Android: App lock easily bypassed

GitMate.io thinks possibly related issues are https://github.com/nextcloud/android/issues/2430 (Fingerprint lock can be easily bypassed), https://github.com/nextcloud/android/issues/2155 (App access.), https://github.com/nextcloud/android/issues/3754 (App locking timeout/grace period), https://github.com/nextcloud/android/issues/2529 (App crash), and https://github.com/nextcloud/android/issues/2921 (Pin code bypassed).

Same issue as above however can reproduce much more simply and consistently.

Steps to reproduce

With pin/fingerprint enabled

Open app
Immediate close app when asked for authentication
Reopen app
Access to files

Environment data
Android version: 9
Device model: Pixel
Stock or customized system: Stock
Nextcloud app version: 3.5.0
Nextcloud server version: 14.0.8

Correct me if I'm wrong, but this only happens if you quickly re-open the Nextcloud app, correct? If you wait 20 seconds before reopening the app, the lock should show up. There is a grace period there of a few seconds so that the app doesnt prompt you for a pin if you're just quickly switching back and forth. I believe that's whats tricking you here but if not then please let us know.

Negative. This works for me without ever actually authenticating. I can close all open apps. Restart my phone. Open the app where it'll prompt me for authentication, quickly close the app and reopen it and I'll bypass any authentication. All without ever authenticating.

ardevd, I'm aware of the 20 second timeout, but that's not what is happening. The Nextcloud app is in locked status. And without unlocking the app (by entering my fingerprint/phone lock/pin/etc), do the bypass as shown in video, then it will be unlocked on its own.

I have noticed that you have to exit the app and restart it fairly quickly for the bypass to work... maybe all within a second or so. But without fail, even after restart, if you exit the app and restart it quick enough the authentication screen is bypassed.

Thanks for the feedback. I can also reproduce it now albeit not reliably. It usually prompts for credentials but not always. I'll look into this asap.

For the record, the current lock timeout is 5 seconds.

private static final int PASS_CODE_TIMEOUT = 5000;

Can you confirm that this issue only happens when you kill the app first?

Yea, won't work if you simply minimize it. Have to swipe the app closed and re-open it in like half a second.

I think I've found the bug. I'll update you on my findings. Thanks again for reporting the issue.

Don't need to kill the app. Just tried it right now, pressed back/launch/back/launch, it's unlocked. I showed killing the app in the video just in case, to show it fully running from scratch.

@nxtiak thats because when you're hitting the back button when the activity stack only contains one entry you kill the app :)

At any rate, I've found the bug and now I just need to figure out how to fix it.

@stucamp @nxtiak Ive created a pull request with a proposed fix. Can you guys give it a try and see if you can bypass the lock screen? It seems to work for me.

Can't on my actual pixel (as it's my actual phone!), but have emulated the phone and could replicate with Google Play version... Cloned the repo, made your proposed changes, and ran in emulated Google Pixel with Android 9 and was no longer able to replicate the bypass.

@stucamp thanks for testing.

The app lock is pretty basic to be honest. Ideally your locally synced files and the remote API token would be encrypted and only decrypted when authenticating with PIN and the PIN being part of the encryption key.

However, the current implementation does nothing to that effect. As a simple measure to prevent nosy buddies to browse your files when they borrow your phone for a sec I suppose it should do the trick once that PR is merged.

Just to be sure... then uninstalled the modified version... reinstalled the Google Play version and was again able to bypass... looks like it's working as intended to me!

The app lock is pretty basic to be honest. Ideally your locally synced files and the remote API token would be encrypted and only decrypted when authenticating with PIN and the PIN being part of the encryption key.

The scope of app protection is not to protect the downloaded files as they can accessed directly via file system, but to prevent other people to mess with data on server (delete, move, add comments, share files, …)

But of course you are right, it should be not get bypassed.
I have a look at your fix @ardevd now.

Has this fix been published to the Play Store yet?
My Nextcloud app just updated, now version 3.6.0. I'm still able to bypass authentication.

My PR has not been accepted yet so no. Still pending

This request did not receive an update in the last 4 weeks. Please take a look again and update the issue with new details, otherwise the issue will be automatically closed in 2 weeks. Thank you!

bump.

You can test the new pass procetion on beta program or tomorrow with final 3.6.1.

Just downloaded 3.6.1 looks like it's fixed, thank you. Closing this now.