Sophos Cloud Optix
Google must be taking pity on index fingers fatigued with all that Android unlocking.
According to Android Police tipsters, Google’s rolling out a new feature called on-body detection that uses a device’s accelerometer to determine if it’s still in your hand, purse or pocket and to lock up the mobile when it’s not.
That should foil busybodies or thieves who pick up a phone that’s been left on a table or that’s flopped out of a pocket, the thinking goes.
Here is one of the screenshots Android Police readers shared:
As the image explains, on-body detection will disable the lock screen until you place your phone down.
When you first pick it up in the morning or after setting it down, you’ll need to unlock it, but after that, it will pick up on movement and remain unlocked and ready to go when you next need it, assuming you’re not using another trusted authenticator factor.
Or, at any rate, it will be ready to go for you, or for somebody to whom you handed it after unlocking it, or for a pickpocket, or, say, a zombie.
Anybody, in short, who keeps the accelerometer happily jiggling away will be able to get at your data, according to Google’s caveat:
If you unlock your device and hand it to someone else, your device also stays unlocked as long as the other person continues to hold or carry it.
In other words, the accelerometer isn’t sniffing your pheromones to find out whether it’s you or somebody else snuggling up to it. Any movement is “keep me unlocked” movement.
It was first spotted on a Nexus 4 still running Android 5.0.1, but Android Police’s David Ruddock reports that it has now been seen on many devices, including most Nexuses.
He also says that the publication’s tipster is running the most recent version of Play Services and that the news outlet has determined that trusted places is enabled by Google Play Services, so “it seems likely this on-body detection mode is probably activated similarly, and isn’t part of the core OS.”
Android Police says not to worry if you’re not seeing it yet.
It’s seen multiple confirmations, so on-body detection looks like a real thing, albeit one that Google’s unveiling gradually.
Image of Android lock courtesy of Shutterstock.
I think this is a good idea.
As security experts it is easy to think up scenarios where the security will fail. (eg a pick-pocket who steals an unlocked phone, then keeps it unlocked with their own body movements). Just as we can come up with ways to defeat face unlock or even fingerprint sensors.
Those threat models are not the point. The point is that most users don’t lock their phone at all, or set a really long time-out, because they find it to much trouble to unlock their phone every time they use it. As security managers, we would like them to keep their phone locked at all times, but in practice most users won’t.
This is a good compromise because it means that users will actually enable the feature, and get the security without the inconvenience.
For the record, my phone is running android 5.1.0, and has the feature. I have not enabled it because I have set the lock time-out to only a minute, so it is unnecessary.
Something that could improve on this is the addition of a proximity sensor — Apple has an easy win here, as they could do this with their Watch. For everyone not having an iPhone and watch, there’s another solution that already exists: pair your phone with a bluetooth device you keep on you, and have the phone auto-lock if the two become separated. Laptop computers already have software like this available; search for bluetooth proximity lock, and you’ll find products for Windows, Linux and OS X that will auto lock/unlock the system when the keyed bluetooth device leaves/enters range.
A number of companies also sell inexpensive to very expensive low power bluetooth devices such as keyfobs that pair with your phone and could be used in this way — assuming Android/iOS include the functionality to lock based on pairing.
I’ll leave this in Google and Apple’s court 🙂
The latest versions of Android have a feature in the bluetooth settings to trust a device, and to not lock when that device in nearby.
With my phone, I have set it to trust the hands free kit on my car, so the phone will not lock when I am in the car, but will go back to locking normally as soon as I leave the car.
As you suggest, you could buy a cheap bluetooth low energy keyfob or the like, with no other purpose than to lock your phone when you are not near it.