Using local security to lock down your mobile device
- 26 November, 2013 15:08
Being able to lock your mobile device is important because, in many cases, it's your first line of defense. It may not be the strongest form of security -- in fact, it's arguably the weakest -- but it could prove to be the difference in protecting your organization by keeping the device locked down until mobile device management measures like remote wiping are put into play.
Here, we cover the various locking and local security options that are available for the different mobile platforms. Choose wisely, though: each option has its own strengths, but each has its weaknesses as well.
PIN/Password Lock (multiple platforms)
The personal identification number (or password) is the most tried-and-true and simplest form of local security. Most users opt to protect their device with a PIN that is at least four digits in length, while some go for a longer, more complicated password that combines both letters and numbers.
It may go without saying, but those who care enough to make their PINs/passwords long and complex will enjoy a greater level of security here. After all, this option's greatest weakness stems from user error (or rather, apathy): lock your phone with an easily guessed password like "1234" and that's precisely the level of security you'll be enjoying.
Android Facial Recognition
Originally rolled out as a new feature of Android 4.0 (Ice Cream Sandwich), the platform's face unlock feature works surprisingly well, thanks mostly to intuitive software. As part of the setup process, the user is prompted to snap multiple photos of himself or herself using the device's front-facing camera to make the device as "familiar" as possible with their face. Taking multiple shots from various angles, with or without glasses on, and in different lighting improves the device's ability to recognize the user's face. As is the case with some of the other security features on this list, the face lock feature falls back on a PIN or other form of locking should the software fail to recognize the face in question.
Face unlock ranks high on the convenience scale, especially once users build up the device's library of facial shots to the point that it can recognize the user's face under virtually any condition. However, it ranks rather low on the security scale; so low, in fact, that the Android interface actually warns the user when setting up face unlock that it's even less secure than a pattern, PIN, or password lock.
Also -- and the software warns users about this as well -- someone with a similar face can unlock the mobile device. Even worse, someone can simply pull up a picture of your face on another device and point the front-facing camera at it to successfully bypass the face lock. Though it sounds paranoid, the latter technique has been proven to be disconcertingly effective.
Apple iPhone 5S Fingerprint Recognition
The fingerprint scanner is a new feature that was added to Apple's latest flagship smartphone, the iPhone 5S. With it, iPhone users can now use Touch ID, allowing them to use their fingerprint as a means to unlock their phones instead of the traditional password. That said, entering a password during the setup process is still necessary for "additional security validation," such as unlocking the phone in the event of multiple failed scans and scanning in new fingerprints.
Touch ID features 360-degree readability, allowing the scanner to recognize users' fingerprints no matter the angle or orientation. Beyond locking the phone itself, Touch ID can also be used to authorize mobile payments, such as purchases from the App Store or iTunes Store. While far from perfect, the security it offers is a step up from simple 4-digit passcodes that can, in theory, be guessed. According to Apple, the odds of a fingerprint other than the one that was originally enrolled successfully unlocking the phone are 1 in 50,000.
Though some users may have privacy concerns, Apple maintains that images of fingerprints are not stored, only "mathematical representations." The company alleges that it is impossible for actual fingerprint images to be reverse engineered from the representations, while password and fingerprint data are stored in and protected by the "Secure Enclave" security architecture within the iPhone 5S' A7 chip.
Android Pattern Lock
An alternative to PINs or password locks, the pattern lock on Android allows a user to trace a unique pattern with their finger over a 3 x 3 grid of dots to unlock their phone. The pattern lock is arguably more convenient than PINs or passwords, given that a quick swipe on a particular path is all that's required -- as opposed to hunting and pecking for specific keys on a virtual keyboard -- but convenience isn't the goal when it comes to mobile security.
On the surface, it may seem like the pattern lock is more secure than the traditional PIN/password lock, simply because there are few patterns that are as "obvious" as a PIN like "1234." However, given the limited number of dots and the fact that each one can only be used once in the pattern, the number of different possible patterns is in fact much lower than the different possible combinations of numbers and/or letters that can be used for PINs and passwords. The truly paranoid would argue that the fingerprint smears left on the screen could also be a giveaway as to what the pattern may be, but the real concern here is that the likelihood of guessing the correct pattern is actually higher than guessing a combination of numbers or letters.
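The keyspace comparison above can be checked by enumeration. The following is an added example, not part of the original article; it assumes Android's usual pattern rules (at least four dots, and a stroke cannot pass over a dot that has not been used yet), and the 62-symbol password alphabet is an illustrative assumption.

```python
# Added example (not from the article): size of the Android pattern keyspace.
# Dots are numbered 0..8 row by row on the 3 x 3 grid.

def middle_dot(a, b):
    """Return the dot lying exactly between a and b on a straight line, else None."""
    ar, ac = divmod(a, 3)
    br, bc = divmod(b, 3)
    if (ar + br) % 2 == 0 and (ac + bc) % 2 == 0:
        return ((ar + br) // 2) * 3 + (ac + bc) // 2
    return None

def count_patterns(min_len=4, max_len=9):
    """Count valid patterns per length; each dot is used at most once."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(last, used, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # dot already part of the pattern
            mid = middle_dot(last, nxt)
            if mid is not None and not used & (1 << mid):
                continue  # assumed rule: cannot jump over an unused dot
            extend(nxt, used | (1 << nxt), length + 1)

    for start in range(9):
        extend(start, 1 << start, 1)
    return counts

def keyspaces():
    """Pattern keyspace next to PIN and password keyspaces for comparison."""
    return {
        "pattern (4-9 dots)": sum(count_patterns().values()),
        "4-digit PIN": 10 ** 4,
        "6-digit PIN": 10 ** 6,
        "8-char password (62 symbols, assumed)": 62 ** 8,
    }

if __name__ == "__main__":
    for length, n in count_patterns().items():
        print(f"{length} dots: {n:>7,}")
    for name, n in keyspaces().items():
        print(f"{name:<40} {n:,}")
```

Under these rules the pattern count comes out below the six-digit PIN space and far below the eight-character password space.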
Windows Picture Password
The picture password, which is a feature exclusive to Windows devices, is one of the more unusual methods of locally protecting your mobile device (in this case, your Microsoft Surface). Though it shares some similarities with the ideas behind the Android pattern lock, picture password adds another layer of individuality: users select a picture of their choice and then draw a unique pattern on the image to serve as their password. The gestures involved in creating the pattern can be circles, straight lines, or taps, and where the user traces them on the image is also relevant.
Though some may find picture passwords to be a refreshing concept, the unfortunate reality is that they are far from the best choice for enterprise users. While there are some smaller concerns, like the ability to record picture passwords through malware, the biggest issue is that they are not compatible with Microsoft's Active Directory, the authentication software that is used to verify/authorize all machines on a Windows domain network.