Does anyone know where I can find some technical articles explaining Android's screen locker mechanism? I want to understand how a password is protected, where it is saved, how it communicates with the locker screen, GUI, etc.
Answer1:
<blockquote>How does Android's screen locker work?</blockquote>
The password works like a traditional password. It's digested and stored. The data security is a little weak (see the bug reports below).
The pattern locker turns the pattern into a string, and then it works like a traditional password. The data security is a little weak (see the bug reports below).
The face unlocker is based on facial recognition. It falls back to passwords if detection fails. I don't know anything about the recognizer.
sstendal's answer below provides a link to using Yubikeys and One-Time Passwords (OTP) over NFC to unlock your Android phone. Nikolay Elenkov's blog rocks, so you'll almost certainly learn something.
For the password and pattern locker source code, see <a href="https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/LockPatternUtils.java" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/LockPatternUtils.java</a>.
For face recognition source code, see <a href="https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/FaceUnlockView.java" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/FaceUnlockView.java</a>. Also see <a href="https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard/FaceUnlock.java" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard/FaceUnlock.java</a>.
As of Android 4.4, the unlocker (called KeyGuard) was moved to a separate component. I believe its source is at <a href="https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard" rel="nofollow">https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard</a>.
You can use ADB to reset the relevant fields in the system's SQLite database. Here's the <a href="http://www.google.com/search?q=reset+password+using+ADB" rel="nofollow">Google Search</a> from VenomVendor below.
The implementation has some rough edges. I know there are some bug reports on the subject. For example:
<ul>
<li><a href="https://code.google.com/p/android/issues/detail?id=37220" rel="nofollow">Lock Pattern/Pattern uses Immutable Strings</a></li>
<li><a href="https://code.google.com/p/android/issues/detail?id=37219" rel="nofollow">Password/Pattern Serialization use 8 byte salts</a></li>
<li><a href="https://code.google.com/p/android/issues/detail?id=37218" rel="nofollow">Lock Pattern/Pattern uses Unsalted SHA Hash</a></li>
<li><a href="https://code.google.com/p/android/issues/detail?id=37213" rel="nofollow">Lock Pattern/Password uses MD5 Hash</a></li>
</ul>
Answer2:
Nikolay Elenkov explains how you can implement your own screenlock authentication mechanism for Android:
<a href="http://nelenkov.blogspot.no/2014/03/unlocking-android-using-otp.html" rel="nofollow">http://nelenkov.blogspot.no/2014/03/unlocking-android-using-otp.html</a>
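The weaknesses named in the first answer's bug reports (an unsalted SHA digest, short salts, immutable strings) are shown here beside a hardened form. This is an added example, not part of the original answers and not Android's own code; the class name, the pattern-to-character encoding, the 16-byte salt and the iteration count are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LockDigestDemo {
    // Assumption: each 3x3 cell (row, col) becomes one character '1'..'9'.
    static char[] encodePattern(int[][] cells) {
        char[] out = new char[cells.length];
        for (int i = 0; i < cells.length; i++)
            out[i] = (char) ('1' + cells[i][0] * 3 + cells[i][1]);
        return out;
    }
    // Weak form named in the bug reports: one unsalted SHA digest of an immutable String.
    static byte[] weakDigest(char[] secret) throws Exception {
        byte[] raw = new String(secret).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.getInstance("SHA-1").digest(raw);
    }
    // Hardened form: random 16-byte salt per device, iterated KDF, wipeable char[] input.
    static byte[] hardenedDigest(char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, 100_000, 256); // illustrative cost
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipes the spec's internal copy of the secret
        }
    }
    // Recompute with the stored salt and compare in constant time.
    static boolean verify(char[] attempt, byte[] salt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hardenedDigest(attempt, salt), stored);
    }
    public static void main(String[] args) throws Exception {
        char[] secret = encodePattern(new int[][] {{0, 0}, {0, 1}, {0, 2}, {1, 2}, {2, 2}}); // constructed sample
        byte[] saltA = new byte[16], saltB = new byte[16];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(saltA);
        rng.nextBytes(saltB);
        // Unsalted: every device stores identical bytes for the same pattern.
        System.out.println("weak digests equal:     " + Arrays.equals(weakDigest(secret), weakDigest(secret.clone())));
        // Salted: the stored value differs per device, yet the right pattern still verifies.
        byte[] storedA = hardenedDigest(secret, saltA), storedB = hardenedDigest(secret, saltB);
        System.out.println("hardened digests equal: " + Arrays.equals(storedA, storedB));
        System.out.println("correct attempt:        " + verify(secret.clone(), saltA, storedA));
        System.out.println("wrong attempt:          " + verify("12365".toCharArray(), saltA, storedA));
        Arrays.fill(secret, '\0'); // wipe the secret once it is no longer needed
    }
}
```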