Android’s new security feature actually makes it less secure

Google’s new ‘On-body detection’ security feature in Android 5.0.1 actually makes the phone a better target for thieves, but may appeal to lazy people.

I quite like some of Android’s new Smart Lock features, which appeal to my inner lazy git. Rather than make you type in your unlock PIN every time you want to check your phone, to see if your great mates have messaged you in the ten seconds since you last checked, Smart Lock uses a bit of artificial intelligence to work out if a security step is strictly necessary. For instance, if the GPS detects that you’re in a ‘trusted location’, such as slumped on the sofa at home, Android will guess that your phone hasn’t been nicked and bypass the security stage.

Of course, this raises its own ugly issues, such as ‘what if my kid gets his slimy mitts on my phone when it’s sat on my bedstand, and then buys £4000 worth of fake coins in some crappy game?’ But at least Smart Lock can be configured to suit your own personal tastes, so you can use all, some or none of its features. It’s completely up to you.

Google has added a new experimental ‘On-body detection’ feature to Smart Lock, which basically can tell the difference between your phone being laid flat on a table or sitting in your hand or pocket. If your mobile’s perfectly flat and still for two to three seconds, it locks up and requires a PIN to unlock again (or whatever your chosen security unlock method is). However, if you hold it upright or at an angle, the phone won’t fully lock no matter how much time passes (at least, it didn’t in the tests I performed).

The idea seems to be that, if your phone is vertical rather than horizontal, it must be either in your grasp or stuffed in a pocket or bag and therefore secure. Whereas, if it’s sat on a flat surface that’s not within one of your trusted places, chances are you’ve laid it down on a table in a bar or some other public joint, which makes it vulnerable to theft.

This poses an immediate problem. What if someone swipes your phone from your pocket or bag without your knowledge? The thief will then be able to gain immediate access to all of your private data and use your phone as their own, with no kind of security to keep them out. We simulated this in the office and, as expected, when the phone is lifted from a pocket and carried away, it unlocks for the thief without any PIN request.
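The lock rule described above can be modelled as a small timer over accelerometer readings. This is an added example, not Google's implementation or code from the article: the tilt and stillness thresholds and both traces are constructed assumptions, and only the two-second flat-and-still timer reflects the behaviour observed in the tests above.

```python
import math

# Assumed thresholds for this model; only LOCK_AFTER_S reflects the article's
# "two to three seconds" observation.
FLAT_TILT_DEG = 10.0   # max tilt from horizontal that still counts as "flat"
STILL_DELTA_G = 0.05   # max per-axis change between samples that counts as "still"
LOCK_AFTER_S = 2.0     # flat-and-still time before the phone locks

def tilt_deg(ax, ay, az):
    """Angle in degrees between the screen normal (z axis) and gravity."""
    g = math.sqrt(ax * ax + ay * ay + az * az)
    return 90.0 if g == 0 else math.degrees(math.acos(min(1.0, abs(az) / g)))

def lock_time(samples):
    """Return the time (s) at which the modelled phone locks, or None if never.

    samples: list of (t_seconds, ax, ay, az) accelerometer readings in g.
    """
    flat_since, prev = None, None
    for t, ax, ay, az in samples:
        cur = (ax, ay, az)
        flat = tilt_deg(*cur) <= FLAT_TILT_DEG
        still = prev is None or max(abs(a - b) for a, b in zip(cur, prev)) <= STILL_DELTA_G
        if flat and still:
            flat_since = t if flat_since is None else flat_since
            if t - flat_since >= LOCK_AFTER_S:
                return t
        else:
            flat_since = None  # any tilt or movement restarts the timer
        prev = cur
    return None

# Constructed traces, sampled every 0.5 s.
ON_TABLE = [(i * 0.5, 0.0, 0.0, 1.0) for i in range(9)]
POCKET_LIFT = (
    [(i * 0.5, 0.0, 0.98, 0.17) for i in range(5)]            # upright in owner's pocket
    + [(2.5, 0.3, 0.8, 0.5), (3.0, 0.1, 0.7, 0.7)]            # lifted out
    + [(3.5 + i * 0.5, 0.0, 0.7, 0.7) for i in range(114)]    # carried at an angle for about a minute
)

if __name__ == "__main__":
    print("on table:", lock_time(ON_TABLE))
    print("lifted from pocket:", lock_time(POCKET_LIFT))
```

Nothing in the rule identifies who is holding the phone, which is why the second trace never reaches a lock.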

So rather than making your handset more secure, Android’s new feature actually removes a layer of security, with the only advantage being that you’re not bothered so often with a pesky PIN request. I’d recommend just ignoring On-body detection entirely when Android 5.0.1 rolls out and sticking with the existing Smart Lock features, which already do a great job of limiting how often you punch in your PIN. This is just excessive laziness.