iOS 4 Lock Screen Security Flaw Grants Access to Contacts
By Mike Keller
MacRumors reported today a security flaw in iOS 4.1 that would allow someone to bypass the 4-digit passcode lock in order to access the Phone app. While the home screen and other apps appear to remain secure, access to the Phone app is no small prize, granting the unauthorized user the ability to view or edit contacts and voicemails, as well as make non-emergency calls. You can also apparently start Voice Control to play music or *gasp* ask what time it is.
The passcode bypass bug can be reproduced by the following method: touch the Emergency Call button on the Enter Passcode screen. On the Emergency Call screen, dial a non-emergency number (such as ‘#’). Hit the call button immediately followed by the hold/lock button on the top of the phone.
The test video was done on a jailbroken iPhone 4 with iOS 4.1, though I’ve successfully reproduced the bug myself on a non-jailbroken iPhone 4. Forum posts have confirmed it also affects iPhone 3G and 3GS, as well as iOS 4.0.
Some might remember a similar bug in iOS 2.0.1 that allowed a user to simply double-tap the home button in the emergency call screen to access the Favorites list, which could easily link to the SMS, Maps, or Safari apps.
Hopefully the press this bug is receiving will lead to a speedy fix from Apple.