Skip to main content

SpSoft AppLock CVE-2025-68712

MEDIUM
Improper Authorization (CWE-285)
2026-05-27 cve@mitre.org
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 28, 2026 - 17:28 vuln.today
CVSS changed
May 28, 2026 - 17:22 NVD
5.5 (MEDIUM)
CVE Published
May 27, 2026 - 17:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 17:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.

AnalysisAI

Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.

Technical ContextAI

SpSoft AppLock (package ID com.sp.protector.free, version 7.9.40) implements per-application locking on Android by rendering a custom overlay window over protected apps. Although the application integrates Android's biometric framework for fingerprint and PIN authentication, the access control decision (CWE-285: Improper Authorization) is not enforced at the Android system or activity-manager level but within the overlay's own UI state machine. This architecture creates a bypass surface: Android Intents - particularly those originating from advertisement SDKs or external browser navigation - can trigger Activity or Fragment transitions that the overlay does not intercept or re-authenticate. The result is that the authorization check is effectively skipped when navigation is driven by these exposed routes rather than through the app's primary lock UI. CWE-285 precisely describes this flaw: the software does not correctly perform authorization, allowing principals to access resources or perform actions they should not be permitted to perform.

Affected ProductsAI

SpSoft AppLock version 7.9.40 for Android (package com.sp.protector.free) is the confirmed affected version per the CVE description. The application is distributed via the Google Play Store at https://play.google.com/store/apps/details?id=com.sp.protector.free. No CPE string is provided in the available data. Whether earlier versions of the application share the same UI overlay architecture and are similarly affected is not confirmed in available sources - only 7.9.40 is explicitly named. No vendor advisory has been identified.

RemediationAI

No vendor-released patch or patched version has been identified at time of analysis - no vendor advisory exists in the referenced materials, and the only fix-related information is the researcher's GitHub disclosure at https://github.com/actuator/com.sp.protector.free/blob/main/CVE-2025-68712. Users requiring per-application locking on Android should consider uninstalling SpSoft AppLock 7.9.40 and replacing it with Android's native app locking features available on supported OEM firmware (e.g., Samsung Secure Folder, or screen-pinning via Android Settings), which enforce authentication at the OS level rather than via an interceptable overlay. As a compensating control, enabling full-device encryption and a strong device lock screen PIN reduces the window for physical-access exploitation, since device access is a prerequisite to triggering this bypass. If the application must remain installed, restricting physical access to the device and disabling in-app advertisement features (if configurable) may partially reduce the exposed intent-based navigation paths, though these mitigations do not address the root cause. Users should monitor the Google Play listing and vendor communications for a patched release.

More in Chrome

View all
CVE-2015-5122 CRITICAL POC
9.8 Jul 14

Use-after-free vulnerability in the DisplayObject class in the ActionScript 3 (AS3) implementation in Adobe Flash Player

CVE-2016-5198 HIGH POC
8.8 Jan 19

V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac

CVE-2017-5070 HIGH POC
8.8 Oct 27

Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, a

CVE-2016-1646 HIGH POC
8.8 Mar 29

The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, do

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2017-5030 HIGH POC
8.8 Apr 24

Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2015-5123 CRITICAL
9.8 Jul 14

Use-after-free vulnerability in the BitmapData class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13

Share

CVE-2025-68712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy