Lockscreens on mobile phones have become a poisoned chalice.
The theory is simple: after a suitably brief interval (we recommend a maximum of two minutes, inconvenience notwithstanding), your phone locks.
When you next try to use your phone, it pops up a special screen on which you need to put in a secret passcode or scan your fingerprint before you can get back in and access the apps and data on the device.
The benefits of a lockscreen are obvious: it makes it harder for a crook who steals your phone to steal your personal information as well, and it protects you from the sort of childish pranks that some so-called “friends” can’t resist playing if they see your phone unattended.
In practice, though, lockscreens have become less about locking your phone, and more about merely limiting the features you can use without knowing the passcode.
Some of these “use at any time” features are there for regulatory reasons, such as the ability to make emergency calls without unlocking the phone.
If you’re in a panic and in a hurry, the ability to dial 112 (or 911, 999, 000, etc.) without first fiddling with your passcode makes perfect sense.
But many other “use at any time” features are there purely for convenience, such as swiping on the camera icon on a locked iPhone in order to take pictures without authenticating first.
At odds with security
You can see why this sort of feature is at odds with security: every specially-programmed exception in the lockscreen is new attack surface that can be reached without authenticating, so every exception is a whole new risk.
For example, after you’ve taken pictures on a locked iPhone (a feature, annoyingly, that can no longer be turned off), you can browse and even edit them using the Photos app…
…but only the photos you just took, so that you can’t use the Photos app to sneak a look at any earlier pictures already on the phone.
In other words, the Photos app became more complicated in order to support a less powerful mode of operation.
Sadly, there are numerous other apps you can authorise to run, albeit in restricted form, from your iPhone’s lockscreen.
And each new lockscreen app increases the risk that some exploitable vulnerability will be opened up, right when you expect your phone to be at its most secure.
The risk of Siri
Historically, one of the riskiest apps to enable on your lockscreen has been Apple’s voice command system, Siri, which has been implicated in numerous lockscreen bugs and security issues over the years.
Typically, Siri-based lockscreen holes exploit the fact that Siri needs to know which voice commands are off-limits when your phone is locked.
That is a blocklist, and a blocklist fails open: anything not explicitly listed is allowed. So any errors or omissions in Siri’s lockscreen “command blocklist” could essentially turn Siri into an unofficial backdoor.
We’ve written about many such glitches before, and another one surfaced on YouTube earlier this week.
The latest security Siriness relied on a sequence something like this:
- Ask Siri to open Twitter.
- Use Siri to do a Twitter search.
- Find a tweet containing an email address.
So far, this sounds fairly harmless, and feels like a safe sequence of voice commands to permit from the lockscreen.
After all, these commands only search Twitter for data that is already posted publicly, whether by you or anyone else.
The problem was that if you had an iPhone 6S (or 6S Plus), with its new type of pressure-sensitive screen known as 3D Touch, you could then use a special way of pressing the screen on the email address in the tweet you just found.
This screen-press would bring up a context-sensitive menu giving you access to the Contacts app so you could add the new email address as a contact.
Presumably, given that this particular programmatic pathway into the Contacts app was impossible before 3D Touch was introduced, it was never identified as a possible security short-cut past the lockscreen, never tested, and never blocked.
But once you’d opened the Contacts app, you could then access the whole contact list, even though you’d started from the lockscreen and never entered the passcode.
No update required
The fix turned out to be surprisingly easy, and didn’t even require Apple to push out an iOS update. (Just as well, because the latest iOS update, 9.3.1, came out less than a week ago.)
It seems that all Apple had to do to patch against this flaw, or perhaps more accurately to work around it, was to reconfigure Siri not to process “open Twitter” commands from the lockscreen.
And that didn’t need an update because Siri’s voice processing is done “in the cloud,” not on your iPhone.
OS X’s Enhanced Dictation has the option to download a speech recognition database and do the voice processing locally, but Apple doesn’t offer that on the iPhone.
As a result, Siri on the iPhone doesn’t support local-only operation: your voice commands are always uploaded to Apple’s servers to be processed, so Apple can change what Siri will and won’t do without touching the phone at all.
Ironically, then, a cloud-based feature that was once criticised for putting your privacy and security at risk (because it processes your voice remotely) turned out to be a handy way of fixing a privacy and security bug (because it processes your voice remotely).
What to do?
Even though this trick no longer works, Siri remains a liability on your lockscreen, and so we very strongly recommend that you don’t allow it. (On iOS 9, go to Settings > Touch ID & Passcode and turn off Siri under Allow Access When Locked; while you’re there, turn off any of the other lockscreen features you can live without.)
Indeed, if you have a Mobile Device Management (MDM) product that can centrally enforce iOS security policies in your organisation, we recommend “no Siri on the lockscreen” as a company-wide setting.
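Here is what that company-wide setting looks like as an iOS configuration profile that an MDM product (or Apple Configurator) can push. This is an added example, not a profile from the article or from Apple; the payload type and the `allowAssistantWhileLocked` key are Apple’s documented Restrictions payload keys, while the identifiers, display names and UUIDs are placeholders you would replace with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Restrictions payload; this is the payload type that carries the lockscreen allow/deny switches -->
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Placeholder identifier/UUID: replace with your organisation's own -->
      <key>PayloadIdentifier</key>
      <string>com.example.mdm.restrictions.no-siri-when-locked</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000001</string>
      <key>PayloadDisplayName</key>
      <string>Restrictions: no Siri on the lockscreen</string>

      <!-- The setting the article recommends: Siri still works once unlocked,
           but the "Siri" switch under Allow Access When Locked is forced off -->
      <key>allowAssistantWhileLocked</key>
      <false/>

      <!-- Optional extras using the same payload: fewer things reachable
           without a passcode means less lockscreen attack surface -->
      <key>allowLockScreenTodayView</key>
      <false/>
      <key>allowLockScreenNotificationsView</key>
      <false/>
    </dict>
  </array>

  <!-- Outer profile wrapper -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.mdm.no-siri-when-locked</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000002</string>
  <key>PayloadDisplayName</key>
  <string>No Siri on the lockscreen</string>
  <!-- Stop users simply deleting the profile to get Siri back on the lockscreen -->
  <key>PayloadRemovalDisallowed</key>
  <true/>
</dict>
</plist>
```

Two things worth checking after deployment: on the device, Settings > Touch ID & Passcode should show the Siri switch under Allow Access When Locked greyed out in the off position, and Settings > General > Profile(s) should list the profile as installed and non-removable. Note that `allowAssistantWhileLocked` is deliberately used rather than `allowAssistant`, which would switch Siri off entirely; the point is to keep the feature but take it off the lockscreen.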
There’s a downside: you will no longer be able to do a hands-free check whether someone just mentioned you on Twitter while you’re driving.
We think you’ll be able to live with that.