Mr Number for Android Screenlock Bypass Concern

Mr. Number is an Android app that lets you block incoming communication in a variety of ways. I’ve been using it for several months now and am quite happy. Crowd-sourced spam detection usually lets you know when a new number is spam. When a call comes in that is suspected spam, a pop-up appears with the option to close it, block the call, etc.

If your screen is locked, the pop-up still appears over the lock. Sometimes, but not always, if you block the number and tap ‘done’, it will drop you past the screen lock to the Android desktop.

I haven’t been able to figure out what causes it to happen sometimes and not others. I asked someone more familiar with Android and he couldn’t reproduce it reliably, but he did confirm the issue. The attack scenario is that if you spoof a call to a device using a known bad number, you could conceivably bypass the screen lock. Not very practical, especially since it isn’t reliable.

[Thanks to Zach @OSVDB for pointing out I failed by not including the affected version: 1.3.1]