os icon indicating copy to clipboard operation
os copied to clipboard
verified publisher icon hashbang

[PATCH] Don’t require strong auth on regular time interval

Open ypid opened this issue 6 years ago • 3 comments

This disables the need to provide strong authentication except when booting the device. The idea behind this is that you are no longer forced to enter your strong authentication credentials in random locations where it might be easy to snoop your strong authentication credentials allowing an adversary to boot and decrypt your device against your will.

Changing DEFAULT_STRONG_AUTH_TIMEOUT_MS is not enough. Rather, it has the opposite effect for some reason. In my tests, it caused the strong auth to be required every hour rather than a 42 d interval.

In my tests, dpm.getRequiredStrongAuthTimeout(null, userId)) returned 3600000.

Also submitted to: https://github.com/RattlesnakeOS/community_patches/pull/9, https://github.com/GrapheneOS/platform_frameworks_base/pull/19

ypid avatar Jul 10 '19 20:07 ypid

This one has wider implications and will need more discussion. Merged your other patches.

Can you describe a specific scenario where this is a risk?

I worry about border-check situations where a timeout that enforces strong auth vs a fingerprint could be useful.

lrvick avatar Aug 15 '19 18:08 lrvick

I have not been in such a border-check situations but I don’t believe that this patch would make much of a difference there. Without this patch, Android defaults to a 3 day interval. I find it very unlikely that boarder control will just wait for such a duration without trying to unlock the phone. When you read the discussion in https://github.com/RattlesnakeOS/community_patches/pull/9, you will find that there are some more thoughts also. Another idea is to use https://f-droid.org/en/packages/xyz.iridiumion.plucklockex/.

So currently in practice I think the following scenarios are realistic:

  1. You lookdown the device or ideally shut it down. Border control will not be able to access your data without you providing the passphrase in some way.
  2. You don’t lookdown the device so it will accept weak auth like your fingerprint which I guess in most countries, you could be forced to put your finger onto the reader.

Can you describe a specific scenario where this is a risk?

Without this patch, the need to provide strong auth kicks in every 3 days regardless of other factors like location or if you have just unlocked your device successfully a second ago. Some situations where this can be a risk:

  • You are surrounded by other people or (hidden) cameras which could see the passphrase you type in https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)

I came to the conclusion that for me it makes more sense to keep this strong auth passphrase as secret as possible and rather manually lockdown the device when needed because the 3 day interval is just a hassle for me and I don’t see the benefit of it. The only (declared) benefit is that people don’t forget their strong auth passphrase which I mitigated otherwise.

ypid avatar Aug 20 '19 19:08 ypid

Well argued, and I am inclined to agree. Approved to merge into our next release.

lrvick avatar Aug 20 '19 23:08 lrvick