Lock screen map allows access to sensitive data #10346

New issue

Open

opened 2025-02-25 15:52:19 +00:00 by AtmosphericIgnition · 0 comments

AtmosphericIgnition commented

2025-02-25 15:52:19 +00:00

(Migrated from github.com)

⚠ Have you searched for similar, already existing issues?

Describe the issue
When navigation is running, OM will "take over" the device's lockscreen (as it should). The issue is that pretty much all the app's functionality remains accessible on the lockscreen. As long Organic Maps is running on the lockscreen, this allows anyone with the device to:

Change Organic Maps settings
View all bookmarked locations and tracks
View your map search history
View your OpenStreetMap profile
Make edits using your OSM account

This means that if one looses their device while Organic Maps is running, anyone can see all their saved locations, tracks, and can make edits using the logged in OSM account.

Steps to reproduce

Start navigation
Lock device
Hit the star button in the bottom left corner
See all user's bookmarks, tracks without authentication

Expected behavior
Sensitive data (bookmarks, history) should not be accessible via the lockscreen with no authentication. Changing settings should not be possible without the lockscreen password. I can see the ability to make OSM edits from the lock screen being usable to some, a toggle to disable OSM edits on while the device is locked could be made. Saved places should also not be freely visible on the lock screen map, unless they are being navigated to.

System information:

Operating system and its version: Android 15 (GrapheneOS)
Organic Maps version: 2025.01.28-1-Google
Device Model: Google Pixel 8 Pro

Additional context
Other map applications limit what can be done from the lockscreen. Some only allow viewing the application, and any interaction asks for password. Some apps heavily limit access to any user data like bookmarks and other info.

⚠ Have you searched for similar, already existing issues? **Describe the issue** When navigation is running, OM will "take over" the device's lockscreen (as it should). The issue is that pretty much all the app's functionality remains accessible on the lockscreen. As long Organic Maps is running on the lockscreen, this allows anyone with the device to: Change Organic Maps settings View all bookmarked locations and tracks View your map search history View your OpenStreetMap profile Make edits using your OSM account This means that if one looses their device while Organic Maps is running, anyone can see all their saved locations, tracks, and can make edits using the logged in OSM account. **Steps to reproduce** 1. Start navigation 2. Lock device 3. Hit the star button in the bottom left corner 4. See all user's bookmarks, tracks without authentication **Expected behavior** Sensitive data (bookmarks, history) should not be accessible via the lockscreen with no authentication. Changing settings should not be possible without the lockscreen password. I can see the ability to make OSM edits from the lock screen being usable to some, a toggle to disable OSM edits on while the device is locked could be made. Saved places should also not be freely visible on the lock screen map, unless they are being navigated to. **System information:** - Operating system and its version: Android 15 (GrapheneOS) - Organic Maps version: 2025.01.28-1-Google - Device Model: Google Pixel 8 Pro **Additional context** Other map applications limit what can be done from the lockscreen. Some only allow viewing the application, and any interaction asks for password. Some apps heavily limit access to any user data like bookmarks and other info.

👍 3

This repo is archived. You cannot comment on issues.