A Security Issue In Samsung Galaxy S7




The security of the data on my phone has always been a top priority for me. That’s why I always encrypted my phone right after buying it. In the case of my Samsung Galaxy S7 I didn’t have to do that because this phone (already running Android “M”) is encrypted by default. If you want to be even safer, it also lets you encrypt the SD card.

I was extremely happy that I finally bought a phone whose manufacturer really cares about the security and privacy of the data of the user (e.g. my phone also came with Samsung KNOX which is also an interesting security solution).

Unfortunately, a few days ago I discovered a rather serious security issue in my Samsung Galaxy S7. It’s so serious (at least for me) that I am even considering switching back to the Sony Xperia Z5 Compact I had before. Here’s what I mean…


Almost Full Access To Settings When S7 Is Locked

As mentioned above, my phone is encrypted and protected with my fingerprint (and a very strong password). What’s more, I set it to automatically lock after a minute of inactivity and to lock instantly with the power button. I also set it to restore factory settings after the password has been entered incorrectly 30 times.

Unfortunately, all of this is for nothing because even when my phone is locked (and can only be unlocked by my fingerprint or password), it offers almost full access to settings. All you need to do to access them is swipe down from the top of the screen (like you do with the unlocked phone). Here is how it looks.


What’s even better, you can also get access to all of the quick settings (not only the first four) if you swipe further.


That’s still not all. You can also edit these icons (their position). All you need to do is click on EDIT, move around the icons and click DONE. Yes, we are still talking about a locked (and encrypted) phone.


Only moving around the icons and seeing these settings wouldn’t be the worst thing in the world if that was all you could do. Unfortunately, you can also activate and deactivate many of these functions without entering the password (i.e. without unlocking your phone). Here is the list of functions you can turn on and off if your phone is locked:




  • Always On Display
  • Sound/Vibrate/Mute
  • Airplane mode
  • Power saving
  • Flashlight 
  • Auto rotate/portrait
  • Do not disturb
  • Mobile data

It’s logical and understandable that the Flashlight is such a feature that the user should be able to activate as quickly and easily as possible. I can say the same about turning on and off Power saving or Do not disturb.

Unfortunately, I completely don’t understand the logic behind why Mobile data is on the list of the functions which can be turned on or off even if the phone is locked. To edit the settings of Location, for example, the phone will ask you for a password.

Turning Mobile Data On And Off In Locked S7

You need to have mobile data turned on for most of the apps to work properly. This applies especially to security apps. If you want to use Google Device Manager to remotely localize your phone and activate the alarm or wipe your phone, your phone needs to have mobile data turned on.

Imagine that your phone gets stolen and you want to see where it is. You won’t be able to do that because the thief will turn mobile data off a few seconds after he steals your phone. If you have some very sensitive data on your phone, decrypting it is more probable if the phone is turned on. If the phone is cut off from the Internet, you cannot do anything to protect your data and you completely lose control over your device.

Below you can see the screenshot from my phone. I have just activated mobile data (without unlocking the phone) and Google Now instantly gave me some information about traffic. Yeah! 😀


I was looking for a way to deactivate this option and hide all the settings when the phone is locked, but I am afraid it’s not possible. I am seriously thinking about writing to Samsung and telling them about it or switching back to the Sony Xperia Z5 Compact, where I couldn’t do much with the phone when it was locked.

Disclaimer

I noticed (from your messages and comments) that this post has created some confusion. My intention here is not to complain about or offend Samsung as a phone manufacturer. I realize that this “flaw” is completely software-related. I love my Samsung Galaxy S7 and I think overall that’s one of the best phones I have ever had (you can read my review of Galaxy S7 here).

However, I think this issue is quite serious and Samsung should update the official software of Samsung Galaxy S7 so that its users can choose what functions they want to be accessible without unlocking the phone. Of course, nothing gives you a 100% guarantee that you won’t lose control of your stolen phone. The thief may as well turn the phone off or the battery may die. Nevertheless, I am sure that the inability to instantly turn the mobile data off in a locked Galaxy S7 would increase the security of data stored on it and decrease the probability of decrypting the phone by the unwanted person.

How about you? Have you found a way to solve the above issue with Samsung Galaxy S7? Are you uncomfortable with it too? Feel free to share your comments in the comment box below or contact me directly.
