When phone is locked and I'm inputting the PIN, there's a visual feedback on each keytouch, some sort of ripple animation around the key.
Not very secure :)
How can I disable that?
Edit:
Device - Lenovo Moto X Play, not rooted
OS - Marshmallow 6.0.1
Apps tried:
Hi Locker - Your Lock Screen - Free version pop ads on unlock - unusable
GO Locker - theme & wallpaper - Slow
Locker Master- DIY Lock Screen - Buggy
ZUI Locker-Elegant Lock Screen - Doesn't solve the initial problem
Answer
Your concern from a security point of view is very valid for these two reasons:
Password can possibly be guessed by somebody who repeatedly and closely watches you swipe pattern or key PIN by following the ripple pattern
Smudge Attack Wikipedia entry says:
A smudge attack is a method to discern the password pattern of a touchscreen device such as a cell phone or tablet computer .... The smudge attack relies on detecting the oily smudges left behind by the user's fingers .... Under proper lighting and camera settings, the finger smudges can be easily detected, and the heaviest smudges can be used to infer the most frequent user input pattern (the password). The researchers were able to break the password up to 68% of the time under proper conditions.
(emphasis supplied)
Commonly advocated counter measures against smudge attack are
Wipe the screen after every unlock, (impractical as it may sound) ;
Use a high quality oleophobic screen protector to minimise smudges, in addition to wiping after every unlock
There are two ways of mitigating security risk-using apps for un-rooted devices and other means for rooted devices
Un-rooted Devices: Since Lockscreen mechanism is a part of the core security of Android devices , apps can't interfere or modify it's functioning . These apps take the approach of asking the user to set the lockscreen security to none and then impose a lockscreen design of their choice, in effect, a layer on top of disabled lockscreen. One such app is Hi Locker which is a lock screen app, offering a lot of features. Relevant to this question are
Pattern Lock: This allows you invisible mode in security options. This mode hides the ripples. Which means the typical trailing lines joining the dots are not shown. However, this is a risk from smudge attack view, unless you change the pattern very frequently
PIN Lock: This allows you to set a Random keyboard in security settings. With this the keyboard changes with every lock / unlock, and is recommended for security against prying eyes and smudge attack. Screen shots below show this on consecutive lock / unlock-note the randomized digit placement
Rooted Devices: This takes the approach of directly modifying the lockscreen functionality of Android, without using any apps. I am aware of one method and there may well be more. This is based on scrambling the key board while entering PIN. This requires Xposed framework to be installed and Gravity Box module to be installed. This module aside of tons of features offers means to PIN scramble (under Lock screen tweaks). This PIN scrambling feature is similar to the one shown in the above method as far as user interface is concerned.
Since rooting tag, xposed-framework cover related aspects, specifics to OPs device are not covered here. OP can study them and if need be ask a separate question
OP's device is not rooted but has indicated in comments that he is willing to root the device to meet his requirement . Rooting without fully understanding the risks could be a bigger risk. IMO, rooting the device and taking adequate precautions to safeguard against the risks is highly worth it. It is up to OP to decide which course but using app based method to start with could be a good start.
Edit: I just noticed your edit, which shows that the free version of app is unusable due to ads. Unfortunately, Free always comes with a price tag of ads as far as apps go ( There ain't no such thing as a free lunch at play !). So your options are limited to a) buying the pro or buying an ad blocker for unrooted devices b ) searching for other apps from the list at serial 1 on notes below c) Root your device and use Gravity box or flash a ROM that has this feature inbuilt (understand CM 11 , which is quite old has it - I am not aware of other ROMs)
There isn't much one can do about that, unfortunately
I have been searching and there appears to be no free without adds. Also searching for timepin throws up similar apps which modify PIN based on current time in various configurations. But all of them are ad supported.
Additional Information
Where to find a PIN lock screen that scrambles the keypad on every use? a related question on scrambling PIN lists out some other apps as well, which have not been tried by me.
There have been feature enhancement requests to Google to include this as a default feature in Android OS for long. Issue 10496: Randomize screen lock pin keypad option was opened in 2010 and closed in 2014 ; Issue 74338:Option for keypad number randomizer on lock screen settings to increase PIN entry security was opened in 2014 and closed in 2015 ; Issue 181566: Option for keypad number randomizer on lock screen settings to increase PIN entry security was opened in 2015 and thankfully is still open - head over there and star it to support or leave a helpful comment - I just did and there are less than 10 folks supporting- do your bit !
Answer here to Touch Screen Password Guessing by Fingerprint Trace from Security SE , wiki on smudge attacks and other net searches reveal a product by Whispercore, which seems unavailable now
No comments:
Post a Comment