SailingLab AppLock
- 4.3.8
An authentication bypass vulnerability has been identified in SailingLab AppLock version 4.3.8 for Android. This vulnerability allows a local attacker with physical access to the device to bypass the PIN lock. The issue arises because the lock is implemented as an overlay, rather than utilizing Android's secure authentication APIs. Exploitation involves navigating through exposed interface flows, which can be accessed via advertisement or browser intents, to evade lockscreen verification and gain access to protected applications, such as Chrome. This vulnerability leads to unauthorized access to sensitive information and allows for privilege escalation.
Exploitation of this vulnerability allows for unauthorized access to applications protected by AppLock, leading to potential information disclosure and unauthorized actions within those applications. Additionally, this vulnerability could be exploited to gain elevated privileges on the device.