A new feature in Android keeps your passcode protected smartphone unlocked when it’s on your body — a move that reduces the hassle of typing a passcode but also leaves devices exposed to muggers.
If you’re diligent about securing your Android smartphone, you’ve probably configured the device to require a passcode as soon as you hit the power button. That’s good practice but it can get tedious if you receive loads of notifications or just feel the need to check your phone frequently.
Apple has smoothed over this process with its Touch ID fingerprint scanner, while Google, without the aid of a fingerprint scanner on all Android devices, has developed Smart Lock — a collection of authentication methods using the camera for facial recognition; GPS for location-based authentication; Bluetooth to authenticate via trusted devices such as an Android Wear watch or car; and NFC for trusted tags.
Smart Lock is not available on all versions of Android or all hardware, but where it’s supported it can cut down on passcode fatigue.
The latest addition to the Smart Lock family is motion-based authentication, which relies on the device’s accelerometer to deduce when a phone that has been unlocked, is probably being carried by the rightful owner. So if a person unlocks their phone, hits the power button and slips the phone into their pocket, it remains unlocked the next time they pull it out. That’s one less time they need to type in their passcode.
Google quietly introduced the new feature recently, which was first noticed on Nexus 4 phones running Android 5.0.1 as well as devices running Android 5.1 — the most recently updated build of Android 5.0 (Lollipop).
The feature was first reported by Android Police and appears to have been introduced via an update to Google Play Services (GPS), meaning the feature could roll out to most Android devices since it’s not tied to the core OS.
The new feature isn’t strictly designed to improve security but rather to make authentication less of a pain for those who want to protect their information from intruders who have physical access to the hardware.
In this way, the feature makes it less cumbersome to enable passcode lock — which is a good thing — but it also could render auto-locking a useless feature if a mugger nabs the hardware.
Google highlights a few caveats.
“On-body detection can't tell whose body is connected to on-body detection. If you give your device to someone else while it's unlocked, your device may stay unlocked using on-body detection. Keep in mind that on-body detection as a security feature is less secure than a pattern, PIN, or password. Someone who takes your phone while it's unlocked with on-body detection could access it,” it notes.
In other words, if you’ve enabled the feature and you get mugged for your phone, there’s a chance the device will stay unlocked.
For those that want to protect the information on their device is privy to, they could always use Android Device Manager to remotely wipe the device.
However that won't stop a thief from initiating a factory reset and subsequently claiming ownership of the hardware.
It's unclear how the feature would play out with Google’s Device Protection that came with the recently announced Android 5.1. The feature could prevent a factory reset if the device was set up with a passcode lock.
Once enabled, the device will remain locked until the user signs into their Google account. It will stay that way even if a thief or finder attempts to return the device to factory settings. The requirement of knowledge of the Google account credentials thwarts the thief who simply wants the hardware.
Android hardware that does support Device Protection will be able activate the feature remotely via Android Device Manage.
Read more: Spooked by big-name hacks, executives ignoring surge in internal security breaches
However, an early reviewof Android 5.1 by Ars Technica showed that the Nexus 6 and Nexus 9 supported Device Protection but the Nexus 5 did not.
This article is brought to you by Enex TestLab, content directors for CSO Australia.