Uh-oh, it looks like some versions of the brand new Samsung Galaxy S II might be going out the door to customers next week with a serious security flaw that leaves locked phones wide open.
BGR reports that their test model of the AT&T Galaxy S II would let them past the locked screen without entering the code. The trick? After waking the phone up it prompts you for your preset pattern code. Wait for the screen to go black, wake it up again, and voila—full access to the phone. The flaw only happens if the phone has been unlocked since the last power up, and it doesn't happen to Sprint versions of the Galaxy S II.
It's important to note that this is only a test model of the Galaxy S II, and that Samsung might have fixed the flaw on the phones that are about to ship next week. It's unclear whether Samsung knew about the bug before today, but if they're just finding out, it could be a while before there's a fix. Samsung is reportedly "investigating." We've reached out for comment, and we'll update when we hear back. The video above shows the flaw in action. [BGR via TechCrunch]
UPDATE 1: Below is Samsung's official statement on this:
Samsung and AT&T are aware of the user interface issue on the Galaxy S II with AT&T. Currently, when using a security screen lock on the device, the default setting is for a screen timeout. If a user presses the power button on the device after the timeout period it will always require a password. If a user presses the power button on the phone before the timeout period, the device requests a password – but the password is not actually necessary to unlock it.
Samsung and AT&T are investigating a permanent solution. In the meantime, owners of the Galaxy S II can remedy the situation by re-setting their time-out screen to the "immediately" setting. This is done by going to the Settings->Location and Security->Screen unlock settings->Timeout->Immediately.
Okay, we did some more digging, and just to be clear here, there is no security risk. Here's the deal:
When you set your Galaxy S II to require a password, the default time before you're required to enter it is five minutes. You can make that longer or shorter, as you like. The bug is that the unlock screen appears before it's required. So, you can dismiss that screen without inputting your pattern if you're still within the five-minute window you set, during which no password is required anyway. After the five minutes are up it will require you to enter the password correctly, just like it should.
So, it looks like there's a dangerous security flaw, but actually it's a bug where a screen pops up before it's supposed to. In other words, you shouldn't worry about this, and you may enjoy your Galaxy S II in peace. Samsung is working on correcting the bug, though, just so it's not confusing. And if you want, you can set it to require a password immediately, and then you'll never see this issue at all (though you will be punching in your password a lot). -BR
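To make the distinction above concrete, here is an added, simplified model of the behaviour the article describes (our own illustration, not Samsung's code): the unlock prompt is cosmetic, the real gate is whether the grace window since the last correct unlock has elapsed, and the "immediately" setting (a timeout of 0) makes that gate fire on every wake. The five-minute default and the event timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the reported behaviour; not Samsung's implementation.
GRACE_DEFAULT = 300.0  # five-minute default grace period, per the article


@dataclass
class LockScreen:
    timeout: float                     # seconds; 0 models the "immediately" setting
    buggy_prompt: bool = False         # True: draw the unlock prompt on every wake
    last_unlock: Optional[float] = None

    def credential_required(self, now: float) -> bool:
        """The actual security check: has the grace window elapsed?"""
        if self.last_unlock is None:
            return True                # never unlocked since power-up
        return now - self.last_unlock >= self.timeout

    def unlock(self, now: float, credential_ok: bool) -> bool:
        """Only a correct credential refreshes the grace window."""
        if credential_ok:
            self.last_unlock = now
        return credential_ok

    def wake(self, now: float) -> Dict[str, bool]:
        """What the user sees on wake versus what is actually enforced."""
        required = self.credential_required(now)
        shown = required or self.buggy_prompt
        return {
            "prompt_shown": shown,
            "credential_required": required,
            # the apparent "bypass": a prompt that can be dismissed because nothing enforces it
            "dismissable_without_credential": shown and not required,
        }


def simulate(timeout: float, buggy_prompt: bool) -> Dict[float, Dict[str, bool]]:
    """Constructed sequence: correct unlock at t=0, then wakes inside and after the window."""
    phone = LockScreen(timeout=timeout, buggy_prompt=buggy_prompt)
    assert phone.wake(0.0)["credential_required"]   # first wake after power-up always asks
    phone.unlock(0.0, credential_ok=True)
    return {t: phone.wake(t) for t in (60.0, 400.0)}


if __name__ == "__main__":
    for label, timeout, bug in (("default, buggy", GRACE_DEFAULT, True),
                                ("default, fixed", GRACE_DEFAULT, False),
                                ("immediately", 0.0, True)):
        print(label, simulate(timeout, bug))
```

Running it shows the prompt at t=60 can be dismissed only in the buggy/default case, and that with the timeout at 0 a credential is demanded on every wake, which is why the "immediately" setting closes the confusing gap.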