Able to circumvent new authentication (Android 2.2.1)

There is a bug in version 2.2.1 (20201) of the Curve app which has some security concerns.

If you have fingerprint auth on (I have not tested this with it off, as I use it on, and have accidentally found this!) you are presented with the screen to enter your fingerprint.

I have a Xiaomi Mi A1 (Android P) which has physical buttons (running apps, home, back). If you hit the apps button (to view all open apps) while at this screen and then hit it again, it will ignore the authentication and simply log you in.

I have not tested this with software buttons.

6 Likes

I have just tested this, the same bug is there when using software buttons.

Well spotted @stevenhp1987 - if I launch Curve then click app switcher then back on Curve I’m in without using fingerprint.

@Curve_Ivo
@diego_curve

1 Like

This also works to bypass the PIN as well as fingerprint

2 Likes

Yep … It is the same here on an Xperia XZ …
Also, I’ve noticed that when I close the app and open it again (within a certain amount of time) the app will enter without the need to insert the fingerprint …

Thank you to you all for bringing this to our attention. I have raised this with our Android team today and I will follow up with any feedback/information as soon as I can.

3 Likes

@stevenhp1987 if you close the app and leave it for a longer period of time before reopening, are you prompted to sign in using your fingerprint?

Hi all,

I have spoken with our team and understand the issue to be as follows:

When you use your fingerprint/passcode to access the app this triggers a 5-minute session that allows you to access the app without needing to use your fingerprint/enter the passcode, when it is running in the background.

If the app is hard closed & reopened you should be prompted to enter PIN or fingerprint authorisation.

1 Like

If I access the app in this manner (circumventing login) it will not ask for login if I force close the app and run it again.

It will ask after a few hours though (and again, is circumvent-able).

3 Likes

Same security loophole also on my android, works perfectly every time.
No fingerprint / pin ever needed with switching apps

1 Like

Not quite right, @Curve_Ivo. Yes you get re-prompted however as has been posted if you then tap the ‘recent apps’ button, and click on Curve again it totally bypasses the login. Just tried it just now, first time accessing Curve today and into it fine without scanning fingerprint.

2 Likes

Thanks @ediflyer - I think I misunderstood the steps being taken here. I will flag this to our QA and Android team respectively.

2 Likes

This is a major security flaw that was posted publicly six days ago…

Really should be a priority to fix this.

Our team have identified the issue and are working on it as we speak. A fix will be deployed when the required work has been completed.

2 Likes

Well, not such a major risk because it’s a new feature and before, it was possible to access it without any authentication.

2 Likes

You’re confusing feature set with security. By providing the security feature, there’s a risk - even an assumption - that people will rely on it, when they previously didn’t.

Once there is a breach, you potentially have a worse situation than if you never had the feature.

That is a feature but to align the apps, this will change with the next release.

We were aware of the bug before release but went ahead as this if anything has improved security. As @Lucas has pointed out previously there hadn’t been any access control to the Android app.

The fix is planned for our current sprint and should be released with v2.2.3. I’ll keep you updated on the progress.

@stevenhp1987 That’s right, the Android app currently does not ask for a new authentication within 5 minutes of opening the app previously.

As I have explained in my other post, we are aware of the issue and working on the fix. 🙂

Thank you for keeping us on our toes and raising the issue. Please keep doing that 👏 it is highly appreciated. 🎖️

1 Like

I’m still surprised by the decision to release this.

Customers relying on the access control right now are at increased risk from anyone who knows about the bug.

You can’t simply say that any access control is better than none, even if buggy!

1 Like
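The thread never states the root cause, so the following is an added, platform-neutral model of a lock gate that keeps the 5-minute session described above while staying locked through the app-switcher round trip; it is not Curve's code. The class, method and event names are hypothetical, and measuring the session from the last successful authentication is an assumption.

```python
import time

GRACE_SECONDS = 5 * 60  # the 5-minute session described in the thread


class AppLock:
    """Lock gate driven by lifecycle events; all names here are hypothetical."""

    def __init__(self, clock=time.monotonic, grace=GRACE_SECONDS):
        self._clock = clock
        self._grace = grace
        # Kept in memory only, so a hard close (new process) starts locked.
        self._last_auth = None

    def unlocked(self):
        """True only while a successful authentication is still fresh."""
        return (self._last_auth is not None
                and self._clock() - self._last_auth < self._grace)

    def on_foreground(self):
        """Cold start or return from recent apps: True if content may show."""
        # Decided from authentication state alone. A prompt that was dismissed
        # or interrupted by the app switcher never counts as a success.
        return self.unlocked()

    def on_auth_result(self, success):
        """Only the authenticator's success callback starts a session."""
        if success:
            self._last_auth = self._clock()
        return self.unlocked()


def replay(events, grace=GRACE_SECONDS):
    """Run (seconds_since_start, event) pairs; return visibility after each."""
    now = [0.0]
    lock = AppLock(clock=lambda: now[0], grace=grace)
    handlers = {
        "foreground": lock.on_foreground,
        "auth_ok": lambda: lock.on_auth_result(True),
        "auth_fail": lambda: lock.on_auth_result(False),
    }
    visible = []
    for at, name in events:
        now[0] = float(at)
        visible.append(handlers[name]())
    return visible


# Constructed sequence: open app, recent apps and back twice, never authenticate.
SWITCHER_ROUND_TRIP = [(0, "foreground"), (2, "foreground"), (4, "foreground")]
```

Replaying sequences like this in a unit test gives a regression check for the reported flow: content stays hidden until an `auth_ok` event occurs, and is hidden again once the session expires.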