Bypassing App Lock (Pattern/Passcode/Fingerprint lock | Android) (oC-SA-2020-003)

Aug 3, 2020

  • Platform: Mobile Clients
  • Versions:
  • Date: 8/3/2020
  • Risk: low
  • CVSS v3 Base Score: 3.9
  • CVSS v3 Vector: AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
  • CWE ID: CWE-312
  • CWE Name: Cleartext Storage of Sensitive Information

Description

If an attacker has physical access, creating a backup of the ownCloud Android app via adb provides access to the app preferences file.
The file contained settings related to the app lock feature, such as the pincode/pattern and whether the respective lock is active. An attacker could change the values and restore the backup to the device, which allows the attacker to circumvent the lock.

Affected

– ownCloud Android App version < 2.15

Action taken

Disallow backup of app data
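
A build-time check for the setting behind this fix, as an added example that is not part of the advisory or ownCloud's code. It assumes the fix corresponds to the Android manifest attribute android:allowBackup, which the advisory does not name, and it runs over constructed manifests with a hypothetical package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS

# Constructed sample manifests (hypothetical package name), not the ownCloud manifest.
TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lockedapp">
    <application android:label="Example"%s/>
</manifest>"""
SAMPLES = {
    "explicit-true": TEMPLATE % ' android:allowBackup="true"',
    "attribute-absent": TEMPLATE % "",
    "resource-ref": TEMPLATE % ' android:allowBackup="@bool/allow_backup"',
    "explicit-false": TEMPLATE % ' android:allowBackup="false"',
}


def backup_allowed(manifest_xml):
    """Return True unless the manifest explicitly disables backup of app data."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # android:allowBackup defaults to true when absent; a resource reference
    # cannot be resolved here, so it is reported for manual review as well.
    return app.get(ALLOW_BACKUP, "true").strip().lower() != "false"


def audit(manifests):
    """Return the sorted names of manifests that do not disable backup."""
    return sorted(name for name, xml in manifests.items() if backup_allowed(xml))


if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("backup not disabled:", name)
```

Disabling backup closes the adb path described above; the lock settings themselves are still stored in the preferences file, so a check like this belongs in CI to keep the attribute from regressing.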