Solved

Security bug: Full access to Tasker without lock code from home screen icon

Lock code protection is not functioning properly in Tasker and security is compromised:

1. Tasker is lock code protected

2. Long-pressing Tasker icon on the phone's Home screen opens a popup with options such as Settings, Run Log, Edit Task.

3. Tapping Edit Task, for example, takes the user straight to the editable Tasker task with no lock code prompts

4. Now, selecting Cancel from the task takes the user to the task list, i.e. giving an unauthorized user full access to do whatever (s)he wants with Tasker

4 replies

Great, thanks! :D

AP

EDIT: Arrgh, my bad... After installing the test apk, I had indeed set the password but forgot to tick "Lock On Startup". So yes, I can confirm your fix appears to be working! 

To make 100% sure I have the test apk installed, I just uninstalled Tasker and re-installed the test apk, this time on another phone (S8):

- Password is NEVER asked, when short-tapping the home screen shortcut to enter Tasker. It doesn't matter whether Tasker was previously exited via back button or Tasker menu's exit. If password is set, password is only asked after trying to access Preferences (inside Tasker).

- When long-tapping the shortcut and tapping the "Edit Task" option, password is ALWAYS asked, whether or not password is actually set in Preferences. If password is not set, leaving the prompt blank and choosing "OK" takes the user to the edit view as expected - but obviously password shouldn't be asked if it is not set.

Hopefully this can be sorted out. I've currently had to hide the Tasker shortcut and on top of that block Nova Settings so that the user can't unhide Tasker to access it freely.

AP

Thanks! Tested the apk on Android 8.0.0 (Galaxy S7).

There appears to be a new bug:

- Single-tapping on the home screen shortcut, Tasker is launched without password prompt, even when password is set. Password prompt only appears when trying to access Preferences. Same thing happens when re-launching previously exited Tasker from phone's recent apps drawer: no password prompt appears.

Long-tapping on the shortcut and its popup options now behaves like this:

- "Task Edit: xxx" correctly prompts for password BUT password prompt appears even when no password is set - i.e. if Tasker is not password-protected, Tasker can't be accessed via this route at all.

- "Run Log": no password prompt is shown. However, if Tasker was previously exited, Tasker can't be accessed via Run Log's back arrow, so I guess password isn't needed.

- "Settings": password prompt shows up.

Other observations (not specific to this test apk version):

- Exiting Tasker using phone's home button doesn't really exit Tasker, whereas using phone's back button does. Is this as designed? I.e., "exiting" Tasker via home button leaves Tasker active and Tasker can be subsequently re-launched without password. Back button functions like Tasker's "Exit" option (i.e. app is properly exited) and I'm not sure if home button should behave likewise. I know I have sometimes accidentally left Tasker accessible, when I thought I had exited Tasker but had actually just "hidden" Tasker with home button.  

Hi. I could not reproduce the issues you describe. When it didn't prompt you for the password, was it maybe because you exited with the home button instead of the back button?

I'm not sure if that's by design or not (I didn't implement it, the previous developer did), but I think it has always worked that way :)

Thanks for the report. Think I've fixed it in this version. Can you give it a try?
