How does Android's screen locker work?


Does anyone know where I can find some technical articles explaining Android's screen locker mechanism? I want to understand how a password is protected, where it is saved, how it communicates with the locker screen, GUI, etc.





The password works like a traditional password. It's digested and stored. The data security is a little weak (see the bug reports below).

The pattern locker turns the pattern into a string, and then it works like a traditional password. The data security is a little weak (see the bug reports below).

The face unlocker is based on facial recognition. It falls back to passwords if detection fails. I don't know anything about the recognizer.

sstendal's answer below provides a link to using Yubikeys and One-Time Passwords (OTP) over NFC to unlock your Android phone. Nikolay Elenkov's blog rocks, so you'll almost certainly learn something.

For the password and pattern locker source code, see <a href="https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/LockPatternUtils.java" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/LockPatternUtils.java</a>.

For face recognition source code, see <a href="https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/FaceUnlockView.java" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/FaceUnlockView.java</a>. Also see <a href="https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard/FaceUnlock.java" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard/FaceUnlock.java</a>.

As of Android 4.4, the unlocker (called KeyGuard) was moved to a separate component. I believe its source is at <a href="https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard</a>.

You can use ADB to reset the relevant fields in the system's SQLite database. Here's the <a href="http://www.google.com/search?q=reset+password+using+ADB" rel="nofollow">Google Search</a> from VenomVendor below.

The implementation has some rough edges. I know there are some bug reports on the subject. For example:

<ul>
<li><a href="https://code.google.com/p/android/issues/detail?id=37220" rel="nofollow">Lock Pattern/Pattern uses Immutable Strings</a></li>
<li><a href="https://code.google.com/p/android/issues/detail?id=37219" rel="nofollow">Password/Pattern Serialization use 8 byte salts</a></li>
<li><a href="https://code.google.com/p/android/issues/detail?id=37218" rel="nofollow">Lock Pattern/Pattern uses Unsalted SHA Hash</a></li>
<li><a href="https://code.google.com/p/android/issues/detail?id=37213" rel="nofollow">Lock Pattern/Password uses MD5 Hash</a></li>
</ul>
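
The digest-and-store scheme described in the answer above, as an added example (not part of the original answer and not Android's source): it contrasts an unsalted SHA-1 of the pattern, the weakness named in the linked bug report, with a salted PBKDF2 record. The one-byte-per-dot encoding (`row * 3 + col`), the function names and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

def pattern_to_bytes(cells):
    """Serialize a 3x3 pattern as one byte per dot, row*3+col (assumed encoding)."""
    seen, out = set(), bytearray()
    for row, col in cells:
        if not (0 <= row < 3 and 0 <= col < 3):
            raise ValueError("cell outside the 3x3 grid")
        if (row, col) in seen:
            raise ValueError("a dot may be used only once")
        seen.add((row, col))
        out.append(row * 3 + col)
    return bytes(out)

def legacy_pattern_hash(cells):
    """Weak form: plain SHA-1, no salt, so equal patterns give equal digests."""
    return hashlib.sha1(pattern_to_bytes(cells)).digest()

def hardened_enroll(cells, iterations=200_000):
    """Corrected form (illustrative): random 16-byte salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pattern_to_bytes(cells), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def hardened_verify(cells, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pattern_to_bytes(cells),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def compare_devices(cells):
    """Enroll one pattern on two simulated devices; report whether records collide."""
    legacy_same = legacy_pattern_hash(cells) == legacy_pattern_hash(cells)
    hardened_same = hardened_enroll(cells)["hash"] == hardened_enroll(cells)["hash"]
    return legacy_same, hardened_same

# Constructed sample patterns (an "L" shape and a diagonal), not real data.
SAMPLE = [(0, 0), (1, 0), (2, 0), (2, 1), (2, 2)]
OTHER = [(0, 0), (1, 1), (2, 2), (2, 1)]

if __name__ == "__main__":
    print("legacy digest:", legacy_pattern_hash(SAMPLE).hex())
    print("records collide (legacy, hardened):", compare_devices(SAMPLE))
    record = hardened_enroll(SAMPLE)
    print("correct pattern verifies:", hardened_verify(SAMPLE, record))
    print("wrong pattern verifies:", hardened_verify(OTHER, record))
```

A 3x3 pattern has a small input space, so salting and key stretching complement attempt throttling rather than replace it.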


Nikolay Elenkov explains how you can implement your own screenlock authentication mechanism for Android:

<a href="http://nelenkov.blogspot.no/2014/03/unlocking-android-using-otp.html" rel="nofollow">http://nelenkov.blogspot.no/2014/03/unlocking-android-using-otp.html</a>

