Removing “Forgot Password” Functionality from Android in the Name of Security!
I recently watched this Defcon 20 talk from 2012, called “Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data“. It’s a good watch and I highly recommend it.
At one point, they were talking about mobile device encryption and the different “back-doors” that each OS maker has in its phones. The one that really stood out to me was the way Google does it with Android, mainly because I have an Android phone.
On the unlock screen with Android, if one enters their password incorrectly enough times, they are presented with a “Forgot Password” dialog which asks for the device’s Google account credentials. If the user enters the right username/password combination, the passkey is removed from the device, and they’re allowed in. Now, normally this functionality is quite helpful for everyone. Say you forget your password, you can easily unlock it without problems. Cool.
Now, here’s another example (like the one in the talk). A public servant gets hold of an individual’s mobile device that’s been properly encrypted with the built-in Android encryption. The way they can “backdoor” into the device is by simply contacting Google, having them set the owner’s Google account password to something new – something the agent knows – and *poof* goes the lock screen.
This backdoor didn’t really sit well with me. While it’s nice to have that functionality to unlock my device if I forget my password, knowing that Google has the power to unlock my device is worrisome. But wait a minute… Android is Open Source!
I took it upon myself to peek into the code to see what I could find out about this. Searching for “Forgot Password” on one of the many Android code websites, I was presented with these two source files:
keyguard_screen_unlock_portrait.xml (there were a few different ones for different screen sizes and landscape lock screens).
KeyguardAccountView.java
The XML file is simply the layout of the lock screen. While editing it would remove the “Forgot Password” button, the functionality itself would still be inside the OS. KeyguardAccountView.java, on the other hand, has the following function:
This runs after the login credentials have been validated by Google, and is responsible for actually clearing out the lock screen key. Inside the if (success) branch, it first removes the permanent lock from the device (I’m assuming this is the lock applied after too many incorrect password attempts), disables the lock, and then nullifies the lock pattern. Once those run, it shows the user a new screen to set a new lock code if they wish. They can easily back out of that screen and are brought to the Android Home Screen.
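As an added illustration (not code from this post or from AOSP), here is how the post-validation branch described above could be gated behind an owner-controlled setting, so that valid Google account credentials alone no longer clear the device lock. The LockPatternUtils method names and the ChooseLockGeneric class follow the Android keyguard of that era and are assumptions; ALLOW_ACCOUNT_UNLOCK is a hypothetical Settings.Secure key.

```java
// Added example, not from the post or from AOSP. LockPatternUtils method names
// and the ChooseLockGeneric target are assumed from the Android 4.x keyguard;
// ALLOW_ACCOUNT_UNLOCK is a hypothetical Settings.Secure key the owner could
// toggle from the security settings menu.
import android.content.Context;
import android.content.Intent;
import android.provider.Settings;
import com.android.internal.widget.LockPatternUtils;

public class AccountUnlockHandler {
    // Hypothetical setting: 1 = allow the Google-account fallback, 0 = refuse it.
    static final String ALLOW_ACCOUNT_UNLOCK = "allow_account_unlock";
    static final String LOCK_PATTERN_PACKAGE = "com.android.settings";
    static final String LOCK_PATTERN_CLASS = "com.android.settings.ChooseLockGeneric";

    private final Context mContext;
    private final LockPatternUtils mLockPatternUtils;

    public AccountUnlockHandler(Context context, LockPatternUtils utils) {
        mContext = context;
        mLockPatternUtils = utils;
    }

    /** Returns true only if the device lock was actually cleared. */
    public boolean onAccountCheckResult(boolean credentialsValid) {
        if (!credentialsValid) {
            return false; // wrong Google credentials: leave the lock alone
        }
        // Default of 1 keeps the stock behaviour; an owner who opts out sets 0.
        boolean allowed = Settings.Secure.getInt(mContext.getContentResolver(),
                ALLOW_ACCOUNT_UNLOCK, 1) == 1;
        if (!allowed) {
            // Owner opted out: a successful account login is not enough to
            // remove the lock, so the keyguard stays up and nothing is changed.
            return false;
        }
        // Stock sequence described in the post: lift the permanent lock,
        // disable the lock, then nullify the stored pattern.
        mLockPatternUtils.setPermanentlyLocked(false);
        mLockPatternUtils.setLockPatternEnabled(false);
        mLockPatternUtils.saveLockPattern(null);
        // Offer the "choose a new lock" screen; the user may back out of it.
        Intent intent = new Intent();
        intent.setClassName(LOCK_PATTERN_PACKAGE, LOCK_PATTERN_CLASS);
        intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        mContext.startActivity(intent);
        return true;
    }
}
```

The check belongs before any call that alters lock state, so that a password reset performed on the account side cannot reach the device-side clearing sequence when the owner has opted out.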
I think this ability should be something the owner can disable, along with the ability of Google to push applications to the device. I like Google, but having the option to disable these really would make me feel better.
I’ll keep this page updated if I am able to gain traction on finding a solution to allow Android owners to disable this functionality.