Android password protection

[Pietia10]

Hi, There is a problem with password protection in ROM , (try submitting bad password five times) it simply does not work at all even though there are sources in aosp for that and it should be working . Phone mi5 latest stable

[smeroni68]

How is meant to work?

[Pietia10]

The code is in aosp KeyguardSecurityContainer.java

[smeroni68]

@B--B @MZO9400 @CheckYourScreen @xlxfoxxlx ... something to check here.

[smeroni68]

@Pietia10 This is the code... it is disabled by default: https://github.com/JDCTeam/android_frameworks_base/commit/13cb572a1a54f12fec1b82bcbe0254e2f4fcf120

[Pietia10]

Yeah in every phone this is enabled by default.

[smeroni68]

Looking on the code, if we set eg. 5 times, it will ask to factory reset the data... so you would like to have this?

[MZO9400]

True, doesn't work

[smeroni68]

It is meant to be so if disabled... as it is.

[MZO9400]

At least it should timeout. It doesn't timeout after 5 attempts

[smeroni68]

If countdown is > 0 ... yes... not if it is ==0

            if  (!(mMaxCountdownTimes > 0) && timeoutMs > 0) {
                  long deadline = mLockPatternUtils.setLockoutAttemptDeadline(
                          userId, timeoutMs);
                  handleAttemptLockout(deadline);
              }
          } 
          if (timeoutMs == 0) {
             mSecurityMessageDisplay.setMessage(getWrongPasswordStringId(), true);
             String msg = getMessageWithCount(getWrongPasswordStringId());

It works as it is set.

[MZO9400]

Weird

[Pietia10]

If it wont factory reset at some point the password will be easily bruteforceable , google know their's stuff .

[smeroni68]

My mistake... the commit I linked is on Opt-CM14 github...

https://github.com/AOSP-JF-MM/platform_frameworks_base/commit/13cb572a1a54f12fec1b82bcbe0254e2f4fcf120

This is on AOSP

[MZO9400]

Ah lol

[smeroni68]

Can we think to change this behaviour? Finally I use 99.99% the FP unlock...

And last: also LOS has this commit... https://github.com/LineageOS/android_frameworks_base/commit/13cb572a1a54f12fec1b82bcbe0254e2f4fcf120

[smeroni68]

FYI: if you fail for 5 times the FP recognition... the message that comes out is "Too much trials: retry later"... and you need to use the pin.

[Pietia10]

Not true with fp you just wait 30 seconda and try again .

[smeroni68]

What is not true?

[Pietia10]

You dont need to use pin after 5 failures of fp you just wait 30 seconds and you can use fp scanner again.

[smeroni68]

If you need to unlock the phone, you will wait 30 seconds, or you will swipe the correct pin to use the phone?

Anyway, the behaviour (as already written) is the same on LOS and all custom roms based on it. That's the situation.

[Pietia10]

The fingerprint implementation is same as in aosp however unlocking with passcode is not .

[smeroni68]

Are you referring to swipe passcode (3x3 or 4x4) or numeric keyboard with pin?

[Pietia10]

Im referring to both.

[smeroni68]

But numeric keyboard pin works!

https://www.dropbox.com/s/8qo0ltqznzl1xjx/Screenshot_20170528-172633.png?dl=0

(I hope italian language is not a problem to see)

Only swipe sequence has no timeout. Please check and confirm.

[Pietia10]

I cant reproduce what you sent me it doesnt work on my mi5 17 may build.

[smeroni68]

Fine... on our internal build, after 5 wrong pins or fingerprint, start the timeout of 30 seconds... on sequence swipe not. We will check what's happen... for next public build.

Thanks for reporting.

[smeroni68]

I found something: after a reboot, if you fail 5 times the sequence it stop with 30 sec delay. After entering the good sequence, the failing of 5 times do not generate anymore the 30 sec delay. To be checked...

[Pietia10]

Isnt a good idea to copy keyguard implementation from plain AOSP?

[smeroni68]

If you are trying to brute force a 6 pin code by swiping only few pins... you are playing with the phone, and you can stay for 2 hours trying to unlock a 6 pin code with 3 or 4 pins. If you wanna unlock you need 6 pin code... and after 5 trials with wrong 6 pins sequence the phone block with the timer of 30 seconds. Where is the security problem?

The issue do not exist, security it's fine. Closed.