Google is preparing to borrow a feature from Apple’s Stolen Device Protection

2 months ago 53
Droid bots staring at a phone screen that is asking to verify the identity of the owner

Mishaal Rahman / Android Authority

TL;DR

  • Google is preparing to implement an Identity Check feature that forces you to use your biometrics to unlock apps.
  • However, biometrics will only be mandatory if the device is outside of a trusted location.
  • This is so thieves who know your phone’s lock screen PIN can’t unlock your apps to steal your data.

Your phone’s lock screen is the main thing keeping all your apps and data from prying eyes. But what happens if a thief peeks over your shoulder, sees what your lock screen PIN is, and snatches your phone from your hands? Suddenly, many of your apps and personal data are vulnerable, even if they’re protected by the additional layer of security that is Android’s biometric prompt. This is because many apps that use Android’s biometric prompt let you enter the device’s lock screen credentials as a fallback mechanism. Fortunately, while I was digging through the Android 15 QPR1 Beta 2 release that Google pushed out the other day, I found evidence that the company is working on a solution to this problem — and it comes right out of the Apple Stolen Device Protection playbook.

In the Settings app, I came across an interesting new string named mandatory_biometrics_prompt_description. It reads, “Identity Check is on.” The Settings app has code to show this “Identity Check is on” string when it invokes Android’s biometric prompt dialog. However, the Settings app doesn’t show this string when it invokes a biometric prompt, which it does when you try to change the USB mode or screen timeout in Android 15.

Code

<string name="mandatory_biometrics_prompt_description">Identity Check is on</string>

Digging deeper, I found that this feature is referenced in several classes related to Android’s biometrics. Specifically, it seems that Google is setting up Android to ignore when apps invoke the biometric prompt dialog with a PIN/password/pattern fallback. However, this will only be done when “mandatory biometrics” is triggered.

Although Android 15 QPR1 itself doesn’t have any code that tells us when “mandatory biometrics” is triggered, the description for the very flag controlling the feature gives us a big clue. It specifically says that “when the phone is outside trusted locations,” Android should remove the “LSKF fallback” from the biometric prompt dialog. LSKF stands for Lock Screen Knowledge Factor (LSKF), which is the technical term for the PIN, password, or swipe pattern used to unlock your device. This description confirms how “mandatory biometrics” is triggered, but it doesn’t explain what these “trusted locations” are or whether it’s the OS itself that’s tracking when the phone is outside of them.

Earlier today, though, frequent Android Authority contributor AssembleDebug posted a screenshot to X that laid the final piece of the puzzle. His screenshot revealed that Google is preparing to upgrade its Trusted Places feature — which keeps your phone unlocked when it’s at a trusted location like your home — with a new “mandatory biometric” option. This perfectly lines up with my discovery in Android 15 QPR1 and suggests that the Google Play Services app will track when your phone is outside of a trusted location. If so, it will tell the OS to trigger mandatory biometrics, causing it to hide the PIN/password/pattern fallback when apps invoke the biometric prompt dialog.

Google Play Services mandatory biometrics

If this sounds familiar to any of our readers with Apple devices, it’s because this is the same thing that iPhones do when Stolen Device Protection is enabled. With this enabled, some actions like accessing stored passwords and credit cards require biometric authentication via Face ID or Touch ID when the device is away from a familiar location.

Google’s take on this feature — which appears to be called Identity Check — should hopefully be just as effective when it rolls out. We don’t know when that will happen, but when it does, it might require Android 15 QPR1 or higher, given that it involves core changes to the behavior of the system app that handles biometric prompt dialog.

Special thanks to security researcher linuxct for their assistance in researching this feature!

Got a tip? Talk to us! Email our staff at [email protected]. You can stay anonymous or get credit for the info, it's your choice.

Read Entire Article