Using local security to lock down your mobile device

Being able to lock your mobile device is important because, in many cases, it's your first line of defense. It may not be the strongest form of security -- in fact, it's arguably the weakest -- but it could prove to be the difference in protecting your organization by keeping the device locked down until mobile device management measures like remote wiping are put into play.

Here, we cover the various locking and local security options that are available for the different mobile platforms. Choose wisely, though; while each option has its own strengths, each also has its weaknesses.

PIN/Password Lock (multiple platforms)

The personal identification number (or password) is the most tried-and-true and simplest form of local security. Most users opt to protect their device with a PIN that is at least four digits in length, while some go for a longer, more complicated password that combines both letters and numbers.

It may go without saying, but those who care enough to make their PINs/passwords long and complex will enjoy a greater level of security here. After all, this option's greatest weakness stems from user error (or rather, apathy): lock your phone with an easily-guessed password like "1234" and that's precisely the level of security you'll be enjoying.

Android Facial Recognition

Originally rolled out as a new feature of Android 4.0 (Ice Cream Sandwich), the platform's face unlock feature works surprisingly well, thanks mostly to intuitive software. As part of the setup process, the user is prompted to snap multiple photos of himself or herself using the device's front-facing camera to make the device as "familiar" as possible with their face. Taking multiple shots from various angles, with or without glasses on, and in different lighting all improves the device's ability to recognize the user's face. As is the case with some of the other security features on this list, the face lock feature falls back on a PIN or other form of locking should the software fail to recognize the face in question.

Face unlock ranks high on the convenience scale, especially once users build up the device's library of facial shots to the point that it can recognize the user's face under virtually any condition. However, it ranks rather low on the security scale; so low, in fact, that the Android interface actually warns the user when setting up face unlock that it's even less secure than a pattern, PIN, or password lock.

Also -- and the software warns users about this as well -- someone with a similar face can unlock the mobile device. Even worse, someone can simply pull up a picture of your face on another device and point the front-facing camera at it to successfully bypass the face lock. Though it sounds paranoid, the latter technique has been proven to be disconcertingly effective.

Apple iPhone 5S Fingerprint Recognition

The fingerprint scanner is a new feature that was added to Apple's latest flagship smartphone, the iPhone 5S. With it, iPhone users can now use Touch ID, allowing them to use their fingerprint as a means to unlock their phones instead of the traditional password. That said, entering a password during the setup process is still necessary for "additional security validation," such as unlocking the phone in the event of multiple failed scans and scanning in new fingerprints.

Touch ID features 360-degree readability, allowing the scanner to recognize users' fingerprints no matter the angle or orientation. Beyond locking the phone itself, Touch ID can also be used to authorize mobile payments, such as purchases from the App Store or iTunes Store. While far from perfect, the security it offers is a step up from simple 4-digit passcodes that can, in theory, be guessed. According to Apple, the odds of a fingerprint other than the one that was originally enrolled successfully unlocking the phone are 1 in 50,000.

Though some users may have privacy concerns, Apple maintains that images of fingerprints are not stored, only "mathematical representations." The company alleges that it is impossible for actual fingerprint images to be reverse engineered from the representations, while password and fingerprint data are stored in and protected by the "Secure Enclave" security architecture within the iPhone 5S' A7 chip.

Android Pattern Lock

An alternative to PINs or password locks, the pattern lock on Android allows a user to trace a unique pattern with their finger over a 3 x 3 grid of dots to unlock their phone. The pattern lock is arguably more convenient than PINs or passwords, given that a quick swipe on a particular path is all that's required -- as opposed to hunting and pecking for specific keys on a virtual keyboard -- but convenience isn't the goal when it comes to mobile security.

On the surface, it may seem like the pattern lock is more secure than the traditional PIN/password lock, simply because there are few patterns that are as "obvious" as a PIN like "1234." However, given the limited number of dots and the fact that each one can only be used once in the pattern, the number of different possible patterns is in fact much lower than the different possible combinations of numbers and/or letters that can be used for PINs and passwords. The truly paranoid would argue that the fingerprint smears left on the screen could also be a giveaway as to what the pattern may be, but the real concern here is that the likelihood of guessing the correct pattern is actually higher than guessing a combination of numbers or letters.

Windows Picture Password

The picture password, which is a feature exclusive to Windows devices, is one of the more unique methods of locally protecting your mobile device (in this case, your Microsoft Surface). Though it shares some similarities to the ideas presented with the Android pattern lock, picture password adds another layer of individuality: users select a picture of their choice and then draw a unique pattern on the image to serve as their password. The gestures involved in creating the pattern can be circles, straight lines, or taps, and where the user traces them on the image is also relevant.

Though some may find picture passwords to be a refreshing concept, the unfortunate reality is that they are far from the best choice for enterprise users. While there are some smaller concerns, like the ability to record picture passwords through malware, the biggest issue is that they are not compatible with Microsoft's Active Directory, the authentication software that is used to verify/authorize all machines on a Windows domain network.
