CVE-2025-68708
Description
SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion [I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SailingLab AppLock 4.3.8 for Android bypasses its PIN lock via insecure overlay implementation and exposed intents, enabling local attackers to access protected apps.
Vulnerability
CVE-2025-68708 affects SailingLab AppLock (com.alpha.applock) version 4.3.8 for Android. The application implements its PIN lock as a software overlay rather than using Android's secure authentication APIs (e.g., KeyguardManager or biometric prompt). This overlay can be circumvented by navigating cascading interface flows that expose insecure routes to advertisement or browser intents, allowing an attacker to evade the lockscreen verification and directly access protected apps such as Chrome [1][2][3].
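The contrast the advisory draws, a UI-only overlay versus a gate built on the platform's credential APIs, is shown below as an added Kotlin example. It is not SailingLab AppLock's code; the class names, the layout resource, the stored PIN value and the ProtectedActivity are assumptions for illustration, and minSdk 23 plus the androidx.biometric library are assumed.

```kotlin
// Added example, not the AppLock code. Two ways of gating a protected screen.
import android.app.KeyguardManager
import android.content.Context
import android.content.Intent
import android.os.Bundle
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

// --- Weak pattern: the "lock" is just another view drawn over the content ---
class OverlayPinActivity : FragmentActivity() {
    // Constructed value for illustration; a real app must not keep a cleartext PIN.
    private val storedPin = "1234"

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.pin_overlay) // assumed layout resource
        // The overlay is the only thing between the user and the protected content.
        // The OS never verified a credential, so any interface flow that navigates
        // away from this Activity leaves nothing in place as a gate.
    }

    fun onPinEntered(entered: String) {
        if (entered == storedPin) finish() // "unlock" simply removes the view
    }
}

// --- Hardened pattern: the system verifies a credential before anything launches ---
class CredentialGateActivity : FragmentActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val allowed = BIOMETRIC_STRONG or DEVICE_CREDENTIAL
        val km = getSystemService(Context.KEYGUARD_SERVICE) as KeyguardManager
        if (!km.isDeviceSecure ||
            BiometricManager.from(this).canAuthenticate(allowed) != BiometricManager.BIOMETRIC_SUCCESS
        ) {
            // Fail closed: with no system credential to verify, launch nothing.
            finish()
            return
        }
        val prompt = BiometricPrompt(
            this, ContextCompat.getMainExecutor(this),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    // Only after the platform confirms the credential is the protected screen started.
                    startActivity(Intent(this@CredentialGateActivity, ProtectedActivity::class.java))
                    finish()
                }

                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    finish() // cancelled or locked out: stay closed
                }
            }
        )
        prompt.authenticate(
            BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock protected app")
                .setAllowedAuthenticators(allowed) // no negative button when DEVICE_CREDENTIAL is allowed
                .build()
        )
    }
}

// Assumed protected screen. Declare it android:exported="false" in the manifest so
// an outside intent cannot start it directly and skip CredentialGateActivity.
class ProtectedActivity : FragmentActivity()
```

Two caveats follow from the advisory's own point. First, this pattern only guarantees the gate for screens the app itself launches; a third-party locker that sits on top of another package such as Chrome cannot insert itself into that package's launch path and is left drawing an overlay, which is exactly the design the advisory criticises. Second, BiometricPrompt confirms a credential but does not by itself bind that confirmation to data; where the protected content is the app's own secrets, pair the prompt with a CryptoObject and a Keystore key that requires user authentication, so the data cannot be decrypted without the system's check.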
Exploitation
An attacker with physical access to the device can exploit the vulnerability by triggering an insecure intent via a browser or an advertisement displayed within the overlay. By carefully following the exposed interface navigation, the attacker can dismiss or bypass the AppLock overlay without providing the correct PIN, thereby gaining access to the underlying protected application [2][3]. No additional authentication, special privileges, or user interaction beyond physical possession of the unlocked screen is required.
Impact
Successful exploitation results in unauthorized access to any app locked by AppLock, including sensitive applications like Chrome, messaging apps, and system apps such as Gallery and Settings. This leads to information disclosure (e.g., viewing private messages, photos, browsing history) and privilege escalation, as the attacker can operate the protected app with the same permissions as the legitimate user [1][2].
Mitigation
As of the publication date (2026-05-26), no official fix has been released by SailingLab. Users should uninstall version 4.3.8 and switch to an alternative app locker that relies on Android's built-in secure authentication mechanisms. The vendor's Google Play page [1] does not mention a patched version. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. Notify the vendor and monitor their page for future updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.