Bypass of application specific PIN

Aug 10, 2020

Bypass of application specific PIN

Platform: Mobile Clients

Versions: Android 1.9.1,

Date: 4/7/2016

Risk level: Medium

CVSS v3 Base Score: 5.9 (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

CWE: Authentication Bypass Issues (CWE-592)

Description

The ownCloud Android application does support setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the authentication information would still stay on the system.

Thus an adversary with local access could bypass the PIN functionality. One should note that physical access often implies a high risk and encrypting the device as well as setting an additional PIN code on the device is highly recommended.

Affected Software

  • ownCloud Mobile < Android 1.9.1 (CVE assignment pending)

Action Taken

The passcode will also be required by the application after removing the application data.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Christian Schuerer-Waldheim – Vulnerability discovery and disclosure.

Your secure file platform

Boost your productivity and enable collaboration within your organization. 

Install Server

The backbone of secure file sharing

Start Online

Our software as a service solution. Hosted securely in Germany.
Ready in a glimpse.

Download Mobile Apps

Bring your productivity game to the next level. Download our Android or iOS app from the app stores.