Dissecting Lollipop's Smart Lock
Android 5.0 (Lollipop) has been out for a while now, and most of its new features have been introduced, benchmarked, or complained about extensively. The new release also includes a number of security enhancements, of which disk encryption has gotten probably the most media attention. Smart Lock (originally announced at Google I/O 2014), which allows bypassing the device lockscreen when certain environmental conditions are met, is probably the most user-visible new security feature. As such, it has also been discussed and blogged about extensively. However, because Smart Lock is a proprietary feature incorporated in Google Play Services, not many details about its implementation or security level are available. This post will look into the Android framework extensions that Smart Lock is built upon, show how to use them to create your own unlock method, and finally briefly discuss its Play Services implementation.
Trust agents
Smart Lock is built upon a new Lollipop feature called trust agents. To quote from the framework documentation, a trust agent is a 'service that notifies the system about whether it believes the environment of the device to be trusted.' The exact meaning of 'trusted' is up to the trust agent to define. When a trust agent believes it can trust the current environment, it notifies the system via a callback, and the system decides how to relax the security configuration of the device. In the current Android incarnation, being in a trusted environment grants the user the ability to bypass the lockscreen.
Trust is granted per user, so each user's trust agents can be configured differently. Additionally, trust can be granted for a certain period of time, and the system automatically reverts to an untrusted state when that period expires. Device administrators can set the maximum trust period trust agents are allowed to set, or disable trust agents altogether.
Trust agent API
Trust agents are Android services which extend the TrustAgentService base class (not available in the public SDK). The base class provides methods for enabling the trust agent (setManagingTrust()), granting and revoking trust (grantTrust()/revokeTrust()), as well as a number of callback methods, as shown below.

public class TrustAgentService extends Service {
    // called when the user attempts to unlock the device (with or without success)
    public void onUnlockAttempt(boolean successful) {
    }

    // called when the trust period granted by this agent has expired
    public void onTrustTimeout() {
    }

    private void onError(String msg) {
        Slog.v(TAG, "Remote exception while " + msg);
    }

    public boolean onSetTrustAgentFeaturesEnabled(Bundle options) {
        return false;
    }

    // report the environment as trusted for durationMs milliseconds
    public final void grantTrust(
            final CharSequence message,
            final long durationMs, final boolean initiatedByUser) {
        //...
    }

    public final void revokeTrust() {
        //...
    }

    // must be called with true before the agent can grant trust
    public final void setManagingTrust(boolean managingTrust) {
        //...
    }

    @Override
    public final IBinder onBind(Intent intent) {
        return new TrustAgentServiceWrapper();
    }

    //...
}
To be picked up by the system, a trust agent needs to be declared in AndroidManifest.xml with an intent filter for the android.service.trust.TrustAgentService action and require the BIND_TRUST_AGENT permission, as shown below. This ensures that only the system can bind to the trust agent, as the BIND_TRUST_AGENT permission requires the platform signature. A Binder API, which allows calling the agent from other processes, is provided by the TrustAgentService base class.

<manifest ... >
    <uses-permission android:name="android.permission.CONTROL_KEYGUARD" />
    <uses-permission android:name="android.permission.PROVIDE_TRUST_AGENT" />
    <application ...>
        <service android:exported="true"
                 android:label="@string/app_name"
                 android:name=".GhettoTrustAgent"
                 android:permission="android.permission.BIND_TRUST_AGENT">
        <intent-filter>
            <action android:name="android.service.trust.TrustAgentService"/>
            <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter>
        <meta-data android:name="android.service.trust.trustagent"
                   android:resource="@xml/ghetto_trust_agent"/>
        </service>
        ...
    </application>
</manifest>
The system settings app scans app packages that match the intent filter shown above, checks if they hold the PROVIDE_TRUST_AGENT signature permission (defined in the android package) and shows them in the Trust Agents screen (Settings->Security->Trust Agents) if all required conditions are met. Currently only a single trust agent is supported, so only the first matched package is shown. Additionally, if the manifest declaration contains a <meta-data> tag that points to an XML resource that defines a settings activity (see below for an example), a menu entry that opens the settings activity is injected into the security settings screen.

<trust-agent xmlns:android="http://schemas.android.com/apk/res/android"
        android:title="Ghetto Unlock"
        android:summary="A bunch of unlock triggers"
        android:settingsActivity=".GhettoTrustAgentSettings" />
Here's how the Trust Agents screen might look when a system app that declares a trust agent is installed.
Trust agents are inactive by default (unless part of the system image), and are activated when the user toggles the switch in the screen above. Active agents are ultimately managed by the system TrustManagerService, which also keeps a log of trust-related events. You can get the current trust state and dump the event log using the dumpsys command as shown below.

$ adb shell dumpsys trust
Trust manager state:
 user "Owner" (id=0, flags=0x13) (current): trusted=0, trustManaged=1
   Enabled agents:
    org.nick.ghettounlock/.GhettoTrustAgent
     bound=1, connected=1, managingTrust=1, trusted=0
   Events:
    #0  12-24 10:42:01.915 TrustTimeout: agent=GhettoTrustAgent
    #1  12-24 10:42:01.915 TrustTimeout: agent=GhettoTrustAgent
    #2  12-24 10:42:01.915 TrustTimeout: agent=GhettoTrustAgent
    ...
Granting trust
Once a trust agent is installed, a trust grant can be triggered by any observable environment event, or directly by the user (for example, via an authentication challenge). An often requested, but not particularly secure (unless using a WPA2 profile that authenticates WiFi access points), unlock trigger is connecting to a 'home' WiFi AP. This feature can be easily implemented using a broadcast receiver that reacts to android.net.wifi.STATE_CHANGE (see the sample app; based on the sample in AOSP). Once a 'trusted' SSID is detected, the receiver only needs to call the grantTrust() method of the trust agent service. This can be achieved in a number of ways, but if both the service and the receiver are in the same package, a straightforward way is to use a LocalBroadcastManager (part of the support library) to send a local broadcast, as shown below.

// in the trust agent service
static void sendGrantTrust(Context context,
                           String message,
                           long durationMs,
                           boolean initiatedByUser) {
    Intent intent = new Intent(ACTION_GRANT_TRUST);
    intent.putExtra(EXTRA_MESSAGE, message);
    intent.putExtra(EXTRA_DURATION, durationMs);
    intent.putExtra(EXTRA_INITIATED_BY_USER, initiatedByUser);
    // local broadcast: never leaves the process, so other apps cannot send it
    LocalBroadcastManager.getInstance(context).sendBroadcast(intent);
}

// in the receiver
@Override
public void onReceive(Context context, Intent intent) {
    if (WifiManager.NETWORK_STATE_CHANGED_ACTION.equals(intent.getAction())) {
        WifiInfo wifiInfo = (WifiInfo) intent
                        .getParcelableExtra(WifiManager.EXTRA_WIFI_INFO);
        // ...
        if (secureSsid.equals(wifiInfo.getSSID())) {
            GhettoTrustAgent.sendGrantTrust(context, "GhettoTrustAgent::WiFi",
                                            TRUST_DURATION_5MINS, false);
        }
    }
}
        
    
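The receiving end of that local broadcast, as an added example rather than the sample app's own code: a hypothetical GhettoTrustAgent that extends TrustAgentService, registers for ACTION_GRANT_TRUST, declares itself as managing trust and forwards each request to grantTrust(). The action and extra names, the 5-minute duration constant and the org.nick.ghettounlock package are assumptions chosen to match sendGrantTrust() above.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.service.trust.TrustAgentService;
import android.support.v4.content.LocalBroadcastManager;
import android.util.Log;

// Hypothetical trust agent (assumed package org.nick.ghettounlock): receives the
// local ACTION_GRANT_TRUST broadcast and forwards it to the framework.
public class GhettoTrustAgent extends TrustAgentService {
    private static final String TAG = "GhettoTrustAgent";
    // Assumed action/extra names; they only need to match on both sides.
    static final String ACTION_GRANT_TRUST = "org.nick.ghettounlock.GRANT_TRUST";
    static final String EXTRA_MESSAGE = "message";
    static final String EXTRA_DURATION = "duration";
    static final String EXTRA_INITIATED_BY_USER = "initiatedByUser";
    static final long TRUST_DURATION_5MINS = 5 * 60 * 1000L;

    private final BroadcastReceiver grantReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            String message = intent.getStringExtra(EXTRA_MESSAGE);
            long durationMs = intent.getLongExtra(EXTRA_DURATION, TRUST_DURATION_5MINS);
            boolean byUser = intent.getBooleanExtra(EXTRA_INITIATED_BY_USER, false);
            Log.d(TAG, "granting trust (" + message + ") for " + durationMs + " ms");
            // TrustManagerService starts the timeout; onTrustTimeout() fires when it expires.
            grantTrust(message, durationMs, byUser);
        }
    };

    @Override
    public void onCreate() {
        super.onCreate();
        // Local broadcasts never leave this process, so another app cannot
        // inject a grant; the receiver therefore needs no permission of its own.
        LocalBroadcastManager.getInstance(this).registerReceiver(
                grantReceiver, new IntentFilter(ACTION_GRANT_TRUST));
        // grantTrust() throws IllegalStateException unless the agent has
        // first declared that it manages trust.
        setManagingTrust(true);
    }

    @Override
    public void onDestroy() {
        LocalBroadcastManager.getInstance(this).unregisterReceiver(grantReceiver);
        super.onDestroy();
    }

    @Override
    public void onTrustTimeout() {
        // The keyguard now requires the pattern/PIN/password again; a new grant
        // only happens when the next trusted event (WiFi, NFC) is observed.
        Log.d(TAG, "trust timed out");
    }

    // Same helper as in the post: called from the WiFi/NFC receivers.
    static void sendGrantTrust(Context context, String message, long durationMs,
                               boolean initiatedByUser) {
        Intent intent = new Intent(ACTION_GRANT_TRUST);
        intent.putExtra(EXTRA_MESSAGE, message);
        intent.putExtra(EXTRA_DURATION, durationMs);
        intent.putExtra(EXTRA_INITIATED_BY_USER, initiatedByUser);
        LocalBroadcastManager.getInstance(context).sendBroadcast(intent);
    }
}
```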
Calling grantTrust() will invoke the TrustAgentServiceCallback installed by the system lockscreen and effectively set a per-user trusted flag. If the flag is true, the lockscreen implementation allows the keyguard to be dismissed without authentication. Once the trust timeout expires, the user must enter their pattern, PIN or password in order to dismiss the keyguard. The current trust state is displayed at the bottom of the keyguard as a padlock icon: when unlocked, the current environment is trusted; when locked, explicit authentication is required. The user can also manually lock the device by pressing the padlock, even if an active trust agent currently has trust.

NFC unlock
As discussed in a previous post, implementing NFC unlock in previous Android versions was possible, but required some modifications to the system NFCService, because the NFC controller was not polled while the lockscreen is displayed. In order to make implementing NFC unlock possible, Lollipop introduces several hooks into the NFCService, which allow NFC polling on the lockscreen. If a matching tag is discovered, a reference to a live Tag object is passed to interested parties. Let's look into how this is implemented in a bit more detail.

The NFCAdapter class has a couple of new (hidden) methods that allow adding and removing an NFC unlock handler (addNfcUnlockHandler() and removeNfcUnlockHandler(), respectively). An NFC unlock handler is an implementation of the NfcUnlockHandler interface shown below.

interface NfcUnlockHandler {
    // return true if the tag authenticated and the unlock sequence should stop
    public boolean onUnlockAttempted(Tag tag);
}
When registering an unlock handler you must specify not only the NfcUnlockHandler object, but also a list of NFC technologies that should be polled for at the lockscreen. Calling the addNfcUnlockHandler() method requires the WRITE_SECURE_SETTINGS signature permission.
Multiple unlock handlers can be registered and are tried in turn until one of them returns true from onUnlockAttempted(). This terminates the NFC unlock sequence, but doesn't actually dismiss the keyguard. In order to unlock the device, an NFC unlock handler should work with a trust agent in order to grant trust. Judging from NFCService's commit log, this appears to be a fairly recent development: initially, the settings app included functionality to register trusted tags, which would automatically unlock the device (based on the tag's UID), but this functionality was removed in favour of trust agents.
Unlock handlers can authenticate the scanned NFC tag in a variety of ways, depending on the tag's technology. For passive tags that contain fixed data, authentication typically relies either on the tag's unique ID, or on some shared secret written to the tag. For active tags that can execute code, it can be anything from an OTP to full-blown multi-step mutual authentication. However, because NFC communication is not very fast, and most tags have limited processing power, a simple protocol with few roundtrips is preferable. A simple implementation that requires the tag to sign a random value with its RSA private key, and then verifies the signature using the corresponding public key, is included in the sample application. For signature verification to work, the trust agent needs to be initialized with the tag's public key, which in this case is imported via the trust agent's settings activity shown below.
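The challenge-response check just described, as an added example (not the sample application's code): a hypothetical NfcUnlockHandler that sends a random 32-byte challenge to an ISO-DEP tag, verifies the returned RSA signature against the public key imported through the settings activity, and only then asks the trust agent for a grant. The APDU layout, the class name and the GhettoTrustAgent helpers it calls are assumptions; the tag-side applet is not shown.

```java
import android.content.Context;
import android.nfc.NfcAdapter;
import android.nfc.Tag;
import android.nfc.tech.IsoDep;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Arrays;

// Hypothetical unlock handler for an active tag (ISO-DEP applet) holding an RSA key.
public class SigningTagUnlockHandler implements NfcAdapter.NfcUnlockHandler {
    // Assumed command: CLA 80 INS 10 P1 00 P2 00 Lc <challenge>; the tag answers with
    // a SHA256withRSA (PKCS#1 v1.5) signature followed by the status word 90 00.
    private static final byte[] SIGN_HEADER = { (byte) 0x80, 0x10, 0x00, 0x00 };
    private static final int CHALLENGE_LEN = 32;

    private final Context context;
    private final PublicKey tagPublicKey;   // imported via the settings activity
    private final SecureRandom random = new SecureRandom();

    public SigningTagUnlockHandler(Context context, PublicKey tagPublicKey) {
        this.context = context;
        this.tagPublicKey = tagPublicKey;
    }

    // Called by NFCService for each tag discovered while the keyguard is showing.
    @Override
    public boolean onUnlockAttempted(Tag tag) {
        IsoDep isoDep = IsoDep.get(tag);
        if (isoDep == null) return false;   // not our technology: let the next handler try
        byte[] challenge = new byte[CHALLENGE_LEN];
        random.nextBytes(challenge);        // fresh nonce, so a recorded reply cannot be replayed
        try {
            isoDep.connect();
            byte[] resp = isoDep.transceive(buildSignApdu(challenge));
            int n = resp.length;
            if (n < 2 || resp[n - 2] != (byte) 0x90 || resp[n - 1] != 0x00) {
                return false;               // tag refused or sent a malformed reply
            }
            if (!verify(challenge, Arrays.copyOf(resp, n - 2))) {
                return false;               // unknown or cloned tag: grant nothing
            }
        } catch (IOException | GeneralSecurityException e) {
            return false;
        } finally {
            try { isoDep.close(); } catch (IOException ignored) { }
        }
        // Only the trust agent can relax the keyguard, so hand the result to it.
        GhettoTrustAgent.sendGrantTrust(context, "GhettoTrustAgent::NFC",
                GhettoTrustAgent.TRUST_DURATION_5MINS, true);
        return true;                        // stop the NFC unlock sequence
    }

    static byte[] buildSignApdu(byte[] challenge) {
        byte[] apdu = Arrays.copyOf(SIGN_HEADER, 5 + challenge.length);
        apdu[4] = (byte) challenge.length;                        // Lc
        System.arraycopy(challenge, 0, apdu, 5, challenge.length);
        return apdu;
    }

    private boolean verify(byte[] challenge, byte[] sig) throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(tagPublicKey);
        verifier.update(challenge);
        return verifier.verify(sig);
    }
}
```

A system app registers the handler with NfcAdapter.getDefaultAdapter(context).addNfcUnlockHandler(handler, new String[] { IsoDep.class.getName() }), so only IsoDep tags are polled for at the lockscreen.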
Smart Lock
'Smart Lock' is just the marketing name for the GoogleTrustAgent which is included in Google Play Services (com.google.android.gms package), as can be seen from the dumpsys output below.

$ adb shell dumpsys trust
Trust manager state:
 user "Owner" (id=0, flags=0x13) (current): trusted=1, trustManaged=1
   Enabled agents:
    com.google.android.gms/.auth.trustagent.GoogleTrustAgent
     bound=1, connected=1, managingTrust=1, trusted=1
      message=""
This trust agent offers several trust triggers: trusted devices, trusted places and a trusted face. Trusted face is just a rebranding of the face unlock method found in previous versions. It uses the same proprietary image recognition technology, but is significantly more usable, because, when enabled, the keyguard continuously scans for a matching face instead of requiring you to stay still while it takes and processes your image. The security level provided also remains the same -- fairly low, as the trusted face setup screen warns. Trusted places is based on the geofencing technology, which has been available in Google Play Services for a while. Trusted places use the 'Home' and 'Work' locations associated with your Google account to make setup easier, and also allow registering a custom place based on the current location or any coordinates selectable via Google Maps. As a helpful popup warns, accuracy cannot be guaranteed, and the trusted place radius can be up to 80 meters. In practice, the device can remain unlocked for a while even when this distance is exceeded.
Trusted devices supports two different types of devices at the time of this writing: Bluetooth and NFC. The Bluetooth option allows the Android device to remain unlocked while a paired Bluetooth device is in range. This feature relies on Bluetooth's built-in security mechanism, and as such its security depends on the paired device. Newer devices, such as Android Wear watches or the Pebble watch, support Secure Simple Pairing (Security Mode 4), which uses Elliptic Curve Diffie-Hellman (ECDH) in order to generate a shared link key. During the pairing process, these devices display a 6-digit number based on a hash of both devices' public keys in order to provide device authentication and protect against MiTM attacks (a feature called numeric comparison). However, older wearables (such as the Meta watch), Bluetooth earphones, and others are also supported. These previous-generation devices only support Standard Pairing, which generates authentication keys based on the device's physical address and a 4-digit PIN, which is usually fixed and set to a well-known value such as '0000' or '1234'. Such devices can be easily impersonated.
Google's Smart Lock implementation requires a persistent connection to a trusted device, and trust is revoked once this connection is broken (Update: apparently a trusted connection can be established without a key on Android < 5.1). However, as the introductory screen (see below) warns, Bluetooth range is highly variable and may extend up to 100 meters. Thus while the 'keep device unlocked while connected to trusted watch on wrist' use case makes a lot of sense, in practice the Android device may remain unlocked even when the trusted Bluetooth device (wearable, etc.) is in another room.
As discussed earlier, an NFC trusted device can be quite flexible, and has the advantage that, unlike Bluetooth, proximity is well defined (typically not more than 10 centimeters). While Google's Smart Lock seems to support an active NFC device (internally referred to as the 'Precious tag'), no such device has been publicly announced yet. If the Precious is not found, Google's NFC-based trust agent falls back to UID-based authentication by saving the hash of the scanned tag's UID (tag registration screen shown below). For the popular NFC-A tags (most MIFARE variants) this UID is 4 or 7 bytes long (10-byte UIDs are also theoretically supported). While using the UID for authentication is a fairly widespread practice, it was originally intended for anti-collision only, and not for authentication. 4-byte UIDs are not necessarily unique and may collide even on 'official' NXP tags. While the specification requires 7-byte IDs to be both unique (even across different manufacturers) and read-only, cards with a rewritable UID do exist, so cloning a MIFARE trusted tag is quite possible. Tags can also be emulated with a programmable device such as the Proxmark III. Therefore, the security level provided by UID-based authentication is not that high.
Summary
Android 5.0 (Lollipop) introduces a new trust framework based on trust agents, which can notify the system when the device is in a trusted environment. As the system lockscreen now listens for trust events, it can change its behaviour based on the trust state of the current user. This makes it easy to augment or replace the traditional pattern/PIN/password user authentication methods by installing trust agents. Trust agent functionality is currently only available to system applications, and Lollipop can only support a single active trust agent. Google Play Services provides several trust triggers (trustlets) under the name 'Smart Lock' via its trust agent. While they can greatly improve device usability, none of the currently available Smart Lock methods are particularly precise or secure, so they should be used with care.