Lockscreen bypass discovered in AOSP (07/DEC/23)

Backwards876

https://www.bitdefender.com/blog/hotforsecurity/new-android-lock-screen-bypass-vulnerability-exposed/

https://securityaffairs.com/155588/hacking/android-14-13-lock-screen-bypass.html

There has been a partial lockscreen bypass discovered in android. The bypass allows an attacker to access "sensitive data stored in people’s Google accounts. The bug [...] lets attackers with physical access to a device bypass the lock screen and access personal data, including photos, browsing history, and contacts."

Will this be something grapheneos is immune to due to some hardening im unaware of? Or is this an upstream issue that will require AOSP itself to fix? I don't see any explicit way GOS counters this exploit.

From what I've read, the attack vector of this is limited to only google maps and the scope off access is only peoples data within their google accounts. Im assuming this means the issue is non existent for people without GSF or google maps.

TL,DR; Google maps on lockscreen exploit allows attacker with physical access to look at some of your google account data w/o passcode

flighty_sloth

Backwards876 From watching the video it looks like the exploit requires using google assistant too which gos doesn't have by default, even after installing google play store.

23Sha-ger

He published a video:
https://www.dailymotion.com/video/k3yQxFazN98ppizI4wA

I don't see how this could be "exploited" without Google Assistant, which then allows to open
Google Maps in the first place.
Maybe someone can try reproduce it on stock Pixel OS, I don't see how GOS can be affected.

Backwards876

23Sha-ger I think you're missing the point- I doubt nobody on graphene OS will be using google assistant... Especially since android auto has been something that was out of the question until recently. I personally have google assistant because of this lack of android auto.

So to me and I imagine many others this is a vulnerability that not a massive threat but is still there none the less. And I'd like to know if it was possible on graphene.

vcmj

Apps can voluntarily operate when the device is locked. SDK docs

Assumedly the Assistant does something like that, so if the app is displaying data it shouldn't then I don't see why it isn't possible on GOS, albeit limited to that app's abilities (like how it's mostly Google data here). The app is supposed to handle its own security in these cases.