mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-11-18 20:41:33 -05:00
Avoid pattern unlock
This commit is contained in:
parent
4c2f29657c
commit
20ab63dad6
@ -44,6 +44,16 @@ It's important to not use an [end-of-life](https://endoflife.date/android) versi
|
||||
|
||||
[Rooting](https://en.wikipedia.org/wiki/Rooting_(Android)) Android phones can decrease security significantly as it weakens the complete [Android security model](https://en.wikipedia.org/wiki/Android_(operating_system)#Security_and_privacy). This can decrease privacy should there be an exploit that is assisted by the decreased security. Common rooting methods involve directly tampering with the boot partition, making it impossible to perform successful Verified Boot. Apps that require root will also modify the system partition meaning that Verified Boot would have to remain disabled. Having root exposed directly in the user interface also increases the [attack surface](https://en.wikipedia.org/wiki/Attack_surface) of your device and may assist in [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) vulnerabilities and SELinux policy bypasses.
|
||||
|
||||
## Use a diceware passphrase, avoid pattern unlock
|
||||
|
||||
On Android, the phone unlock (Password, Pin, Pattern) is used to protect the encryption key for your device. Thus, it is vital that your unlock secret is secure and can withstand Bruteforce attacks.
|
||||
|
||||
Pattern unlock is extremely insecure and should be avoided at all cost. This is discussed in detail in the Cracking Android Pattern Lock in Five Attempts(/researches/Cracking-Android-Pattern-Lock-in-Five-Attempts.pdf) research paper.
|
||||
|
||||
If you trust the hardware enforced rate limiting features (typically done by the [Secure Element](https://en.wikipedia.org/wiki/Secure_cryptoprocessor) or [Trusted Execution Environment](https://en.wikipedia.org/wiki/Trusted_execution_environment)) of your device, a 8+ digit PIN may be sufficient.
|
||||
|
||||
Ideally, you should be using a 8-10 words [diceware passphrase](https://en.wikipedia.org/wiki/Diceware) to secure your phone. This would make your phone unlock practially impossible to bruteforce, regardless of whether there is proper rate limiting or not.
|
||||
|
||||
## Use Global Toggles
|
||||
|
||||
Modern Android devices have global toggles for disabling Bluetooth and location services. Android 12 introduced toggles for the camera and microphone. When not in use, you should disable these features. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
|
||||
|
32668
static/researches/Cracking-Android-Pattern-Lock-in-Five-Attempts.pdf
Normal file
32668
static/researches/Cracking-Android-Pattern-Lock-in-Five-Attempts.pdf
Normal file
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue
Block a user