Yesterday, BGR discovered a major security flaw with the security lock feature on the, yet to be released, AT&T branded version of the Samsung Galaxy S II. The “simple pin” or “swipe unlock pattern” options on the device both allow anyone to bypass those lock features using a simple workaround. Both these features would normally lock people out of an Android device unless they knew the exact password or unlock pattern. We have not been able to test this out ourselves, but have seen many videos online attesting to this issue and will provide one below after the break.
The workaround flaw that allows you to bypass the PIN or unlock pattern is enabled by simply taping the lock button to wake the display and then let the screen time out and go black on it own. When you tap the lock button again, you are brought to the homescreen swipe and into the home screen and the unlock screen is gone and the phone can be accessed with no PIN or pattern.
Samsung has recently responded saying that:
“Samsung and AT&T are aware of the user interface issue on the Galaxy S II with AT&T. Currently, when using a security screen lock on the device, the default setting is for a screen timeout. If a user presses the power button on the device after the timeout period it will always require a password. If a user presses the power button on the phone before the timeout period, the device requests a password – but the password is not actually necessary to unlock it.
Samsung and AT&T are investigating a permanent solution. In the meantime, owners of the Galaxy S II can remedy the situation by re-setting their time-out screen to the “immediately” setting. This is done by going to the Settings ->Location and Security->Screen unlock settings->Timeout->Immediately.”