Lockscreen Bypass

An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:

Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.^[1]^[2]
Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.
Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.^[3]^[4]

ID: T1461

Sub-techniques: No sub-techniques

Tactic Type: Post-Adversary Device Access

ⓘ

Tactic: Initial Access

ⓘ

Platforms: Android, iOS

Version: 1.3

Created: 25 October 2017

Last Modified: 12 May 2026

Procedure Examples

ID	Name	Description
S1094	BRATA	BRATA can request the user unlock the device, or remotely unlock the device.^[5]
S1083	Chameleon	Chameleon has the ability to bypass the biometric prompt for unlocking an infected device, forcing the victim to use PIN authentication. To do so, Chameleon will first check specified conditions, then will use the AccessibilityEvent action to transition from biometric authentication to PIN authentication.^[6]
S1092	Escobar	Escobar can request the `DISABLE_KEYGUARD` permission to disable the device lock screen password.^[7]
S9006	VajraSpy	VajraSpy has requested for `android.permission.DISABLE_KEYGUARD` to disable the device lock screen password.^[8]

ID	Mitigation	Description
M1012	Enterprise Policy	Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently.
M1001	Security Updates	OS security updates typically contain exploit patches when disclosed.

ID	Name	Analytic ID	Analytic Description
DET0645	Detection of Lockscreen Bypass	AN1723	A lock-state transition telemetry, special access or privileged interaction capability, security-sensitive framework use, and immediate downstream activity while the user-interaction context is weak or inconsistent. This yields stronger coverage on Android than iOS.
DET0645	Detection of Lockscreen Bypass	AN1724	Defender correlates an iOS-specific reduced-confidence chain where a supervised or managed device transitions from locked or inactive state to interactive or application-active state with weak evidence of expected user authentication, often accompanied by abnormal protected posture change, trust-state change, unexpected app wake, sensor use, or immediate downstream communication. Because direct visibility into lockscreen bypass mechanics on iOS is limited, the analytic prioritizes strong device-state effects and post-unlock behavior rather than pretending to observe the exact bypass method.