funsec mailing list archives

Access vulnerability on Android tablet


From: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rmslade () shaw ca>
Date: Tue, 3 Dec 2013 12:50:01 -0800

I made my first ever "Black Friday" purchase last week.  Staples (for those outside 
North America, this is a "big box" office supplies store with a large computer and 
tech section) had a door-crasher special of a Digital2 brand 7" tablet, running 
Android 4.1, marked down from $250 to $70.  We had to go past a Staples on an 
errand, so I stopped in and got it.

I don't quite regret getting it: particularly at that price it is probably worth it.  I may 
do a review of its shortcomings at some point.  (Low memory, poor storage 
management, slow performance, limited battery, incompatible with some apps, 
poor file management options, many functions irregular.)  However, I came across 
something this morning that indicates a weakness.

One of the oddities is that there is no indication of charging or battery unless the 
tablet is on.  So, while charging, I had the tablet on to check the battery level.  
The indicator icons are on the lower right of the screen on this model, and, in 
order to get more details on the charge, I touched that area.  But I had forgotten 
to unlock the device.

https://twitter.com/rslade/status/407966375596929024/photo/1/large

Lo and behold, it brought up the quick indicator list anyway, and, along with it, the 
notifications.  Prodding at this, I found that I couldn't get into the settings menu 
proper, but I could access any of the notification messages.  And, once into any of 
those apps I had full access.

(This sounds similar to a number of lock-screen vulnerabilities that I've heard of 
on various Android and iOS versions and devices, but it seemed to be simpler and 
more direct than most.)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
My son is not brilliant; he's not genius. Anyone that has any
computer knowledge could have done what Jeff did. It doesn't take
a level of genius to do this.
  - mother of teen charged with modifying a virus - got *that* right
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

