Bug(s): App activation / Google sign-in / Power cycle bypass



  • Hi,

    Note: I've been through the relevant sections of this forum, the public bug database and FaceBook page. I can find no similar issues to what I've decribed below.

    [u:tt198m0x][b:tt198m0x]Summary/details:[/b:tt198m0x][/u:tt198m0x]
    I'm a Kickstarter backer (don't have a ring yet), using a Nexus 4 running Android 4.4.2

    I was having a play with my NFC Ring Unlock app earlier and activated the security features. Initially nothing happened (which I expected), but about 8 hours later, after I returned home from work, I tried to unlock my phone and the NFC screen had kicked in.

    Since I don't have a ring yet I tried to bypass the app by signing into my Google account. However, I use 2-step authorisation for my Google account, so when I entered my details it rejected them. It seems there was no way for the app to prompt for a 2-step verification code: these are normally requested after the phone navigates to a Google sign in page via a web browser (I don't think the Google sign in API or whatever is used allows for 2-step auth). Note that I did notice an authentication message at the top of my phone screen cycle a few times before it gave up.

    Now the only thing left for me to try was a power cycle. I turned the phone off and on again and entered my unlock PIN as soon as I was able. This did bypass the NFC Unlock app and allowed me to deactivate it.

    [u:tt198m0x][b:tt198m0x]Bugs/questions/suggestions:[/b:tt198m0x][/u:tt198m0x]

    1. Why did it take so long for the app to start working? I was using my phone intermittently throughout the day and nothing changed (I could unlock my phone with my PIN without issue).

    2. Should the app kick in without any kind of Ring/Tag registered against it? This seems like it could lock potential early users out of their devices (as it almost did me).

    3. Shouldn't there be a way for Google 2-step authorisation to work within the app? Is this a bug, a limitation of the app or a big oversight?

    4. Should power cycling a device bypass the NFC Ring Unlock app?

    Thanks,
    MadDave123


  • NFC Ring Team

    Bugs/questions/suggestions:

    1. Why did it take so long for the app to start working? I was using my phone intermittently throughout the day and nothing changed (I could unlock my phone with my PIN without issue).
      [b:181f9d50]No good explanation for this, this is the first report of this issue.[/b:181f9d50]

    2. Should the app kick in without any kind of Ring/Tag registered against it? This seems like it could lock potential early users out of their devices (as it almost did me).
      [b:181f9d50]You aren't alone, the app now warns you if you try to enable security without any rings registered.[/b:181f9d50]

    3. Shouldn't there be a way for Google 2-step authorisation to work within the app? Is this a bug, a limitation of the app or a big oversight?
      [b:181f9d50]https://github.com/mclear/Android_NFC_Ring_Unlock/issues/38[/b:181f9d50]

    4. Should power cycling a device bypass the NFC Ring Unlock app?
      It should be starting up on startup.



  • Thanks very much for the response. That helps ease some of my concerns.



  • I had a very similar problem yesterday on a Nexus 5 with Android 4.4.2. It took an arbitrary amount of time (in minutes) for the ring unlock to be activated. I thought it didn't work initially but after a while it activated itself.

    Now, because I have a professional account on my phone (or at least I believe it the cause), the ring unlock hasn't replaced the PIN. Thus when it activated itself I had a kind of double security, first the PIN code then the ring swipe. I can't remove the PIN protection because my professional account is set as admin and it has deactivated some security features (i.e. I can't remove the PIN check). I tried to unset the account as admin, but then it would basically swipe all its data so not an option.

    This configuration is probably not common, but I wonder if it's not a trouble maker. Basically what happened after a while, once I entered my PIN, the ring unlocker never recognized my ring (even though I was hearing the noise indicating a successful swipe). Since I have a 2 factors authentication enabled on my Google account I was locked out of my phone. I must say I didn't think about temporarily deactivating the Google 2 factors authentication. Also I didn't try to generate an application password which is one of the features of Google 2 factors authentication (i.e. for apps that do not support it you can generate a password that allows to bypass the 2 factors authentication and simply use a standard login / password). Reading on github I understand that setting the app password allows another recovery mode but didn't know at the time. What I did is trying to unlock when calling myself. I saw that in the app there where specific parameters when a call occurs. It didn't work either. Then suddenly after one more try the phone unlocked and I had 22 open pages on Chrome corresponding to all my attempts to unlock the phone (it opened the link stored on my ring). I have no idea why the phone finally unlocked or why it didn't before, but I was unable to use my professional phone for one day. Overall it makes me wonder about the real security of the whole system.

    Pretty scary. I was close to try a hard reset to get rid of the ring unlocker.

    Also if I may when an app asks me to enter my Google credentials, I'd rather be in a browser page. It's not the kind of credentials I like to share with an app especially on an odd red screen that doesn't work in this case because of 2 factors authentication.

    Now that I've red some more I'll perhaps give it another try (I quickly removed the app after that episode), but I don't believe most people want to get problems with an app and be locked out of their phone.



  • [quote="p6ril":3fxlowls]
    Also if I may when an app asks me to enter my Google credentials, I'd rather be in a browser page. It's not the kind of credentials I like to share with an app...[/quote:3fxlowls]
    Absolutely! That is rule number one of federated login: present the authority's login page so the user can trust where the details are going. It is very easy to just present a username/password box in your own app and say it is Google/Live/Yahoo, but the user has no idea what happens with those details.


Log in to reply
 

Looks like your connection to NFC Ring Forum was lost, please wait while we try to reconnect.