CVE-2024-13916: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in Kruger&Matz com.pri.applock

Medium
Tags: Vulnerability, CVE-2024-13916, CWE-497
Published: Fri May 30 2025 (05/30/2025, 15:16:03 UTC)
Source: CVE Database V5
Vendor/Project: Kruger&Matz
Product: com.pri.applock

Description

The application "com.pri.applock", which is pre-loaded on Kruger&Matz smartphones, allows a user to encrypt any application using a user-provided PIN code or biometric data. The exposed "com.android.providers.settings.fingerprint.PriFpShareProvider" content provider's public query() method allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code. Only one version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability. An application update was released in April 2025.

AI-Powered Analysis

AI analysis last updated: 07/08/2025, 16:11:56 UTC

Technical Analysis

CVE-2024-13916 is a medium-severity vulnerability affecting the "com.pri.applock" application pre-installed on Kruger&Matz smartphones. This app provides functionality to encrypt other applications using a user-defined PIN or biometric authentication. The vulnerability arises from an exposed content provider, "com.android.providers.settings.fingerprint.PriFpShareProvider", which has a public query() method accessible without any Android system permissions. This design flaw allows any malicious application installed on the device to query this content provider and exfiltrate the PIN code used for app encryption. The vulnerability was confirmed in version 13 (version code 33) of the app, with no authentication or user interaction required to exploit it.

The CVSS 4.0 score is 6.9 (medium severity), reflecting the local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (VC:H) but no impact on integrity or availability.

The vulnerability exposes sensitive authentication secrets, potentially allowing attackers to bypass app-level encryption and access protected applications and data on the device. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to user privacy and device security. An application update addressing this issue was released in April 2025. The vulnerability is categorized under CWE-497, indicating exposure of sensitive system information to an unauthorized control sphere due to improper access control on the content provider interface.
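A defender-side check for the flaw class described above, added here as an example and not code from the advisory, CERT-PL or Kruger&Matz: it parses a decoded AndroidManifest.xml (for instance as produced by apktool) and lists content providers that are exported without any guarding permission, which is exactly the condition that let any app call query() on PriFpShareProvider. Only the provider class name is taken from the advisory; the authorities, the other two providers, the permission string and the sample manifest are constructed assumptions.

```python
"""Audit a decoded AndroidManifest.xml for providers any app can query.
Added example, not code from the advisory or Kruger&Matz; the sample
manifest below is constructed (only the PriFpShareProvider name is real).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(provider, target_sdk):
    """Exported flag, with the platform default when unset: providers are
    exported by default below API 17 and private from API 17 on."""
    raw = _attr(provider, "exported")
    if raw is not None:
        return raw.strip().lower() == "true"
    return target_sdk < 17

def find_open_providers(manifest_xml, target_sdk=33):
    """Return names of exported providers that no permission guards."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        if not is_exported(prov, target_sdk):
            continue
        guards = ("permission", "readPermission", "writePermission")
        if not any(_attr(prov, g) for g in guards):
            findings.append(_attr(prov, "name"))
    return findings

# Constructed sample: one provider wide open, one private, one permission-gated.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.pri.applock">
  <application>
    <provider android:name="com.android.providers.settings.fingerprint.PriFpShareProvider"
              android:authorities="com.example.assumed.fpshare" android:exported="true"/>
    <provider android:name="com.example.assumed.PrivateProvider"
              android:authorities="com.example.assumed.private" android:exported="false"/>
    <provider android:name="com.example.assumed.GuardedProvider"
              android:authorities="com.example.assumed.guarded" android:exported="true"
              android:permission="com.example.assumed.permission.READ_LOCK_DATA"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name in find_open_providers(SAMPLE_MANIFEST):
        print("exported without a permission:", name)
```

Pass the app's real targetSdkVersion as target_sdk when auditing a manifest that omits android:exported, since the platform default differs below API 17.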

Potential Impact

For European organizations, especially those whose employees use Kruger&Matz smartphones or distribute these devices internally, this vulnerability could lead to unauthorized access to sensitive corporate applications protected by the app locker. Attackers could stealthily extract PIN codes without user knowledge, bypassing encryption and gaining access to confidential business data, communications, or credentials stored within locked apps. This could result in data breaches, intellectual property theft, and compromise of personal data subject to GDPR regulations, leading to regulatory penalties and reputational damage. The vulnerability's exploitation does not require user interaction or elevated privileges, increasing the risk of automated or stealthy attacks via malicious apps. Organizations relying on mobile device management (MDM) solutions should be aware that this vulnerability undermines app-level security controls, potentially requiring additional compensating controls. The lack of impact on device integrity or availability limits the threat to confidentiality, but the exposure of authentication secrets is critical in environments with sensitive data. Given the medium severity, the risk is non-trivial and warrants prompt remediation to maintain compliance and security posture.

Mitigation Recommendations

1. Immediately update the "com.pri.applock" application to the patched version released in April 2025 on all affected Kruger&Matz devices to close the exposed content provider access.
2. Restrict installation of untrusted or unknown applications on corporate devices to reduce the risk of malicious apps exploiting this vulnerability.
3. Employ mobile threat defense (MTD) solutions capable of detecting suspicious inter-app communication or unauthorized access attempts to content providers.
4. Use device-level encryption and strong authentication mechanisms beyond app-level PINs or biometrics to protect sensitive data.
5. Implement strict application whitelisting and sandboxing policies to limit the capabilities of installed applications.
6. Conduct regular security audits and vulnerability assessments on mobile devices used within the organization.
7. Educate users about the risks of installing apps from untrusted sources and the importance of applying updates promptly.
8. Monitor device logs and network traffic for unusual activity that may indicate exploitation attempts.
9. Coordinate with Kruger&Matz support or vendors for timely security advisories and patches.
10. Consider alternative secure app locking solutions with verified security postures if the device ecosystem allows.

Technical Details

Data Version
5.1
Assigner Short Name
CERT-PL
Date Reserved
2025-03-04T13:18:35.318Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6839ce93182aa0cae2b5b186

Added to database: 5/30/2025, 3:28:19 PM

Last enriched: 7/8/2025, 4:11:56 PM

Last updated: 7/30/2025, 4:11:29 PM
