Using his new Galaxy S8, Davey Winder contemplates whether security is as smart as the phone it’s running on

PC & Tech Authority - Davey Winder

I’ve recently added a Samsung Galaxy S8+ to my collection of smartphones. Mainly because, at the time of writing, it’s quite simply the best smartphone available on the market. Sorry iPhone lovers, but until the iPhone 8 hits the shops and we can compare the two handsets, that’s the honest truth.

I was also keen to put the triple-lock of security smarts included with the S8+ to the test: fingerprint, iris and facial recognition for user authentication. All three had come under some negative scrutiny before the device was even available for pre-order. This being the real-world section of the magazine, and me having seen it all before during almost three decades covering IT security issues, I thought I’d put the features to the test to see if there was any merit to the claims being made.

So, let’s start with the fingerprint authentication. Right off the bat I will stand up and admit that I think the combination of a long (10-digit minimum) PIN or password and a fingerprint is far and away the best method of securing your smartphone against unwanted access from those who have physical access to the device. Not perfect, no, and it can be defeated if someone also has access to your finger or a latex version of your fingertip. In 99.9% of real-world scenarios, however, neither is going to happen, so you can relax.

Funnily enough, though, most of the negativity about the fingerprint feature on the S8/S8+ hasn’t been security related at all, but rather design-orientated. The complaint being that the positioning of the scanner alongside the camera lens on the reverse of the device somehow makes it impossible to use without first smudging the camera.

Seriously? I have pretty fat fingers and haven’t managed to do this once yet, for a couple of reasons. First, I looked to see where the scanner was located and then used the connection between my brain and my finger to position it in the correct place. It really isn’t difficult. However, if this still remains too much effort for you then invest in a protective case. I’m using the rather excellent – if not cheap – Samsung LED view case, which, like many others, has a physical separation between the flash/heart-rate scanner and camera bit and the fingerprint scanner bit. This makes it all but impossible to misjudge the position of your finger.


You could just use the iris scanner, and hardly ever have to use the fingerprint option at all. Ah, I hear you say, didn’t those clever hackers demonstrate how easily this could be fooled by a photograph of the eye? Yes, they did, by taking an infrared image of the user’s eyeball (so an infrared camera lens was needed) and printing it with a specific printer (only one gave repeatable results) then overlaying it with a contact lens. So, clever chaps, does this make it an insecure method of authentication for your phone?

In the clear majority of real-world scenarios, no, it doesn’t. The would-be hacker must have taken a photograph of your eye and have physical possession of your phone. To achieve both they would either be someone you are very close to (in which case, there may well be much easier methods of peeking at your text messages), or you’d need to be a very attractive target to justify the effort.

In the latter case, I’d suggest you need to protect data so that even an authenticated user needs to bypass a second security layer to access anything useful. AppLock provides such a tool, and if used in “advanced mode” it’s all but impossible to circumvent without knowledge of the master passkey. It’s a good solution for a multilayered approach to smartphone data security and privacy. You can choose which apps, and what data, are valuable enough to protect in this way and leave the rest unlocked. You can even have a randomised numeric pad so that snoopers can’t determine your PIN by shoulder surfing.

I like it. Especially now that it supports fingerprint unlocking. So, you can have iris authentication as your primary security layer, and if someone did manage to circumvent that they’d need your fingerprint to progress further. AppLock can also prevent uninstallation of the app itself; even force-stopping can be disabled.


This leaves the facial recognition option on the new Galaxy range. This is, without doubt, the fastest in use. Not that iris recognition is a slouch, nor fingerprints for that matter. However, if a second or two is critical to you – the need to take a chill pill aside – then facial is the quickest.

On paper, it’s also the least secure of the authentication triumvirate. It wouldn’t be able to distinguish between identical twins – well, duh. Some have claimed it can be fooled with a high-resolution photo, but I’ve been unable to recreate this myself. Again, coupled with a secondary layer of protection, it should be sufficient for most users in most scenarios.

What you should take away from this is that no matter how clever the security features of your device, there are always clever people out there looking at ways to break it. You should also understand that once a would-be hacker has physical access to your device, any device, then it’s likely game over if that attacker has access to the necessary resources to slurp your data out of the thing.

But – and it’s worth repeating – if you have no lockscreen security then your data is wide open to anyone who, even fleetingly, gets hands-on with the device. Every layer you add makes it harder to compromise your data and privacy. So always use a PIN at the very least, and make it longer than the four-digit defaults. I find a 10-digit PIN is easy enough to remember – especially once muscle memory starts to kick in – or you could step up to the next level and use a long-ish, random password instead.

Whichever you choose, add another layer using the biometric functionality of your phone. All the biometric authentication methods will require a PIN/password fall-back, which kicks in when you restart the phone for example. Then, because two is never enough, add something else such as the AppLock option to further frustrate an attacker. The fourth layer, by the way, is full device encryption, which should also be a given whether or not your particular phone and Android version combo is forcing it upon you.


What else can you do to improve your smartphone security posture? Well, there are plenty of best-practice security basics that apply as much to your phone as they do to your desktop or laptop. In light of the recent WannaCrypt0r attacks, which only infected machines running Windows in one guise or another (so Android or iOS users needn’t panic), there’s one clear lesson to be learned: keep on top of security updates.

That really does apply to your phone as well, although it can be easier said than done at the OS level. iOS users will be content knowing that when Apple rolls out an update, they all get it. Android users are less fortunate. If you have a Google-branded device that’s running a recent vanilla version of the OS then you’ll receive monthly security updates as they become available. The same should apply to most premium devices: for example, my Samsung S8+ has a security patch from three weeks ago.

What it doesn’t have, and won’t have until Samsung determines it’s stable enough with the company’s own TouchWiz system that runs on top of it, is Android 7.1. Instead, it’s sitting on version 7.0, despite being a brand-new device. These updates are pretty much out of your control once your hardware purchase decision is made. What you do have control over is updating the apps you’re running, and these should be kept up to date for security reasons as well as for access to new features.

And talking of apps, be careful what you download. I know that’s a bit twee, but it matters. While both Apple and Google do their best to keep unsavoury applications out of their respective app stores, both have made mistakes. As a result, privacy-busting apps, adware and sometimes even malware have made it past the bouncer (literally, in the case of the Play Store) at the gate. That said, downloading from the official stores is your best way to avoid malicious apps of any flavour.

As far as the later versions of Android are concerned, I’d recommend making good use of permissions vetting. You can see exactly what permissions an app is asking for before you install it. Ask yourself why a finance app needs access to your text messages; heck, ask the developer. If neither of you can reach a convincing answer, don’t install it. The same applies when an app is updating: you’ll be shown any permission changes and can review them before installing a new version.
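The permission vetting described above can also be done outside the store UI, by reading the permissions an app declares in its AndroidManifest.xml and checking them against a watchlist of personal-data permissions, then comparing two versions of the manifest to see what an update adds. The script below is an added example, not code from the column or from Samsung/Google; the two manifests are constructed samples for a hypothetical "finance" app (package name com.example.finance), and the SENSITIVE watchlist and its descriptions are my own choice of permissions worth questioning. It assumes the manifest has already been pulled out of the APK (tools such as aapt or apktool can do that) and is available as a string.

```python
"""Vet an Android app's requested permissions from its AndroidManifest.xml.

Added example: the manifests are constructed samples for a hypothetical
finance app, and the SENSITIVE watchlist is an illustrative selection.
"""
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: version 1 of the app's manifest.
MANIFEST_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.finance">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
</manifest>
"""

# Constructed sample: version 2 of the same app, as shipped in an update.
MANIFEST_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.finance">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Permissions that expose personal data. A finance app asking for any of
# these is the "why does it need that?" case the column describes.
SENSITIVE = {
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.RECEIVE_SMS": "see incoming text messages",
    "android.permission.SEND_SMS": "send text messages from your phone",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.READ_CALL_LOG": "read your call history",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "use the camera",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        elem.get(name_attr)
        for elem in root.iter("uses-permission")
        if elem.get(name_attr)
    }


def flag_sensitive(perms: set) -> dict:
    """Map each watchlisted permission in `perms` to a plain-English reason."""
    return {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}


def permission_changes(old_xml: str, new_xml: str) -> tuple:
    """Return (added, removed) permission sets between two manifest versions."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    return new - old, old - new


if __name__ == "__main__":
    v1 = requested_permissions(MANIFEST_V1)
    print("v1 requests:", sorted(v1))
    print("v1 sensitive:", flag_sensitive(v1))

    added, removed = permission_changes(MANIFEST_V1, MANIFEST_V2)
    print("update adds:", sorted(added), "removes:", sorted(removed))
    for perm, why in flag_sensitive(added).items():
        print("  NEW on update: %s -> app can %s" % (perm, why))
```

Run against the two constructed manifests, version 1 raises no flags, while the update adds READ_SMS and READ_CONTACTS, both of which land on the watchlist; that is exactly the permission change a user should be shown and question before accepting the new version.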

I’d also recommend against sideloading anything, unless you can be 100% sure it’s safe. I recommend against rooting your device as many malicious apps target just such devices. Sure, if you’re a security guru with the technical knowledge to root and protect, go ahead; everyone else, steer clear. And finally, never download from an unofficial store, even if it does look like a good way to bypass a bottleneck or get something cheaper. Seriously.


Personally, I’d avoid any of the “smart lock” functionality of your phone. It might seem like a good usability idea for your smartphone to always be unlocked when you’re in the office (location), wearing your smartwatch (device) or on your person (on-body detection), but from a security perspective it sucks elephants through a straw, backwards. Sure, there’s an autolockdown after four hours of non-usage, which requires unlocking via PIN, but that’s a long time to safety if your phone is unlocked on your desk in your office and you’re in the toilet with your watch and phone still connected over Bluetooth. Google uses terminology such as “smart lock” and “trusted devices”, but it’s people I don’t trust – and this is anything but smart in practice.

The remote unlock idea isn’t all bad, though, especially when viewed in reverse; by which I mean remote lock. Always make sure you use whatever facility is available for your OS to be able to track your phone if it’s lost or stolen, and anything that allows you to lock it down remotely. This should enable you to play a loud alarm if the phone is switched on, and display a message on the lockscreen, as well as remotely perform a factory reset if you need to protect the data in a not-coming-back scenario.

And talking of displaying lockscreen messages, don’t forget to make sure you configure your device not to display notification content on a locked-down device. Lockscreen notifications should always be set to just display an icon, requiring authentication to read what’s being notified. Unless you don’t value your privacy at all and are happy for anyone to see this stuff – or the handful of seconds it takes to authenticate these days is too long for your busy lifestyle (yeah right).


This may come as a surprise from a security guy, and from someone who’s been scathing of smartwatch functionality in the past. However, I’ve succumbed to the wearables habit and do now sport a Samsung Gear S3 Frontier to accompany the S8+ handset. Yes, wearables open up another avenue for insecurity, there’s no doubt about that, and there are some documented problems with the Tizen OS that need rectifying. But the same real-world scenario needs to be applied when talking about smartwatches – and for most people, most of the time, they’re not going to be considered high risk if general good security housekeeping principles are applied.

Where a smartwatch can help with smartphone security is by having the two connected, so that if – or when – that connection is broken, you become aware of it. If my S8+ goes out of Bluetooth range and the watch disconnects, it vibrates in a specific pattern, making me aware I’ve left


Davey is an award-winning journalist and consultant specialising in privacy and security issues @happygeek

How secure is iris authentication in the real world?
