CVE-2020-25047

Vulnerability

On Samsung mobile devices running Android P(9.0) and Q(10.0) released in China and India, the S Secure application fails to enforce the intended password requirement for a locked application [1]. This flaw affects the software versions distributed in those specific regional markets, as identified by Samsung IDs SVE-2020-16746 and SVE-2020-16764 (August 2020).

Exploitation

An attacker with physical access to an unlocked device or the ability to launch the S Secure application can bypass the password prompt that is meant to restrict access to secured apps. No special network position or authentication is required beyond having the device in hand and being able to interact with the S Secure interface.

Impact

Successful exploitation allows the attacker to access the protected application content without providing the correct password. This defeats the confidentiality and access control provided by S Secure, potentially exposing sensitive data (e.g., private photos, messages, files) that the user intended to keep locked.

Mitigation

Samsung has not provided details of a fixed version in the available references [1]. Users should ensure their devices are updated with the latest security patches from Samsung, which may address this issue. No workaround is described in the references; the vendor's security update page [1] should be monitored for future releases.