Schneier on Security
A blog covering security and security technology.
« Dropped USB Sticks in Parking Lot as Actual Attack Vector |
| Hacking BMW's Remote Keyless Entry System »
July 12, 2012
All-or-Nothing Access Control for Mobile Phones
This paper looks at access control for mobile phones. Basically, it's all or nothing: either you have a password that protects everything, or you have no password and protect nothing. The authors argue that there should be more user choice: some applications should be available immediately without a password, and the rest should require a password. This makes a lot of sense to me. Also, if only important applications required a password, people would be more likely to choose strong passwords.
Abstract: Most mobile phones and tablets support only two access control device states: locked and unlocked. We investigated how well allornothing device access control meets the need of users by interviewing 20 participants who had both a smartphone and tablet. We find all-or-nothing device access control to be a remarkably poor fit with users' preferences. On both phones and tablets, participants wanted roughly half their applications to be available even when their device was locked and half protected by authentication. We also solicited participants' interest in new access control mechanisms designed specifically to facilitate device sharing. Fourteen participants out of 20 preferred these controls to existing security locks alone. Finally, we gauged participants' interest in using face and voice biometrics to authenticate to their mobile phone and tablets; participants were surprisingly receptive to biometrics, given that they were also aware of security and reliability limitations.
Posted on July 12, 2012 at 12:59 PM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Also, if only important applications required a password, people would be more likely to choose strong passwords."
Not the people I know. They reuse the same 6-10 character purely numerical or purely alphabetical sequence for every website, no matter the importance of the data.
Apple has gone a little ways towards this. You can use the camera on an iPhone without entering the password.
I think this is just to provide faster snapshots when your dog or baby does something funny.
My Android phone has a pattern lock, but still allows an emergency call to be made by someone who doesn't know the pattern. So it isn't *quite* all or nothing.
You can also answer the phone without a passcode and set alerts to show up on a locked screen based on application in IOS
iOS has parental controls are available. They might not be a match to every user requirement, but they're certainly more than "all or nothing"
Yeah, that would be really nice. I see all these cool lock screen customizations for Android, but you either have to enter a password to see the lock screen (which just doubles the amount of time it takes to get into the phone) or not have a password at all (which leaves all your data free to anyone who picks up your phone.
@Joe Buck: I know on my last BlackBerry, you very annoyingly couldn't turn *off* the ability to make an emergency call. That was a feature I really wanted after the third time I got woken up in the middle of the night by a 911 operator calling me after my toddler had found my phone and done the only thing he could possibly do (besides attempting to brute-force my password and bricking the BB after 10 fails)
My son's older and wiser now, but adding the capability of more granular security settings always seems like a good thing.
I saw some Bada phone which allowed some operations (like playing games) but required password for access to "personal" data like logs or contact list. Don't remember in details how they defined personal.
With Visidon Applock for Android, available in Google Play for free, you can use face recognition with the applications you choose to protect
Guess they wouldn't like WhisperCore full phone encryption in the off state, and a 20 character (the max on Android) lock screen then, LOL. It's security, just do it, or pay the piper...but I get it, 'we' think differently. I have a podcast app (BeyondPod) that can sit on top of the lock screen. I think that is an even better choice: pick the apps you want to be unprotected, not the other way around...they'll choose poorly.
Aren't these guys pretty much stating the obvious ?
The problem I see here is not so much the lack of apps/add-ons that provide more granular access control to Android, iOS, BBOS, Symbian et al, but rather its users being blissfully unaware of their existence, features and the many good reasons to have them. As in the case of the girl in our bar yesterday evening who just had her iPhone stolen and had zero idea of complex passwords, Find my iPhone, remote wipe, iCloud/iTunes backups etc. etc.
@lazlo - the ability to make emergency calls is critical and should *NEVER* be disabled. I'm worried that a child is left unsupervised for long enough that they can find a mobile and make a call. What else could they have been doing in that time? Electric sockets, medicines and sharp objects spring to mind - and if you can keep them out of the child's reach then why not your phone?
Safety vs. Convenience is a tradeoff just like it is with security. If I don't want the emergency dialer capability, then I should be able to disable it. The only time my phone's emergency dial option would probably ever see legitimate use is if I became incapacitated and a Good Samaritan™ tries to use my phone to get help. It's my phone, my choice.
I'll start believing that ACLs make sense (and this is what we are really talking about) when someone demonstrates (1) an every-user-friendly mechanism for deploying them and (2) that people will care enough to edit them.
Technologists have been promulgating & deploying ACLs for decades, but AFAICS they are still not widely used.
It's nothing really new. I bought a fairly cheap Samsung phone (may its soul rest in peace) around 5 years ago that required a reasonably long PIN to access the messages, contacts list and some other stuff even when the phone was in standby mode.
There were no proper I/O ports on it, so bruteforcing the device would have been extremely difficult. Other important stuff was provided by applications that were password-protected, and also difficult to copy from the phone's internal storage.
It's all about how you configure the device, and deciding beforehand what kind of data should be stored on it.
I'm worried that a child is left unsupervised for long enough that they can find a mobile and make a call.
I'm guessing you haven't got children of your own. They are faster and sneakier than you think. And cell phones aren't dangerous objects we child-proof in the same way we child-proof household dangers.
That all being said, you're correct that the ability to make emergency calls should always be available.
Just like with desktop apps, mobile apps should have the ability to be additionally protected beyond just the security of the device. Whether this is password or biometric, some apps (like notes I have that have some sensitive info) should be additionally protected. Since most phones have scan capability and have a camera, why not have biometric (fingerprint or picture) security? It may not be foolproof, but it's a lot better than nothing, and would probably be better than the mobile passwords that are not usually as complex as desktop passwords.
"may its soul rest in peace"
I like that. Nice one :)
Oh yes please! My office email requires a pin on my entire phone. So everytime I want to check the weather, my personal email, text my wife, play a game or generally do the other 99% of things on my phone that doesn't involve the office email I am still forced to enter the pin.
I would be more than happy to enter a pin for just the office email.
"may its soul rest in peace"
I like that because I think you meant:
Samsung made in Korea, Capital is Seoul, sounds like Soul --> may its soul rest in peace ...
I am currently using APG (Andriod Privacy Guard) and the K-9 email client for email encryption on my Samsung smart phone. The combination works just fine. However, messages have to be encrypted in-line. The APG application does not support PGP/MIME.
Looking on the Web.. it would appear that the APG app is no longer being developed. Has anyone an update regarding this??
I hadn't thought of the Seoul thing. Well spotted.
I wrote a speculation piece a couple of years back, about how - once you get to a point of having ubiquitous wireless networking with decent bandwidth - you'd actually be better off having a smartphone form-factor thin client rather than something with local storage; this led to an idea of building smartphone functions on top of a full-blown Solaris Trusted Extensions environment, so that different sets of contract entries could be made available to different apps, bluejacking could be prevented by Bell-LaPadula and relative labelling of Bluetooth, VoIP and contacts apps, etc. Sandboxing capabilities are doing a fair job of standing in place of full labelling (with privilege and RBAC on top), but I note that various apps I use already implement their own secondary authentication mechanisms (in the form of another password, which has to be typed at app launch time).
I see the merit of voice recognition for entering a password hands-free (especially when looking to return a missed call while driving), but I can also see speech reconition technologies getting tied in knots when being asked to recognise a "traditional" strong password; if 'phone vendors set their password mechanisms to do the "correct horse battery staple" thing, that would be further real progress.
@ Dave Walker
I see your points. I don't think a full-blown Trusted Solaris type thing is the right approach. Academic moved away from that type of stuff toward capability systems & desings that use fast microkernels. We have stuff like that on the market. We have complementary stuff in academia that can be combined with it to make a more effective solution. I think that's the direction we should go in.
To me, the monolithic approach many phones are using IS the problem, as it undercuts easier approaches to privilege management.
Just as a sort of FYI: My phone has a password, but allowed me to use the camera without entering it. This was very nice as entering a password on this thing is a real pain just to take a quick picture.
Now, my phone is "upgraded" to the ice cream sandwich and that feature is gone. I sure miss it.
Ruimaninfo's Application Protection - for Droid 2.2+ - does a decent job, IMHO, of protecting individual apps and other functions, like Settings. (Not to mention the price is right!)
its not that hard. Just make a nice, fun app with good graphics and the smartphone is your oyster.
My samsung Galaxy S3 actually has the ability to make 'emergency calls' without entering the password. The list of emergency numbers have to pre-programmed though, but still useful to have.
theme: convenience always trumps security
Keyless entry using your phone.
put all your eggs in one basket.
1.)you are on the train
2.)you discover your phone is stolen
3.)difficult to get to your home
with keyless entry
4.)difficult to contact someone to
protect your home
5.)social network shows your address
6.)keyless entry app makes it easy to enter your home without fear of alerting suspicion.
7.)criminal is wearing an 'official
looking uniform' and says he is an
agent given the phone
8.)neighbor tries to contact you and you are incommunicado on the train/remote location.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..