{ "@context":"https://www.w3.org/ns/activitystreams", "type":"Collection", "id":"https://social.jayvii.de/objects/UJMVoXf1JlU/thread", "items":[ { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T07:44:03.349Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "replies":"https://social.jayvii.de/objects/UJMVoXf1JlU/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"

Genuine question: what threat model does the \"app locking via screenlock\" on many #Android apps like #Signal, #Nextcloud #Talk and many other apps follow?

I can hardly make up a scenario where some adversary gets their hands on my unlocked phone and then fails to unlock apps that are locked with the same password/pin as the lock screen itself.

Anyone with further insights? #security #privacy

", "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Hashtag","name":"#Android","href":"https://social.jayvii.de/tags/Android"}, {"type":"Hashtag","name":"#Signal","href":"https://social.jayvii.de/tags/Signal"}, {"type":"Hashtag","name":"#Nextcloud","href":"https://social.jayvii.de/tags/Nextcloud"}, {"type":"Hashtag","name":"#Talk","href":"https://social.jayvii.de/tags/Talk"}, {"type":"Hashtag","name":"#security","href":"https://social.jayvii.de/tags/security"}, {"type":"Hashtag","name":"#privacy","href":"https://social.jayvii.de/tags/privacy"} ], "type":"Note", "id":"https://social.jayvii.de/objects/UJMVoXf1JlU" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T07:51:03.000Z", "attributedTo":"https://mastodon.social/users/penguingeek", "inReplyTo":"https://social.jayvii.de/objects/UJMVoXf1JlU", "replies":"https://mastodon.social/users/penguingeek/statuses/112625206102366826/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://mastodon.social/users/penguingeek/followers","https://social.jayvii.de/actors/jayvii"], "content":"

@jayvii If someone has your phone physically and the screen is unlocked, a hacker can reveal whatever is on your phone. It will be enough to reach the root directory.

Now there will be those who say otherwise. Let them try, what can they hide? :)

", "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@penguingeek/112625206102366826"], "type":"Note", "id":"https://mastodon.social/users/penguingeek/statuses/112625206102366826" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T09:04:04.483Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://mastodon.social/users/penguingeek/statuses/112625206102366826", "replies":"https://social.jayvii.de/objects/6_jDnI3pWr4/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://mastodon.social/users/penguingeek"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"

@penguingeek sure, although that's an \"attack\" vector where Android in general and most other OSs are rather vulnerable to begin with. Having access to an unlocked device could cause harm in many other ways besides accessing messages on Signal

", "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@penguingeek@mastodon.social","href":"https://mastodon.social/users/penguingeek"} ], "type":"Note", "id":"https://social.jayvii.de/objects/6_jDnI3pWr4" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T08:13:37.000Z", "attributedTo":"https://social.linux.pizza/users/realestninja", "inReplyTo":"https://social.jayvii.de/objects/UJMVoXf1JlU", "replies":"https://social.linux.pizza/users/realestninja/statuses/112625294836634512/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://social.linux.pizza/users/realestninja/followers","https://social.jayvii.de/actors/jayvii"], "content":"

@jayvii if someone grabs your phone before the screen is locked? It probably won't help against hackers but against a casual attempt I would assume

", "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://social.linux.pizza/@realestninja/112625294836634512"], "type":"Note", "id":"https://social.linux.pizza/users/realestninja/statuses/112625294836634512" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T08:24:48.000Z", "attributedTo":"https://mastodon.social/users/DonTheMaster", "inReplyTo":"https://social.jayvii.de/objects/UJMVoXf1JlU", "replies":"https://mastodon.social/users/DonTheMaster/statuses/112625338851946877/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://mastodon.social/users/DonTheMaster/followers","https://social.jayvii.de/actors/jayvii"], "content":"

@jayvii also, a virus can access any app data if the app is not locked

", "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@DonTheMaster/112625338851946877"], "type":"Note", "id":"https://mastodon.social/users/DonTheMaster/statuses/112625338851946877" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T09:02:07.946Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://mastodon.social/users/DonTheMaster/statuses/112625338851946877", "replies":"https://social.jayvii.de/objects/v-Qkq9VMgAo/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://mastodon.social/users/DonTheMaster"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"

@DonTheMaster sure, that might help mitigate damage, if that's how locking works (and app data is encrypted on device...). However once the device is compromised, there is not much hope to begin with.

", "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@DonTheMaster@mastodon.social","href":"https://mastodon.social/users/DonTheMaster"} ], "type":"Note", "id":"https://social.jayvii.de/objects/v-Qkq9VMgAo" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T09:06:32.000Z", "attributedTo":"https://mastodon.social/users/DonTheMaster", "inReplyTo":"https://social.jayvii.de/objects/v-Qkq9VMgAo", "replies":"https://mastodon.social/users/DonTheMaster/statuses/112625502965258963/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://mastodon.social/users/DonTheMaster/followers","https://social.jayvii.de/actors/jayvii"], "content":"

@jayvii that's true, any trojan will sit there and wait for any user unlock to \"do its job\".

Still if you are travelling borders or so, this extra lock could be useful. Depending on the laws in the country

", "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://mastodon.social/@DonTheMaster/112625502965258963"], "type":"Note", "id":"https://mastodon.social/users/DonTheMaster/statuses/112625502965258963" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T08:32:00.000Z", "attributedTo":"https://hachyderm.io/users/lucasmz", "inReplyTo":"https://social.jayvii.de/objects/UJMVoXf1JlU", "replies":"https://hachyderm.io/users/lucasmz/statuses/112625367168084692/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://hachyderm.io/users/lucasmz/followers","https://social.jayvii.de/actors/jayvii"], "content":"

@jayvii one may share their phone with someone else and want to lock a specific app from being used without extra authentication, that's it.

", "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://hachyderm.io/@lucasmz/112625367168084692"], "type":"Note", "id":"https://hachyderm.io/users/lucasmz/statuses/112625367168084692" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T08:32:37.000Z", "attributedTo":"https://hachyderm.io/users/lucasmz", "inReplyTo":"https://hachyderm.io/users/lucasmz/statuses/112625367168084692", "replies":"https://hachyderm.io/users/lucasmz/statuses/112625369549322945/replies", "to":["https://www.w3.org/ns/activitystreams#Public"], "cc":["https://hachyderm.io/users/lucasmz/followers","https://social.jayvii.de/actors/jayvii"], "content":"

@jayvii I think Signal should ask for authentication when adding a new device for syncing tbh. That one can cause some serious problems.

", "attachment":[], "tag":[ {"type":"Mention","name":"@jayvii@social.jayvii.de","href":"https://social.jayvii.de/actors/jayvii"} ], "url":["https://hachyderm.io/@lucasmz/112625369549322945"], "type":"Note", "id":"https://hachyderm.io/users/lucasmz/statuses/112625369549322945" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T09:07:28.595Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://hachyderm.io/users/lucasmz/statuses/112625369549322945", "replies":"https://social.jayvii.de/objects/aJ_NcBqEMy0/replies", "to":["https://www.w3.org/ns/activitystreams#Public","https://hachyderm.io/users/lucasmz"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"

@lucasmz regarding your first remark: yes, that is the only probable reason I could come up with myself. Although, personally, I would not share my device with anyone I wouldn't trust to access messages or where I wouldn't care if they would / ppl that have my permission. That is a rather small circle of individuals 😅 but yes, I suppose that comes down to preference, so I do see a reason for the feature, it's just not very common, I guess

", "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@lucasmz@hachyderm.io","href":"https://hachyderm.io/users/lucasmz"} ], "type":"Note", "id":"https://social.jayvii.de/objects/aJ_NcBqEMy0" } , { "@context":[ "https://www.w3.org/ns/activitystreams", {"Hashtag":"as:Hashtag"} ], "published":"2024-06-16T09:08:06.498Z", "attributedTo":"https://social.jayvii.de/actors/jayvii", "inReplyTo":"https://social.jayvii.de/objects/aJ_NcBqEMy0", "replies":"https://social.jayvii.de/objects/Cg1Jt8YzIKU/replies", "to":["https://social.jayvii.de/actors/jayvii","https://www.w3.org/ns/activitystreams#Public","https://hachyderm.io/users/lucasmz"], "cc":["https://social.jayvii.de/actors/jayvii/followers"], "content":"

@lucasmz secondly: yes, device linking could be a lot more secure IMO as well

", "mediaType":"text/html", "attachment":[], "tag":[ {"type":"Mention","name":"@lucasmz@hachyderm.io","href":"https://hachyderm.io/users/lucasmz"} ], "type":"Note", "id":"https://social.jayvii.de/objects/Cg1Jt8YzIKU" } ] }