CVE-2019-20533

Vulnerability

The S Secure app on Samsung mobile devices with Android N(7.x), O(8.x), and P(9.0) (released in China or India) fails to enforce password authentication when launching masked (hidden) apps. This allows bypass of the intended security restriction that should require the user's password before revealing or launching apps hidden via the Secure Folder feature. The Samsung ID is SVE-2019-13996 (December 2019) [1].

Exploitation

An attacker with physical access to an unlocked device, or a malicious app running in the background with minimal permissions, can launch masked apps through the S Secure interface without being prompted for the user's password. No additional authentication or user interaction beyond device unlock is required [1].

Impact

Successful exploitation leads to unauthorized access to hidden applications and their data, bypassing the intended protection of the Secure Folder mechanism. This undermines user privacy and data confidentiality that the feature was designed to protect [1].

Mitigation

The vulnerability was addressed in a Samsung Security Update released in December 2019. Users should ensure their device has received and installed this update. No workaround is mentioned in the available references [1].