PSA: The AT&T Galaxy S II Has A Pretty Terrible Security Flaw [Update: Confirmed By Samsung!]

The AT&T Galaxy S II is a lot of things. It’s fast. It’s thin. It’s pretty damn nice to look at. But secure? Yeah, not really.

In what seems to be an almost inexcusable oversight, it appears that the pattern lock (the thing that keeps prying eyes from prying) on AT&T’s version of the Samsung Galaxy S II is… pretty much useless.

The guys over at BGR noticed the loophole, and caught it on video below.

How it works is almost absurd: you turn on the device’s display, and the unlock pattern screen should show up (assuming that you have a pattern set, of course.) The trick? Do nothing. The screen will fade to black after a moment. Turn the display back on — and bam: you’re in, no pattern-based unlock required. The one small catch is that someone will have had to unlock the device the proper way once since power up.

This flaw does not seem to affect Sprint’s Galaxy S II variant, the Epic Touch 4G.

On the upside, these things don’t actually ship to the general populace until October 2nd. While there’s some chance that Samsung noticed this issue and fixed it between shipping the review units and shipping the retail hardware (Samsung’s only response is that they’re “investigating”), such last minute patches rarely, if ever, occur. If the retail units exhibit this same behavior, expect it to be a few days to a few weeks before a patch is made available.

Update: A few e-mails and at least one commenter below raged on me and claimed that this couldn’t be real (gotta love that a device that isn’t even out yet has devout fanboys) — but Samsung and AT&T themselves have just confirmed that there is a flaw and that they are “investigating a permanent solution”. See their comment and their suggested temporary fix below:

Samsung and AT&T are aware of the user interface issue on the Galaxy S II with AT&T. Currently, when using a security screen lock on the device, the default setting is for a screen timeout. If a user presses the power button on the device after the timeout period it will always require a password. If a user presses the power button on the phone before the timeout period, the device requests a password – but the password is not actually necessary to unlock it.

Samsung and AT&T are investigating a permanent solution. In the meantime, owners of the Galaxy S II can remedy the situation by re-setting their time-out screen to the “immediately” setting. This is done by going to the Settings->Location and Security->Screen unlock settings->Timeout->Immediately.