Printer-friendly version

Yesterday, I locked myself out of my Android phone with the Application MobiLock. MobiLock is designed to lock your phone down to only a set of allowed apps and nothing else. It's fine when you want to hand your phone to someone you know for an extended period of time for a particular purpose. The starter version is free.

I had used this app to leave my phone as a remote for my ChromeCast so that our babysitter could watch some shows while we're gone. I set the PIN, gave it to her and unlocked it, when I got home. Nice and easy.

However, MobiLock will not go out of its way to ask you about your Password before activating. As soon as that app icon is pushed, it will lock down, using the PIN you set whenever. Rebooting won't help you, MobiLock sits tight on your phone. I could not get out of it or access my root filesystem to remove the app. Google Play store no longer lets you remotely uninstall apps. I was on the verge of flashing my phone with Odin, relying on the last backup from TItanium Backup.

Luckily, I had some recollection of the principles behind the code I set. I used Python to print me out a list of likely PINs, ordered by likelihood. Then I started brute-forcing it. Luckily, the "access denied" is quick to come and inline. Also, it is possible to just delete the last digit, type a new one and check again. This way, I tried about 1.5 combinations per second, with brief pauses for striking through combinations.

After a few hours, I finally got it unlocked. I was happy to have used only a 4-digit and pattern-esque PIN.

So, with that: If you only use MobiLock privately … make sure you can easily brute-force it with some patience.