Thursday, August 18, 2011

Android DOTS - Locking the Screen

Following the earlier post iphones-common-password-usage-risks, I have received several emails asking whether I had seen other studies or reports about security risks with the Locking the Screen (linking DOTS) feature in Android and similarly featured mobile phones, and what I thought.

It is impossible to read everything, and many studies/reports sometimes don't become available until some years after the authors produce them.

My own analysis of the reports that I have seen thus far (at this stage) is that many of the comments about Locking the Screen privacy techniques generally amount to the author acknowledging that the device has this privacy/security capability available and that it provides one method to reduce risk. Forensically speaking, authors also record the complications that arise when the restricted access mode is activated at the time the device is presented for examination. These are useful comments, but they are not fully supported by any in-depth research to define the common combinations of DOTS used by users for their numerical choice of locking patterns. That is meant to be taken in context with the common choice of PINs as suggested by the post iphones-common-password-usage-risks.

In 2010 the authors Aviv/Gibson/Mossop/Blaze/Smith produced an informed and respected report on Screen Smudges that illustrated the risk of pattern smudges on the mobile phone touch-screen being detected. It refined earlier concerns, from 2009, about smudging illustrated in posts on the Android - An Open Handset Alliance Project.

There are discursive science articles on the web about how secure Android DOTS unlock_patterns are with regard to the numerical choices for the locking code that, again, could provide useful material for more in-depth forensic analysis and study. I could carry on identifying material I have researched, but that would merely produce largely similar and repetitious paragraphs of statements listing what I found available. However, risks to users of touch-screen mobile phones may arise when entering unlock DOTS patterns, passwords and PINs, and the gaze of an attacker or hacker seeking unauthorised access could potentially turn to the less troublesome methods of gaining access, using:

i) clandestine apps/progs (WORMs etc from download or P2P) that could record user entries on the touch-screen and store the output [having forwarded it to a memory card etc] in a hidden file (so be aware of apps/progs on the handset - check eg file manager/root and change memory cards on a regular basis)
ii) using fingerprint tape on the touch-screen (so clean the screen regularly)
iii) shoulder-surfing the user's locking DOTS pattern (so the longer the pattern the harder it can be for the shoulder-surfer to memorise)
