is not just Roboform. I did uninstall and reinstall Roboform today for another reason and called up a health record app that does the same thing. It happened in the health app even with Roboform uninstalled.
I think we have determined that it is a system message. An app may call it up or trigger it when using face recognition but it is not generated by the app itself. If we knew what it was called then it would be easier to track it down. within Android or the Samsung settings. if it is even in the settings somewhere.
Yea, it's likely going to be a system message, that is called by certain apps in certain circumstances. But the only way you'll find it is to remove apps a few at a time until it stops appearing.
I get the same message and have looked everywhere for a setting. It doesn't exist. Pretty stupid behavior for sure.
Is there a solution? I have the same thing with Microsoft apps. So stupid..
Try: Settings, Biometrics and Security, Face Recognition, And untick: Stay on lockscreen until swipe.
For me, double tapping the screen or using the power button to wake the phone, triggers the face unlock which then quickly unlocks the phone with no other input.
Is this just one app, or all apps?