SpSoft AppLock CVE-2025-68712
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
AnalysisAI
Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.
Technical ContextAI
SpSoft AppLock (package ID com.sp.protector.free, version 7.9.40) implements per-application locking on Android by rendering a custom overlay window over protected apps. Although the application integrates Android's biometric framework for fingerprint and PIN authentication, the access control decision (CWE-285: Improper Authorization) is not enforced at the Android system or activity-manager level but within the overlay's own UI state machine. This architecture creates a bypass surface: Android Intents - particularly those originating from advertisement SDKs or external browser navigation - can trigger Activity or Fragment transitions that the overlay does not intercept or re-authenticate. The result is that the authorization check is effectively skipped when navigation is driven by these exposed routes rather than through the app's primary lock UI. CWE-285 precisely describes this flaw: the software does not correctly perform authorization, allowing principals to access resources or perform actions they should not be permitted to perform.
Affected ProductsAI
SpSoft AppLock version 7.9.40 for Android (package com.sp.protector.free) is the confirmed affected version per the CVE description. The application is distributed via the Google Play Store at https://play.google.com/store/apps/details?id=com.sp.protector.free. No CPE string is provided in the available data. Whether earlier versions of the application share the same UI overlay architecture and are similarly affected is not confirmed in available sources - only 7.9.40 is explicitly named. No vendor advisory has been identified.
RemediationAI
No vendor-released patch or patched version has been identified at time of analysis - no vendor advisory exists in the referenced materials, and the only fix-related information is the researcher's GitHub disclosure at https://github.com/actuator/com.sp.protector.free/blob/main/CVE-2025-68712. Users requiring per-application locking on Android should consider uninstalling SpSoft AppLock 7.9.40 and replacing it with Android's native app locking features available on supported OEM firmware (e.g., Samsung Secure Folder, or screen-pinning via Android Settings), which enforce authentication at the OS level rather than via an interceptable overlay. As a compensating control, enabling full-device encryption and a strong device lock screen PIN reduces the window for physical-access exploitation, since device access is a prerequisite to triggering this bypass. If the application must remain installed, restricting physical access to the device and disabling in-app advertisement features (if configurable) may partially reduce the exposed intent-based navigation paths, though these mitigations do not address the root cause. Users should monitor the Google Play listing and vendor communications for a patched release.
Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player
V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac
Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13
Same weakness CWE-285 – Improper Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today