Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: Android: pattern security lock vs. 4 characters PIN from a security side
From: Tyler Oderkirk <tyl.erod.e.rkirk () gmail com>
Date: Wed, 15 Sep 2010 22:16:28 -0400

On Tue, Sep 14, 2010 at 2:27 PM, Sven Aluoor <aluoor () gmail com> wrote:
Is "pattern security lock" more secure than a strong 4 characters PIN
(I used it on iPhone)?

sven,

i haven't seen any serious analysis of android's "pattern" password
scheme but your question made me think of this story:
http://phandroid.com/2010/01/11/motorola-droid-lock-screen-flaw-allows-full-phone-entry/

the story and comments refer to three interesting vulnerabilities:

1. hitting "back" on android during an incoming call grants access to
the home screen (fixed by now i'm sure)
2. cancelling an "emergency" (e.g. 911) call on blackberry dismisses
the password prompt (unconfirmed, from the comments)
3. emulating a "multimedia cradle" by placing a small magnet near the
back of an android will unlock it (unconfirmed, from the comments)

lastly, i've seen a friend's up-to-date blackberry fail to obscure his
password as he types it under a certain condition.

because smartphones are relatively new technology i suspect that many
such trivial password-bypass vulnerabilities remain.

an aside for the software engineers: pc-based screensavers have had a
bumpy ride too. jamie zawinski (jwz) of netscape/xemacs fame wrote
xscreensaver. it's the default screensaver on many of the big linux
distributions. he wrote some insightful notes on the practical
application of 'the principle of least privilege' in the *nix world at
http://www.jwz.org/xscreensaver/versus-xlock.html

take it easy,

-tyler

-- 
"Perfection is achieved, not when there is nothing left to add, but
when there is nothing left to remove."
    - Antoine de Saint-Exupéry
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]