Samsung’s Galaxy Note 2 is one fine looking tablet, and no doubt it has sold millions across the globe (and will continue to do so, at least until the Galaxy Note 3 or its successor is released), but having a great design is not all there is to a smartphone. Terence Eden has discovered a security flaw in the homescreen, allowing you to run apps as well as dial numbers even when the Galaxy Note 2 which runs on Android 4.1.2 Jelly Bean is locked.
This particular attack is super effective (in Pokemon parlance) against Pattern Lock, PIN, Password, and Face Unlock, without any known method, according to Mr. Eden, to prevent your homescreen from being accessed. Being on Santa’s naughty list this year is going to be easy as long as you follow the following steps, taken verbatim from Mr. Eden’s blog.
1. Lock the device with a "secure" pattern, PIN, or password.
2. Activate the screen.
3. Press "Emergency Call".
4. Press the "ICE" button on the bottom left.
5. Hold down the physical home key for a few seconds and then release.
6. The phone's home screen will be displayed - briefly.
7. While the home screen is displayed, click on an app or a widget.
8. The app or widget will launch.
9. If the widget is "direct dial" the phone will start ringing.
Of course, this attack is not that “destructive” when you think about it, whether it is making a phone call depending on a direct dial widget’s availability on the homescreen or to allow the attacker to check out what kind of apps that you have there, but still, a security vulnerability or risk such as this should not be there in the first place.
So far, Mr. Eden has given this method a go on the Galaxy Note 2 (N7100) which runs on Android 4.1.2 Jelly Bean (the most recent UK variant), so can anyone else out there tell us if a different Galaxy Note 2 on other firmware versions is also vulnerable?
The video that you see above will show you how the homescreen security flaw happens in a step-by-step account, and there is no way for one to photoshop this at all. Still, I am quite confident that this does not mean Samsung's Galaxy Note 2 is going to see a notable drop in sales figures anytime soon, but if you are a paranoid android about data security on your smartphone or phablet, this would most probably shake your confidence in the Galaxy Note 2, that you might just strike it off from your list of potential phablet purchases.
What Can I Do?
Well, there are some steps that you can take to avoid falling victim to this exploit short of not using a Galaxy Note 2 with Android 4.1.2 Jelly Bean, of course. First of all, quit using direct dial widgets on your homescreen, and do away with any calendar or email widgets which might display information for your eyes only from your homescreen. Other than that make sure that apps on your homescreen will not cost you money automatically, or function in a malicious manner when launched. It is also a good idea to fall back on an app locker that will prompt for a password whenever an app is launched.