1. Home
  2. Techniques
  3. Mobile
  4. Lockscreen Bypass

Lockscreen Bypass

An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:

  • Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.[1][2]
  • Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.
  • Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.[3][4]
ID: T1461
Sub-techniques:  No sub-techniques
Tactic Type: Post-Adversary Device Access
Tactic: Initial Access
Platforms: Android, iOS
Version: 1.3
Created: 25 October 2017
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1094 BRATA

BRATA can request the user unlock the device, or remotely unlock the device.[5]
S1083 Chameleon

Chameleon has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, Chameleon will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.[6]

S1092 Escobar

Escobar can request the DISABLE_KEYGUARD permission to disable the device lock screen password.[7]

Mitigations

ID Mitigation Description
M1012 Enterprise Policy

Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently.

M1001 Security Updates

OS security updates typically contain exploit patches when disclosed.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0645 Detection of Lockscreen Bypass AN1723

Mobile security products can often alert the user if their device is vulnerable to known exploits.
AN1724

Mobile security products can often alert the user if their device is vulnerable to known exploits.

References

  1. SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.
  2. Sean Keach. (2018, February 15). Brit mates BREAK Apple’s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.
  3. Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. Retrieved December 23, 2016.
  4. Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.
  1. Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.
  2. ThreatFabric. (2023, December 21). Android Banking Trojan Chameleon can now bypass any Biometric Authentication. Retrieved July 7, 2025.
  3. B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.