Using his new Galaxy S8, Davey Winder contemplates whether security is as smart as the phone it’s running on
Using his new Galaxy S8, Davey Winder contemplates whether security is as smart as the phone it’s running on ..............................................
’ve recently added a Samsung Galaxy S8+ to my collection of smartphones. Mainly because, at the time of writing, it’s quite simply the best smartphone available on the market. Sorry iPhone lovers, but until the iPhone 8 hits the shops and we can compare the two handsets, that’s the honest truth.
I was also keen to put the triple-lock of security smarts included with the S8+ to the test: fingerprint, iris and facial recognition for user authentication. All three had come under some negative scrutiny before the device was even available for pre-order. This being the real-world section of the magazine, and me having seen it all before during almost three decades covering IT security issues, I thought I’d put the features tothe test to see if there was any merit to the claims being made.
So, let’s start with the fingerprint authentication. Right o the bat I will stand up and admit that I think the combination of a long (10-digit minimum) PIN or password and a fingerprint is far and away the best method of securing your smartphone against unwanted access from those who have physical access to the device. Not perfect, no, and it can be defeated if someone also has access to your finger or a latex version of your fingertip. In 99.9% of real-world scenarios, however, neither is going to happen, so you can relax.
Funnily enough, though,most of the negativity about the fingerprint feature on the S8/S8+ hasn’t been security related at all, but rather design-orientated. The complaint being that the positioning of the scanner alongside the camera lens on the reverse of the device somehow makes it impossible to use without first smudging the camera.
Seriously? I have pretty fat fingers and haven’t managed to do this once yet, for a couple of reasons. First, I looked to see where the scanner was located and then used the connection between my brain and my finger to position it in the correct place. It really isn’t dicult. However, if this still remains too much eort for you then invest in a protective case. I’m using the rather excellent – if not cheap – Samsung LED view case, which, like many others, has a physical separation between the flash/heart-rate scanner and camera bit and the fingerprint scanner bit. This makes it all but impossible to misjudge the position of your finger.
DO THE EYES HAVE IT?
You could just use the iris scanner, and hardly ever have to use the fingerprint option at all. Ah, I hear you say, didn’t those clever hackers demonstrate how easily this could be fooled by a photograph of the eye? Yes, they did, by taking an infrared image of the user’s eyeball (so an infrared camera lens was needed) and printing it with a specific printer (only one gave repeatable results) then overlaying it with a contact lens. So, clever chaps, does this make it an insecure method of authentication for your phone?
In the clear majority of real-world scenarios, no, it doesn’t. The would-be hacker must have taken a photograph of your eye and have physical possession of your phone. To achieve both they would either be someone you are very close to (in which case, there may well be much easier methods of peeking at your text messages), or you’d need to be a very attractive target to justify the eort.
In the latter case, I’d suggest you need to protect data so that even an authenticated user needs to bypass a second security layer to access anything useful. AppLock provides such a tool, and if used in “advanced mode” it’s all but impossible to circumvent without knowledge of the master passkey. It’s a good solution for a multilayered approach to smartphone data security and privacy. You can choose which apps, and what data, is valuable enough to protect in this way and leave the rest unlocked. You can even have a randomised numeric pad so that snoopers can’t determine your PIN by shoulder surfing.
I like it. Especially now that it supports fingerprint unlocking. So, you can have iris authentication as your primary security layer, and if someone did manage to circumvent that they’d need your fingerprint to progress further. AppLock can also prevent uninstallation of the app itself; even force-stopping can be disabled.
This leaves the facial recognition option on the new Galaxy range. This is, without doubt, the fastest in use. Not that iris recognition is a slouch, nor fingerprints for that matter. However, if a second or two is critical to you – the need to take a chill pill aside – then facial is the quickest.
On paper, it’s also the least secure of the authentication triumvirate. It wouldn’t be able to distinguish between identical twins – well, duh. Some have claimed it can be fooled with a high-resolution photo, but I’ve been unable to recreate this myself. Again, coupled with a secondary layer of protection, it should be sucient for most users in most scenarios.
What you should take away from this is that no matter how clever the security features of your device, there are always clever people out there looking at ways to break it. You should also understand that once a would-be hacker has physical access to your device, any device, then it’s likely game over if that attacker has access to the necessary resources to slurp your data out of the thing.
But – and it’s worth repeating – if you have no lockscreen security then your
data is wide open to anyone who, even fleetingly, gets hands-on with the device. Every layer you add makes it harder to compromise your data and privacy. So always use a PIN at the very least, and make it longer than the four-digit defaults. I find a 10-digit PIN is easy enough to remember – especially once muscle memory starts to kick in – or you could step up to the next level and use a long-ish, random password instead.
Whichever you choose, add another layer using the biometric functionality of your phone. All the biometric authentication methods will require a PIN/password fall-back, which kicks in when you restart the phone for example. Then, because two is never enough, add something else such as the AppLock option to further frustrate an attacker. The fourth layer, by the way, is full device encryption, which should also be a given whether or not your particular phone and Android version combo is forcing it upon you.
MORE SMARTPHONE SECURITY SMARTS
What else can you do to improve your smartphone security posture? Well, there’s plenty of best practice security basics that apply as much to your phone as they do to your desktop orlaptop. In light of the recent WannaCrypt0r attacks, which only infected machines running Windows in one guise or another (so Android or iOS users needn’t panic), there’s one clear lesson to be learned: keep on top of security updates.
That really does apply to your phone as well, although it can be easier said than done at the OS level. iOS users will be content knowing that when Apple rolls out an update, they all get it. Android users are less fortunate. If you have a Google-branded device that’s running a recent vanilla version of the OS then you’ll receive monthly security updates as they become available. The same should apply to most premium devices: for example, my Samsung S8+ has a security patch from three weeks ago.
What it doesn’t have, and won’t have until Samsung determines it’s stable enough with the company’s own TouchWiz system that runs on top of it, is Android 7.1. Instead, it’s sitting on version 7.0, despite being a brand-new device. These updates are pretty much out of your control once your hardware purchase decision is made. What you do have control over is updating the apps you’re running, and these should be kept up to date for security reasons as well as for access to new features.
And talking of apps, be careful what you download. I know that’s a bit twee, but it matters. While both Apple and Google do their best to keep unsavoury applications out of their respective app stores, both have made mistakes. As a result, privacy-busting apps, adware and sometimes even malware has made it past the bouncer (literally, in the case of the Play Store) at the gate. That said, downloading from the ocial stores is your best way to avoid malicious apps of any flavour.
As far as the later versions of Android are concerned, I’d recommend making good use of permissions vetting. You can see exactly what permissions an app is asking for before you install it. Ask yourself why a finance app needs access to your text messages; heck, ask the developer. If neither of you can reach a convincing answer, don’t install it. The same applies when an app is updating: you’ll be shown any permission changes and can review them before installing a new version.
I’d also recommend against sideloading anything, unless you can be 100% sure it’s safe. I recommend against rooting your device as many malicious apps target just such devices. Sure, if you’re a security guru with the technical knowledge to root andprotect, go ahead; everyone else, steer clear. And finally, never download from an unocial store, even if it does look like agood way to bypass a bottleneck or get something cheaper. Seriously.
NOT SO SMART LOCK
Personally, I’d avoid any of the “smart lock” functionality of your phone. It might seem like a good usability idea for your smartphone to always be unlocked when you’re in the oce (location) wearing your smartwatch (device) or on your person (on-body detection), but from a security perspective it sucks elephants through a straw, backwards. Sure, there’s an autolockdown after four hours of non-usage, which requires unlocking via PIN, but that’s a long time to safety if your phone is unlocked on your desk in your oce and you’re in the toilet with your watch and phone still connected over Bluetooth. Google uses terminology such as “smart lock” and“trusted devices”, but it’s people I don’t trust – and this is anything but smart in practice.
The remote unlock idea isn’t all bad, though, especially when viewed in reverse; by which I mean remote lock. Always make sure you use whatever facility is available for your OS to be able to track your phone if it’s lost or stolen, and anything that allows you to lock it down remotely. This should enable you to play a loud alarm if the phone is switched on, and display a message on the lockscreen, as well as remotely perform a factory reset if you need to protect the data in a not-comingback scenario.
And talking of displaying lockscreen messages, don’t forget to make sure you configure your device not to display notification content on a locked-down device. Lockscreen notifications should always be set to just display an icon, requiring authentication to read what’s being notified. Unless you don’t value your privacy at all and are happy for anyone to see this stu – or the handful of seconds it takes to authenticate these days is too long for your busy lifestyle (yeah right).
This may come as a surprise from a security guy, and from someone who’s been scathing of smartwatch functionality in the past. However, I’ve succumbed to the wearables habit and do now sport a Samsung Gear S3 Frontier to accompany the S8+ handset. Yes, wearables open up another avenue for insecurity, there’s no doubt about that, and there are some documented problems with the Tizen OS that need rectifying. But the same realworld scenario needs to be applied when talking about smartwatches – and for most people, most of the time, they’re not going to be considered high risk if general good security housekeeping principles are applied.
Where a smartwatch can help with smartphone security is by having the two connected, so that if – or when – that connection is broken, you become aware of it. If my S8+ goes out of Bluetooth range and the watch disconnects, it vibrates in a specific pattern, making me aware I’ve left
Davey is an award-winning journalist and consultant specialising in privacy and security issues @happygeek
How secure is iris authentication in the real world?