Number of passcode attempts is not persisted, allowing easier brute-force attacks #178

mgod · 2018-06-04T21:12:48Z

At the moment, in the AppLockActivity, mAttempts does not get saved if the activity is killed. This means if you're trying to limit the number of passcode attempts in onPinFailure to some small number n, an attacker can bypass this by trying n-1 pin codes, then killing the app and trying n-1 more passcodes.

This should be pretty easy to work around by managing my own count of pin attempts that is persisted, but it seems like this should be built into the library. I'm happy to open a PR for this if it makes sense.

The text was updated successfully, but these errors were encountered:

mgod mentioned this issue Jul 9, 2018

Persist number of login attempts to prevent brute-force attack #182

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Number of passcode attempts is not persisted, allowing easier brute-force attacks #178

Number of passcode attempts is not persisted, allowing easier brute-force attacks #178

mgod commented Jun 4, 2018

Number of passcode attempts is not persisted, allowing easier brute-force attacks #178

Number of passcode attempts is not persisted, allowing easier brute-force attacks #178

Comments

mgod commented Jun 4, 2018