Bypassing Four digit Pin lock Of Mobile App

Hi Everyone,

This post is about a simple vulnerability by Which I am able to bypass the 4 Digit Pin lock on android app.


So android app let you set a 4 digit pin. This pin is secure your account from the intruders.Evertime you open the app , you have to enter the 4 digit pin in order to access the account.
And there is also rate limiting on place that if you try to brute force the pin it logs you out and then in order to access the account you have to sign in again.
But by a simple vulnerability I can bypass the 4 digit pin.

How I am able to Bypass it

So the exploit is very simple here.
You have to remember a things that after entering wrong pin 5 times it will log you out.
Now lets start since you have the physical access of the device.
Configure Burp to intercept all the traffic from you mobile device. Now open the app it will ask you for the password.

When you open the app a request like this will pass through the burp 

The pin is not entered at this time.

Now enter the wrong pin since as i mentioned you have 5 chances to enter the pin.
so if you enter a wrong pin.
You will see a response like this 

You Can easily see that the pin is mentioned in the response.
I can easily bypass the 4 digit pin countermeasure and can access the private info like credit card info , Gift cards purchased and many other things.

P.S: My device is not rooted and I never perform tests on a rooted device. Since rooting a device removes the most important security feature of the android.

Hope you enjoyed it let me know your thinking about this in comments.

Reported to security team on January 19 2016
No response from the team.
Disclosed on March 27 2016

Jitendra Kumar Singh (Team Computer- Korner)

Feel Free To Leave A Comment If Our Article has Helped You, Support Us By Making A Small Contribution, Thank You!