[Security Issue] Avoid activating secure lock screen with profiles!

  1. Rowman
    Honeycomb Aug 14, 2014

    Rowman , Aug 14, 2014 :
    If you manage your lock screen with profiles, it is possible to swipe down a secure lockscreen (with PIN!).

    What you need to reproduce the bug:
    • 1 Profile to enable secure lockscreen (trigger: disconnect from wifi)
    • 1 Profile to enable insecure lockscreen (trigger: connect to wifi)
    1) Connect to your wifi to enable the insecure lockscreen profile
    2) Turn your display off
    3) Disconnect from wifi (don't turn the display back on - you need to leave home or unplug the router)
    4) Turn the display back on and you will be able to swipe down the lock screen with enabled PIN

    It happened a few times that I left my home and used my phone in the city for the first time, and it was possible to swipe down the lock screen.

    Bugreport: https://jira.cyanogenmod.org/browse/BACON-631

  2. romyv
    Froyo Nov 26, 2014

    romyv , Nov 26, 2014 :
    Confirmed here as well.

    The first time you use your phone in the new profile mode, the lock screen maintains the previous profile's setting.

    E.g. first time using it away from "home" (wifi disconnect trigger), lock screen is still unlocked. No PIN/pattern asked for unlock. Profile shows the new "away" profile being active. Subsequent unlocks will have the lock screen enforced.

    Also - when returning "home" (connect to wifi trigger), lock screen still enforces pin/pattern/etc. After you unlock it once, future unlocks won't prompt for pin. Active profile does show "home".

    Seen recommendations in these forums for Tasker. While it appears to be a great tool (for many other features), it seems a bit overkill for solving just this particular problem. Does anyone know of a native solution so that lockscreen does indeed kick in properly when disconnecting from home wifi?

  3. Adapting
    Ice Cream Sandwich Nov 26, 2014

  4. fedexpress
    Gingerbread Dec 4, 2014

  5. fkrone
    Froyo Dec 4, 2014

    fkrone , Dec 4, 2014 :
    Secure lockscreen: pattern or pin unlock
    Insecure lockscreen: swipe down to unlock (no pattern or pin required)

  6. Grinning
    Cupcake May 27, 2015

    Grinning , May 27, 2015 :
    You can also swipe down twice on the lockscreen to access the profile chooser and then select an insecure profile. Lock screen. Double tap awake. Hey hey, no secure lock.

  7. JonathanWhiteman
    Cupcake Jul 9, 2015

    JonathanWhiteman , Jul 9, 2015 :
    This is true - if you have one insecure profile your phone is unlocked all the time. It will appear locked but you only have to change the profile (no PIN required) and voilà! Unlocked again. Changing from a secure to an insecure profile without requiring security verification is a design flaw. One that nobody seems to notice or care about though...

  8. Rowman
    Honeycomb Jul 9, 2015

    Rowman , Jul 9, 2015 :
    Or switch to a guest account without a PIN and change the Profile to insecure.
    Voilà, unlocked.

  9. tweazle
    Gingerbread Oct 26, 2015

    tweazle , Oct 26, 2015 :
    From the guest screen the Settings/Profiles seems to be missing. As far as I can tell this won't work.
    Still looking for a solution to the lock screen password that I never set up. Right now I am locked out and can only access the phone via the guest account.

  10. shrenil19
    Jelly Bean Oct 26, 2015

    shrenil19 , Oct 26, 2015 :
    Oh come on, it's not that big of a deal. Just reselect the correct profile and it goes back to normal. I swear, people complaining here about tiny things like this, jeez.

  11. tweazle
    Gingerbread Oct 26, 2015

    tweazle , Oct 26, 2015 :
    "Profile" is nowhere to be seen under the settings menu of the Guest account.

  12. tweazle
    Gingerbread Oct 26, 2015

    tweazle , Oct 26, 2015 :
    I am locked out of my normal account so entering a new profile is not possible. I am being asked for a password that I never created in the first place. The guest account has access but no menu to alter the profile.

  13. tweazle
    Gingerbread Oct 26, 2015

    tweazle , Oct 26, 2015 :
    I've just learned that the Profile is selectable from the power down/reboot menu. I chose the default profile, which was insecure, and voilà, back in. But not on the locked user; I had to be in Guest mode to see the profile on the boot menu.

    This left me thinking that there is still a shortfall with Android Device Recovery in that Google can't overwrite an existing screenlock. They have several methods to prove ownership of the device so they should be able to do that?
    Last edited: Oct 26, 2015