Protect Yourself Against the Android Lock Screen Flaw

On the heels of Android's Stagefright flaw, for which Google issued a patch that may leave some devices vulnerable, researchers at the University of Texas have discovered another Android security flaw, this time with the lock screen. This so-called lock screen flaw gives hackers a way to access your locked phone without knowing your password.

For a hacker to gain access to your data in this way, three conditions must hold: they must have physical access to your device, your device must run the Lollipop OS, and you must use a password to unlock your screen. Here's how a hacker could breach your smartphone and how you can protect yourself while you wait for Google or your carrier to issue the security patch to your device.

The information below should apply no matter who made your Android phone: Samsung, Google, Huawei, Xiaomi, etc.

How the Hack Works

The big difference between this flaw and Stagefright is that would-be hackers must have your phone on hand. The Stagefright breach occurs via a corrupted multimedia message that you don’t even have to open. (See our guide to protecting your device from Stagefright.)

Once a hacker gets their hands on your smartphone, they can attempt to bypass your lock screen by opening the camera app and then typing in a too-long password. In some cases, this will cause the lock screen to crash and then display your home screen. Thus, the hacker can access all of your apps and private information. The good news? Google reports that it hasn't detected the usage of this exploit yet, but that doesn't mean you shouldn't protect yourself.

How to Protect Your Device

If your smartphone runs Lollipop and you use a password to unlock your phone, you could be vulnerable if your phone gets out of your hands. Google is already rolling out a fix for Nexus users since it can send updates directly to these devices. However, everyone else will have to wait for their manufacturer or carrier to prepare and send out their updates, which could take weeks.

So what can you do in the meantime? First, keep an eye on your device. Be sure you always have it in your possession or locked somewhere safe. You should also change the unlock method on your smartphone to either a PIN or an unlock pattern, neither of which is vulnerable to this security flaw. It's also worth enabling the Android Device Manager, which can track the location of your phone and lets you lock it, erase data, or make it ring if you think you left it nearby. Additionally, HTC, Motorola, and Samsung each offer tracking services, and there are also some third-party apps available.

If you're tired of waiting weeks and weeks to receive critical OS and security updates, consider rooting your phone. When you root your phone, you get more control over it, and you can download updates without waiting for your carrier or manufacturer; for instance, the second Stagefright security patch from Google (which I still haven't received) and the lock screen fix. Be sure to look at the pros and cons of rooting first.

Security Updates

Speaking of security updates, Google is now pushing monthly security updates to Nexus and Pixel users and sharing those updates with its partners. So if you have a non-Google phone from LG, Samsung or another manufacturer, you should be able to receive these updates from them or from your wireless carrier. Once you get a security update, download it as soon as possible. It's easiest to let it update overnight or when you're not going to use it for a long period of time. Be sure it's plugged in too.

Mobile security is just as important as desktop security, so make sure you're following our Android security tips, and your device should be safe from would-be hackers.