CVE-2019-15615

Vulnerability

The Nextcloud Android App version 3.9.0 contains a vulnerability where a faulty check of the system time allows the lock protection to be bypassed. By setting the device's system clock to a time in the past, the application incorrectly evaluates the time-based lockout, enabling unauthorized access without proper authentication [1].

Exploitation

An attacker with physical access to the device or the ability to modify the system time can exploit this flaw. The steps involve changing the system time to an earlier date and then opening the Nextcloud app, which then fails to enforce the lock screen protection due to the incorrect time check [1].

Impact

Successful exploitation results in a bypass of the app's lock mechanism, granting the attacker access to the Nextcloud account and its associated files and data without authentication. This compromises the confidentiality of user data stored in the Nextcloud app [1].

Mitigation

Upgrade to a patched version of the Nextcloud Android App (3.9.1 or later). The fix was released on 2020-02-04. Users should update the app through the Google Play Store or other distribution channels. No workaround is available for version 3.9.0 [1].