SailingLab AppLock CVE-2025-68708
Severity: LOW (NVD)
CVSS vector (NVD): CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (NVD)
SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows (insecure navigation through exposed routes facilitates app control evasion, [I.N.T.E.R.F.A.C.E]) via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
Analysis (AI)
The PIN lock bypass in SailingLab AppLock 4.3.8 for Android exposes protected applications to anyone with brief physical access to the device. The root cause is architectural: the lock is a screen overlay drawn on top of the target app rather than a check made through Android's secure authentication APIs, so the underlying app keeps running beneath the overlay and remains reachable through exposed intent routes triggered by advertisement or browser interactions. An attacker with the unlocked device in hand can walk through cascading UI flows to dismiss or route around the overlay and reach locked apps such as Chrome, which the advisory classifies as information disclosure and privilege escalation. The CVE is not listed in CISA's KEV catalog, but a researcher disclosure is public on GitHub (linked under Remediation), and EPSS is negligible at 0.04% (11th percentile), consistent with a physical-access-only attack vector.
Technical Context (AI)
SailingLab AppLock (package com.alpha.applock, version 4.3.8) implements its locking mechanism as an Android WindowManager overlay drawn on top of target applications rather than through Android's sanctioned authentication surfaces such as KeyguardManager, BiometricPrompt, or DevicePolicyManager. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes this root cause precisely: the overlay can be bypassed by triggering exposed Android Activity or Intent routes, specifically advertisement intents or browser deep links, that move the UI to a state where the overlay is absent without ever executing the PIN verification code path. Android's intent system lets third-party apps and browser navigations launch any Activity component that is exported or that accepts matching intent filters; if such components are reachable, including through advertisement SDKs embedded in AppLock itself, the attacker can redirect the foreground flow around the overlay. The general lesson is that an overlay is a visual cover, not an authentication boundary: the protected app's Activity is still resumed and running underneath, so any path that brings it forward again outruns the cover. An authentication check only holds if it sits on every code path that reveals the protected content. The CPE entry is listed as n/a in the NVD, meaning the product is not formally catalogued in the NVD product dictionary, which reduces automated detection coverage for asset inventory tools.
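To make the contrast concrete, the following is an added example (not SailingLab's code, and not taken from the researcher's disclosure) of the pattern the advisory recommends: a protected app gates its own content on Android's credential verification in onResume(), so a browser deep link, an ad callback, or a return from recents all pass through the same prompt. It assumes the androidx.biometric library (1.1 or later) on the classpath; the class LockedActivity, the onUnlocked() hook and the flag names are hypothetical.

```kotlin
// Added example, not code from SailingLab AppLock or from the CVE disclosure.
// Assumes androidx.biometric:biometric 1.1+; LockedActivity and onUnlocked() are hypothetical names.
import android.os.Bundle
import android.view.View
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_WEAK
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat

/**
 * Base class for screens that must not be shown without user verification.
 *
 * Every route into an Activity (launcher icon, browser deep link, advertisement
 * SDK callback, recents) ends in onResume(). Placing the check there and keeping
 * the content invisible until it succeeds leaves no alternate path to the data,
 * which is exactly what an external overlay locker cannot guarantee: the overlay
 * covers a window it detected, while the Activity underneath is still resumed.
 */
abstract class LockedActivity : AppCompatActivity() {

    private var unlocked = false   // true only after the OS reported success
    private var prompting = false  // guards against stacking prompts

    override fun onResume() {
        super.onResume()
        if (!unlocked && !prompting) {
            // Nothing sensitive is visible until verification succeeds.
            findViewById<View>(android.R.id.content).visibility = View.INVISIBLE
            requestUnlock()
        }
    }

    override fun onUserLeaveHint() {
        super.onUserLeaveHint()
        // The user explicitly left (Home / recents): require verification on return.
        // onStop() is deliberately not used here, because the credential screen
        // on older API levels is itself a separate Activity and would re-lock us
        // mid-prompt.
        unlocked = false
    }

    private fun requestUnlock() {
        prompting = true
        val promptInfo = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock")
            // DEVICE_CREDENTIAL lets the user fall back to the device PIN/pattern/password.
            // The OS verifies the secret; the app never stores or compares a PIN itself.
            // BIOMETRIC_WEAK | DEVICE_CREDENTIAL is the combination androidx supports on all levels.
            .setAllowedAuthenticators(BIOMETRIC_WEAK or DEVICE_CREDENTIAL)
            .build()

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                prompting = false
                unlocked = true
                findViewById<View>(android.R.id.content).visibility = View.VISIBLE
                onUnlocked()
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // Cancelled, locked out, or no credential enrolled: fail closed.
                prompting = false
                finish()
            }
        }

        BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback)
            .authenticate(promptInfo)
    }

    /** Subclasses load and render sensitive data only from this hook, never in onCreate(). */
    protected abstract fun onUnlocked()
}
```

The design point is where the check lives, not which prompt is used: because the prompt is the only thing that flips `unlocked` and the sensitive views are populated only from onUnlocked(), an Intent that re-enters the Activity by a route the developer did not anticipate still lands on an invisible screen and a system credential dialog. An overlay-based locker, by contrast, has to notice the foreground change from outside the target app and race to draw over it, which is the window the advisory's intent-based navigation exploits.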
Remediation (AI)
No vendor-released patch has been identified at the time of analysis, and no fixed version number is available from the provided intelligence sources. Users should check the Google Play listing (https://play.google.com/store/apps/details?id=com.alpha.applock) for any update released after version 4.3.8, bearing in mind that a later version is not evidence of a fix unless the vendor says so. As a compensating control, users who need app-level locking should rely on Android's built-in mechanisms (a strong device credential, and screen pinning when handing over a device for one task) or on app-locking solutions that gate access through BiometricPrompt and KeyguardManager rather than an overlay; the trade-off is less feature flexibility in exchange for a verification path the operating system enforces. Treat any overlay-based locker as providing no protection against a person holding the unlocked device: removing the AppLock overlay for individual apps in the app's own settings at least removes the false sense of security. On corporate-managed devices, MDM-enforced app restrictions or Android Enterprise work profiles should replace third-party overlay lockers entirely. The researcher disclosure is available at https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708 for technical detail.