How does Android's screen locker work?

Published 2019-09-01 09:50

Question:

Does anyone know where I can find some technical articles explaining Android's screen locker mechanism? I want to understand how a password is protected, where it is saved, how it communicates with the locker screen, GUI, etc.

Answer 1:

How does Android's screen locker work?

The password works like a traditional password. It's digested and stored. The data security is a little weak (see the bug reports below).

The pattern locker turns the pattern into a string, and then it works like a traditional password. The data security is a little weak (see the bug reports below).

The face unlocker is based on facial recognition. It falls back to passwords if detection fails. I don't know anything about the recognizer.

sstendal's answer below provides a link to using Yubikeys and One-Time Passwords (OTP) over NFC to unlock your Android phone. Nikolay Elenkov's blog rocks, so you'll almost certainly learn something.

For the password and pattern locker source code, see https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/LockPatternUtils.java.

For face recognition source code, see https://android.googlesource.com/platform/frameworks/base/+/HEAD/core/java/com/android/internal/widget/FaceUnlockView.java. Also see https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard/FaceUnlock.java.

As of Android 4.4, the unlocker (called KeyGuard) was moved to a separate component. I believe its source is at https://android.googlesource.com/platform/frameworks/base/+/99f2f5e/packages/Keyguard/src/com/android/keyguard.

You can use ADB to reset the relevant fields in the system's SQLite database. Here's the Google Search from VenomVendor below.

The implementation has some rough edges. I know there are some bug reports on the subject. For example:

  • Lock Pattern/Pattern uses Immutable Strings
  • Password/Pattern Serialization use 8 byte salts
  • Lock Pattern/Pattern uses Unsalted SHA Hash
  • Lock Pattern/Password uses MD5 Hash


Answer 2:

Nikolay Elenkov explains how you can implement your own screenlock authentication mechanism for Android:

http://nelenkov.blogspot.no/2014/03/unlocking-android-using-otp.html