[bluocms]

How come the security model is so basic?

I even think they should dismiss modal by id instead of type.

As this is a highly sensitive part, I think stacking lock screens on top of the unlocked menu leaves the door open for many bugs that could unlock your device.

The unlocked menu should be locked at all times, and use a flag to monitor if it’s locked/unlocked, and only flip the flag when you unlock with biometrics or with password.

If the flag is locked, then the whole screen is black and can’t have any interactivity via touch, mouse, kw…

This way is more robust, so even if you manage to bypass the stack of lock screens, you end up with main menu locked.

[Apreche]

I was also thinking they should only dismiss by ID instead of type.

The other question is, why would background tasks be permitted to call dismiss at all? I can imagine a scenario where you get a malware app installed using whatever method. Then when you get physical access to the phone, you send a notification to the malware app. The malware app in the background calls dismiss on every possible type several times to unlock any possible security screens.

There should be some sort of lock/flag/semaphore that is held by the current top level security screen. Dismiss should only be callable by whatever process has a hold of that. Dismiss calls from anyone else should not only be denied, but processes that make such calls should be blocked, quarantined, marked as suspicious, etc.

[lupire]

If an non-system app can call dismiss at all, it's already game over.

[Apreche]

Oh, of course.

[qwertox]

I was thinking that if I would have to code this, at least once this issue would cross my mind, the question of "what happens when there are multiple screens stacked" and how it should get handled properly. This is what meetings are there for, to discuss such issues.

It almost sounds intentional, but at the very least like a very sluggish approach to security.

[ballenf]

I think an even better approach would be to have the concept of fixed tiers of locking combined with evicting the decryption key for any Lock Screen above the basic PIN.

And you can only move down one tier of unlocking at a time. Unlocking SIM PIN moves you down one tier to phone PIN screen.

[qwertox]

I'd go for one screen with a queue of prioritized unlocking tasks which need to be completed successfully one after the other. These tasks could get the chance to hand over a fragment which the screen embeds and presents to the user, in order to properly modularize the tasks.

[bluocms]

And this is something I come up on the spot. Engineers should think about like their life depends on it, this is a major security flaw.

Even more robust would be to switch that flag off by using the password or derived password from biometrics.

[system2]

It is android.

[woojoo666]

To be fair, we only know the source of the bug since it's open source. With iOS, we have no idea how bad the code is behind the scenes