Boy Genius Report uncovered a highly odd security flaw in the AT&T variant of the Galaxy S II today. If you use a security lock (whether pattern or pin code) and have successfully unlocked it at least once, it is now vulnerable for future unauthorized access until it’s fully turned off again. From here, all one has to do is wake the phone from standby, wait for it to fade to black (without doing the code), and then hit the button again to wake it. The normal homescreen will inexplicably pop up, even though you never entered the lock code. In other words, once you properly unlock just one time, then anyone who picks up your phone after that can go to town on your device, getting in to all of your personal information.
Admittedly all of us who are currently encountering this issue are using review units of this phone, and there is a chance that this could be fixed by the time it launches on October 2 with a downloadable update. For now, if this isn’t addressed, it’s a fairly large security hole and one that doesn’t make a whole lot of sense. Currently the issue is not impacting the Epic 4G Touch on Sprint, so this is specific to the AT&T version.
We have reached out to Samsung for a comment and will update when we hear back from them.
What do you think about this security flaw? Will it impact your decision to buy one?
Update: Samsung replied to us with, “We’ll have an answer shortly.”
Update 2: We just got word directly from Samsung’s Director of Public Relations, Kim Titus who said:
Samsung and AT&T are aware of the user interface issue on the Galaxy S II with AT&T. Currently, when using a security screen lock on the device, the default setting is for a screen timeout. If a user presses the power button on the device after the timeout period it will always require a password. If a user presses the power button on the phone before the timeout period, the device requests a password – but the password is not actually necessary to unlock it.
Samsung and AT&T are investigating a permanent solution. In the meantime, owners of the Galaxy S II can remedy the situation by re-setting their time-out screen to the “immediately” setting. This is done by going to the Settings ->Location and Security->Screen unlock settings->Timeout->Immediately.