Android's Smart Lock Won't Ask You For a Password Until You Set Your Phone Down

jfruh writes Nothing confronts you with how addicted you are to your phone more than constantly taking it out of your pocket and entering your passcode over and over again to unlock. But without fanfare, Google is releasing an Android update that might solve the problem: a "smart lock" that can figure out if your phone has been set down since the last time you unlocked it. As long as it stays on your person, you won't need to re-enter your password.

Sooo ..

[OzPeter]

If your are carrying your unlocked phone, and you get mugged and hand over your phone, then the mugger now doesn't have to enter a passcode until he/she puts it down.

Q. If your Android phone is unlocked, how easy is it to change the passcode?

Re:

[Plumpaquatsch]

You worry too much. With two factor authentication in place there's no chance the theif will be able to get the verification code!

So? That means he can't get your data "in the cloud" - but the phone is his to use

Re:

[David_W]

You may have been "Woosh!"ed here... doesn't two-factor auth usually send the verification code to your phone?

Re:

[Michael Casavant]

Depends on which method you use: SMS based, yes. Google Authenticator (well, they already have access to your phone), no. Yubikey, no.

Re:

[sexconker]

99% of all Google Authenticator use is via the app on the fucking phone.

Re:

[hsmith]

Especially now that Google uses your SMS as your two factor. So, even if the phone was locked - all you have to do is pop the SIM in another phone and boom, you have the persons 2nd factor.

Re:

[Hank the Lion]

If you put the SIM in another phone (and, thus, cycle power of the SIM) you will have to enter the PIN code before it will register.

Re:Sooo ..

[Thanshin]

It's rather worse if it gets stolen from your pocket.

What situation would make you hand over your phone but not your pass?

Re: Sooo ..

[Melbourne Pete]

I was moving at speed in a tuk tuk in Phnom Penh when my phone was stolen out of my hands by two guys on a scooter. Not sure how likely that is for most people, but you did ask.

Re: Sooo ..

[Anonymous Coward]

I've seen phones snatched out of people's hands by passing cyclists a good number of times where I live.

Phone theft may sound rare, but it isn't uncommon, and thieves know that they can just grab the phone, stuff it in a tinfoil envelope, let it sit for a week or two until the battery dies, disassemble it, then sell the screen, case, and other parts for a good amount of cash. Same thing happens with bicycles. The thieves know not to sell the bike. Instead, they disassemble it, then haul the pieces to another city or state to sell. That Shimano Dura-Ace shifting set doesn't have any serial numbers, and a lot of cyclists will buy it without asking any questions if the price is right.

Re:

[Obfuscant]

and thieves know that they can just grab the phone, stuff it in a tinfoil envelope, let it sit for a week or two until the battery dies, disassemble it, then sell the screen, case, and other parts for a good amount of cash. Same thing happens with bicycles.

I've heard that the batteries in a bike take much longer to run down, and it's hard to find a tinfoil bag big enough. But done right, yes, it's very effective.

Re:

[mjwx]

Phone theft may sound rare, but it isn't uncommon, and thieves know that they can just grab the phone, stuff it in a tinfoil envelope, let it sit for a week or two until the battery dies, disassemble it, then sell the screen, case, and other parts for a good amount of cash.

If they're going to sell the phone for parts, why wait for the battery to die? Beyond this, why not simply just remove the SIM card instead. Like a lot of ./ers you're over-thinking things to the point where you've completely ignored th

Re:

[Obfuscant]

If they're going to sell the phone for parts, why wait for the battery to die? Beyond this, why not simply just remove the SIM card instead.

If the phone has a battery you can remove it. No need to wait. But some phones don't have removable batteries. And many phones don't have SIM cards. If you just put the phone in your pocket and take it home to dismantle it, PING, you're it. Go to Jail. If you put it in a bag before you get home, you know it can't ping no matter what it is.

You're assuming the criminals are smart enough to know what a SIM is or know which phones have and have not removable batteries, or they will know for sure that the pho

Re: Sooo ..

[Afty0r]

This is one of the most common forms of phone theft these days - not the traditional "violent mugging" but the most basic form of physical robbery - grab it quickly out of someone's unsuspecting hand as they walk down the street focussed on their phone and not the world around them. Then run or bike away. I haven't known someone have their phone stolen in a "mugging-style" robbery in many years, but I personally know of four people (in London) who have had their phone stolen by this method recently.

Re: Sooo ..

[gnasher719]

This is one of the most common forms of phone theft these days - not the traditional "violent mugging" but the most basic form of physical robbery - grab it quickly out of someone's unsuspecting hand as they walk down the street focussed on their phone and not the world around them. Then run or bike away. I haven't known someone have their phone stolen in a "mugging-style" robbery in many years, but I personally know of four people (in London) who have had their phone stolen by this method recently.

It's all about risk and reward. The maximum reward is the same: One phone. The risk is much bigger for a violent crime. It takes longer. Someone might come and help the victim. The police might actually care and come after a thief who draws a knife or hits someone. The punishment is a lot higher, armed robbery + assault instead of theft.

Re:

[ottothecow]

Although anyone who is mugging you is probably going to take your phone too. At least most of the crime reports I see say something like "suspect demanded victim's phone and wallet before fleeing the scene"

Re:

[mjwx]

I was moving at speed in a tuk tuk in Phnom Penh when my phone was stolen out of my hands by two guys on a scooter. Not sure how likely that is for most people, but you did ask.

Its not exactly a secret that Cambodia is a poor nation with lots of opportunistic theives, what made you think it was safe to play with your smartphone in public.

I've lived in Thailand and the Philippines which are pretty much the same, using a phone in the open is practically asking for it to be stolen.

Re:

[Plumpaquatsch]

It's rather worse if it gets stolen from your pocket.

What situation would make you hand over your phone but not your pass?

Snap and run?

Re:

[Thanshin]

That's not a mugging. Without violence it's not mugging, it's just theft.

You don't "hand over" something to someone who snaps it from your hands.

My point being that if the guy has a knife/gun on you and tells you "give me that phone", he could just as well say "password?".

However, they don't really care, as stolen phones are sold en masse to people who don't need the pass to resell them.

Re:

[F.Ultra]

Of course he could say "hand over the password" but the difference is that I could refuse to do so. With this new locking scheme I no longer have that option. Yes I might be stupid to not hand over the password at gun point, but at least I have the choice.

Re:

[Anonymous Coward]

Or you could just give the wrong one. I seriously doubt a mugger is going to stick around to try unlocking it with the password you just gave him in the middle of a mugging. Never mind that he would have to take his eyes off you to do so.

Just give him a really long complicated fake passcode and you can be even more sure.

Oh boy. If there's anything RISKIER than giving legal advise on slashdot, it's giving this kind actual life-threatening advise. Grain of salt recommended.
Who will save you when the mugger DOES stay with you for the 3 seconds it takes to test your lie? Don't try to be a dead smart-alec. That's not how ATM pin muggings work, right? The mugger is not going to use pen and paper to write it down.

Re:

[F.Ultra]

What if you store some classified information on the phone that you know is secured by the password as long as the phone is locked. In that case you have no problem handing over the phone but might have a problem handing over the password.

Or for whatever reason you might have, the important point here is that with the phone locked, YOU have a choice of giving away the password or not. With the phone unlocked you no longer have that choice. That's simply a fact of life and not the same as saying that this is

Re:

[Plumpaquatsch]

That's not a mugging. Without violence it's not mugging, it's just theft.

You don't "hand over" something to someone who snaps it from your hands.

My point being that if the guy has a knife/gun on you and tells you "give me that phone", he could just as well say "password?".

Or he could just take it, and commit a lesser crime that takes less time and thus has a lower chance to get caught.

Re:

[kenshin33]

there's an app I saw on F-droid, that checks the device's accelerometer and locks it if it detects a sudden violent movement (snatched, falling ... etc) and locks it right away. It is availabale of course in google's play store. Pluck Lock [google.com] (there are plenty others
with that said this smart lock thing is very very bad -IMHO which is why I deactivated it completely-, it makes locking the phone a joke.

Re:Sooo ..

[amck]

Typically the power button automatically locks the phone, making it trivial to lock the phone in a hurry.

Re:

[gl4ss]

it also functions as the keylock/screenlock shortcut, so it's not going to be any use for this. otherwise the usability would be pretty poor, as you do want the screen to turn off and lock from input when you place the phone in your pocket, unless you enjoy random stuff happening.

this lock is separate from that. meaning that you can just open the screen and start doing whatever it was you were doing.

now, with these phones it would be nice to have separate real lock button.

Re:

[swillden]

you do want the screen to turn off and lock from input when you place the phone in your pocket, unless you enjoy random stuff happening.

The proximity sensor (same one that prevents you from hitting buttons with your cheek while talking on the phone) should turn the screen off and disable input without locking the screen when it senses your leg/hip.

Re:

[kenshin33]

except that polling it continuously will keep the device from going to sleep (have an impact on battery life).

Re:

[swillden]

except that polling it continuously will keep the device from going to sleep (have an impact on battery life).

It doesn't seem to have a significant impact, AFAICT. I haven't benchmarked with and without, but at leas on my Nexus 6 I didn't observe any obvious decrease in battery life when I turned it on.

Re:

[kenshin33]

I did notice partial a lot of wacklocks (Betterbattery stats) while keeping the phone in my pocket (Nexus 5, with Ambient display on and proximity check on).

Re:Sooo ..

[beh]

So, if a pickpocket picks it from your trouser pocket while you're walking along the street you quickly and easily dash after him to press the lock button on the phone while he's trying to make a getaway?

Re:

[sexconker]

Typically the power button automatically locks the phone, making it trivial to lock the phone in a hurry.

The whole fucking point of this feature is to "lock" the phone but not really lock it until the gyros determine the phone has been set down.
Letting the phone time or hitting the power button will "soft lock" the phone. You won't need a pin/face/password to wake it up until the gyros determine the phone has been set down.

Android Unlocking Sucks

[billstewart]

When I'm talking on the phone, the timer for the screen-lock should NOT be running. I frequently have calls that last more than 15 minutes, often set the phone down and use headphones during the call, and it's really annoying that after I hang up, the phone's locked. (If somebody else calls me when me phone's locked, locking when the call's done is fine, but not when I'm the one who made the call or the phone was unlocked when the call came in.)

I'm running 4.4.2 on a Samsung. The phone is provided by $DA

Re:Sooo ..

[XxtraLarGe]

Q. If your Android phone is unlocked, how easy is it to change the passcode?

You have to enter the old passcode before entering a new one, same thing to disable it altogether.

Re:

[TuringTest]

Q. If your Android phone is unlocked, how easy is it to change the passcode?

You have to enter the old passcode before entering a new one, same thing to disable it altogether.

But it's more than enough time to access all the services to which you're logged in in your browser, and possibly change your password in them.

Re:Sooo ..

[TuringTest]

So, you've never encountered a site with a "I've forgotten my password" option that sends you a mail to log in?

Anyway, it's bad enough that a thief can access all data in the logged in service even if they can't change the password.

Re:

[TuringTest]

Most of those will send an email link to the email address you had already registered with them.

And thus comes the danger of having all your logged-in email addresses accessible to whomever steals you phone, which was my original point.

Re:

[barlevg]

I assume this feature is optional. If not, there's always Cyanogenmod!

Re:

[Anonymous Coward]

There are six methods for locking your screen on my version of Android, and it is old enough to not have this Smart Lock. Which is to say, it is unclear why you go straight to Cyanogenmod before even knowing what exists in the OS as is.

Re:

[Timothy Hartman]

Only reason I can think to stick with your stock firmware is that you have to (not available for phone, on a CDMA network where you need to update with a proprietary software item that doesn't work on third party firmwares). I have seven unlock options on my GS3 and prefer to use the "None" option.

Re:

[jareth-0205]

Only reason I can think to stick with your stock firmware is that you have to (not available for phone, on a CDMA network where you need to update with a proprietary software item that doesn't work on third party firmwares). I have seven unlock options on my GS3 and prefer to use the "None" option.

Well off the top of my head I could add 'stock tends to be more reliable' and 'it's faff / risk of bricking your phone to replace the firmware'...

Re:

[AmiMoJo]

I imagine the feature is smarter than TFA suggests. Phones can easily tell if they are in your pocket or bag with the same proximity sensor they use to disable the screen when you hold them to your ear. This feature probably works like a smart watch, turning the screen on when you raise the phone up to look at it if it has been in your hand since last unlocked.

They do mention that the smart unlocking feature also supports location awareness. No need for a password if the phone is connected to your home wifi

Re:

[Anonymous Coward]

FTFA, the device displays this message when the feature is activated:

“If you unlock your device and hand it to someone else, your device also stays unlocked as long as the other person continues to hold or carry it,”

Re:

[brunes69]

Couple of mitigations

- You can disable this feature if you want

- You can also enable SmartLock which will lock the phone as soon as it gets out of range of another bluetooth device (smart watch or key fob)

- Use android device manager to lock and/or remote wipe the phone as soon as possible after the theft. My wife has the ability to lock and remote wipe my phone from her phone using Android Device Manager, and I can do the same to hers.. you should set this up.

- You could simply hold the power button in wh

Re:

[mlts]

Those are some good suggestions. I might add a few myself:

1: If your device is rooted, you can separate the password that unlocks the /data partition from the PIN that unlocks the screen. This way, you have 4-5 digits that are quickly typed in... but if a thief decides to reboot the phone or power it off, they are facing the 20-30+ character passphrase... and most newer Android ROMs only allow 30 guesses before they do an erase.

2: Enable encryption of the /data partition. This is worth mentioning.

3: T

Re:

[brunes69]

Do you have any links to how to do #1? I have never heard of this before.

Re:

[mlts]

http://goo.gl/z8ti3D [goo.gl]

From a root command line, you can do:

vdc cryptfs changepw newpass

(where newpass is your new password for the dm-crypt volume... which is your /data partition.)

There is also apps that do this as well, but you need root.

Of course, when you change your screen lock PIN, it will change the boot password, but that is a given.

Re:Sooo ..

[jbmartin6]

you should set this up

Why the hell would I want to give your wife the ability to erase my phone?

Re:

[mu51c10rd]

Why the hell would I want to give your wife the ability to erase my phone?

To remove the evidence?

Re:

[OhSoLaMeow]

you should set this up

Why the hell would I want to give your wife the ability to erase my phone?

Just in case the OP finds out about you and his wife.

Re:

[mjwx]

Couple of mitigations

Which wont do a damn thing to prevent theft.

The thief wants the hardware (which is valuable) not your personal information (which, lets face it, is completely worthless).

The first thing a thief is going to do is sell it to someone who will first reset it to factory settings so they can sell it. Your data actually makes the device worth less than a blank one.

I dont even have a password on my Android phone. The absolute worst thing a thief can do is spam from my Gmail account a

Re:

[Obfuscant]

The thief wants the hardware (which is valuable) not your personal information (which, lets face it, is completely worthless).

Uhhh, what? People bank using their phones. They have online accounts for all kinds of things. Personal data is used to commit identity theft. They SHOULDN'T let the phone browser remember passwords for places like Amazon, but they DO.

The data may be worthless to the street kid snatching the phone, but to others it can have a lot of value.

For my latest phone, I'd say the equation you propose is exactly backwards. The phone cost $40. Were I to have actually put personal account data on it, I could be out

Re:

[Eloking]

If your are carrying your unlocked phone, and you get mugged and hand over your phone, then the mugger now doesn't have to enter a passcode until he/she puts it down.

My thought exactly!

The only way to avoid entering your password too often but force it when an unauthorized person want to access your cellphone is if the cellphone can "efficiently" recognize you. The closest tech I've heard about this is Microsoft new Windows Hello system : http://tech.slashdot.org/story... [slashdot.org]

Re:

[JTsyo]

Forget thieves, how about when cops take your phone.

Re:

[swillden]

I've been using this feature for a few months now (I work for Google) and I think on balance it significantly improves my security. It means that I can set my phone to lock instantly on display timeout, with a one-minute timeout, lock instantly on power button press, and use a long, complex password... and not be inconvenienced by having to constantly re-enter a long password. This is a security win, because if I did have to enter a long password two dozen times per day, I wouldn't do it; I'd choose a simpl

Re:

[swillden]

I wonder if I can create a Tasker profile to automate that

Uh, no, this can't work. Security settings changes require password authentication, and there probably isn't an app API to change them anyway (for good reasons).

Re:

[GIL_Dude]

I've been using the bluetooth trusted device for several days now with a Microsoft Band device and it seems to work pretty well. I generally only need to use my pass code unlock once a day or so. As you said, the idea is that a thief (or border agent or police) can see it as unlocked and leave and it will lock right away when it gets out of BT range. Seems like a decent security usability trade off, but of course it isn't secure enough for everyone. Fortunately we have knobs and levers like this that allow

Re:

[shadowrat]

If your are carrying your unlocked phone, and you get mugged and hand over your phone, then the mugger now doesn't have to enter a passcode until he/she puts it down.

What phone does protect against this? AFAIK all phones will remain unlocked as long as you keep using them. If a mugger grabs any phone right out of your hand, they are going to have access to your email long enough to change key passwords and get all your info.

Re:

[exomondo]

If your are carrying your unlocked phone, and you get mugged and hand over your phone, then the mugger now doesn't have to enter a passcode until he/she puts it down.

So just drop it.

No Thanks

[dreamchaser]

I'd rather make my own security decisions. I don't need the 'AI' in my phone deciding if it's me or not.

Re:

[lesincompetent]

For as much as i can agree with you please note that we already delegate much of our security to some kind of 'AI'.
Don't need to be grumpy about it.

Re:

[dreamchaser]

Grumpy? Not at all. You wouldn't want to see that; nobody does :)

It's just an example of a solution looking for a problem and thus opening the doors to more potential problems.

Re:No Thanks

[bill_mcgonigle]

It's just an example of a solution looking for a problem

Is your claim that nobody is frustrated by having to frequently re-enter a passcode? You do realize that most people's "solution" to this problem is to have no passcode at all, right?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jbmartin6]

An excellent exercise in risk management, illustrating how security measure are only appropriate when viewed in context with risk. If there's no risk, there is no value in security measures.

Re:

[Ed Tice]

Indeed. Most of us just aren't that important. In another post, I suggested a security measure that might work. In most cases, if you get out of a bad situation with only the loss of a piece of small electronics, you made out wonderfully. A low-tech security measure that would work would be to have a hole (like some laptops do) where you can attach a lock. Then you could handcuff the phone to your wrist. I don't suggest this. I once considered getting one of those brief cases that handcuff to your wr

Re:

[gnasher719]

Worse, once the person who robs me sees that I don't have anything of value, they might get so upset that they beat the snot out of me!

Just saying: If someone threatens to hit you, there may not be clear case who is stronger, but handing over your phone is less risky, and you might get hurt even if you win a fight, so you avoid it.

But once attacked, you obviously fight back with all you have, and that may not be good news for the attacker. Average desperate druggie is not in good physical shape.

Re:

[Billly Gates]

As opposed to A I now that considers you a new person every15 seconds?

Very very annoying as my corporate policy is to lock my phone if I want access to their email. I unlock 4 to 5 times an hour!

Why opposed to this option?

Re:

[Nukenbar]

I seriously doubt that it is compulsory. I bet you can also turn it off like most new features.

Re:

[amRadioHed]

Obviously this is off by default, no one is trying to make any security decisions for you.

Re:

[doconnor]

They'll have to enter current the code to disable to feature or change the passcode, just like you do now.

umm

[Anonymous Coward]

So the locking in the pocket is stop pocket dialing.... Most of us want that feature.

Re:

[masterofthumbs]

Lock the phone as in require a password to unlock. My phone is "locked" in my pocket but not with a password, its a slide to unlock kind of thing.

horrible idea

[slashmydots]

So in other words, you'll be pocket dialing EVERYONE because now you don't have the lock screen to protect you.

Re:

[tawt]

You still have the lock screen, it's just not pin/swipe protected. You'd have to be doing some serious moves to swipe the lock screen away while it's in your pocket

Re:

[0123456]

Ditto. I had a passcode on my phone until I realized it enabled the retarded 'DIAL 9/11 WITH YOUR ASS!' feature.

Re:

[Anonymous Coward]

Oh no. Someone made an optional feature I don't like!

Re:

[richy freeway]

because half of the "apps" are malware

Thankfully, I only have the other half installed.

Re:

[BronsCon]

Don't install the flashlight that needs access to your SD card and the internet and you'll be alright.

How comforting

[sTERNKERN]

"It can also recognize faces and remain unlocked when it sees a trusted face." I would choose that 2 seconds entering my pass over facial recognition anytime.

False security

[Overzeetop]

If it only takes you 2 seconds to enter your passcode, your passcode is insufficiently secure.

Re:

[PPH]

"Was this the face that launched a thousand apps?"

On the Nexus anyway this is disabled by default

[Chrisq]

On the Nexus (and possibly other phones) this is disabled by default. You need to go to Settings->Security then "Trusted Agents" in "advanced". It will then be enabled but still won't do anything until you go to "Smart lock" in the Settings->Security "Screen Security" section and enable one or more of "trusted places", "trusted devices", "trusted faces", and "on body detection". I think the "Trusted devices" will be useful to stop it locking when in my car and attached to the hands free.

Re:

[Solandri]

Smart lock is actually too lenient. It'll auto-unlock if it's in a trusted location or connected to a trusted device (e.g. bluetooth headset). The apps which provided similar functionality in Jelly Bean did it right. The first time you used the phone when connected to a trusted device or in a trusted location, you had to unlock it. After that, the app kept the phone unlocked until it left the trusted place or disconnected from the trusted device.

Lollipop's smart lock will auto-unlock the moment the t

Re:

[BronsCon]

Not so. In fact, you can tap the unlocked lock icon on the lock screen to re-lock the phone, even if you're in a trusted location or connected to a trusted device. Leaving, then returning to that location does, in fact, not automatically unlock the phone; you still have to unlock it once, and you can still re-lock it if you so choose. I don't use trusted devices (the only one I'd use is my smartwatch, which someone can just steal along with my phone), so I can't speak for whether those auto-unlock or not, b

Re:

[jrumney]

Trusted devices is useful for avoiding the driver distraction issue of having to enter my password when I want to read and post to Slashdot while I drive. Having it recognize my Home and Work Wifi networks would be far more useful than this body motion detection.

good idea

[johnsmith2708]

I think, it is a good idea, from google, because, I have a lot of troubles with my phone in the pocket

Great Compromise Solution

[Ed Tice]

Already most of the comments indicate that this is less secure than having to reenter a pass code after a half a second of inactivity. Different users have different levels of security needs. My guess is that most people don't even need a pass code. It really doesn't provide security against anything other than casual eavesdropping. If you have *real* security needs, you have to have tamper-reactive devices. What *would* be a good solution (probably effective against all but state actors) would be a wa

This is more secure for most people

[Overzeetop]

I might actually consider a passcode if I had this feature. As it is, I don't have a passcode on my phone because it's too big of a hassle. Any passcode which is sufficiently secure will be simultaneously too complex to enter every time you unlock your phone. I struggle with this using my password manager. I had to simplify my master password just to make it usable on my phone since typing in a 24 character password with upper/lower/numerical/specials on a phone is annoying at best. I'm back down to a 10 ch

Re:

[jbmartin6]

Very true, I just went through this with my bank. They just switched everyone over to username/password only, and I had to downgrade my password so I could use it on the phone. I did the same with my home wifi passphrase. I wonder how much of the recent 'failure of passwords' is due to the limitations of password entry on mobile devices.

I solved this problem 3 years ago with

[DRAGONWEEZEL]

Tasker and Secure settings.

Tasker keeps my phone unlocked IFF I'm at home, or in my car. Once my phone leaves those areas, it automatically locks, it's super easy to program, and super easy to use (since I don't have to do anything at all).

I also have tasker shut the phone down at 7% energy if I don't push a special notification button, this way if I need to make a call, I still have enough juice to power up, and get 20 min. of talk time.

Re:

[GuldKalle]

So I just need to hold your phone outside your house to unlock it?

I'd really like a variation of this where I only had to enter my password once when I get home, and then it stays unlocked until I leave the house again.

I see

[nospam007]

Hands up! And don't drop your phone!

Just a stopgap

[GrahamJ]

Until every phone has a fingerprint sensor.