Bug(s): App activation / Google sign-in / Power cycle bypass
-
Hi,
Note: I've been through the relevant sections of this forum, the public bug database and Facebook page. I can find no similar issues to what I've described below.
Summary/details:
I'm a Kickstarter backer (don't have a ring yet), using a Nexus 4 running Android 4.4.2. I was having a play with my NFC Ring Unlock app earlier and activated the security features. Initially nothing happened (which I expected), but about 8 hours later, after I returned home from work, I tried to unlock my phone and the NFC screen had kicked in.
Since I don't have a ring yet I tried to bypass the app by signing into my Google account. However, I use 2-step authorisation for my Google account, so when I entered my details it rejected them. It seems there was no way for the app to prompt for a 2-step verification code: these are normally requested after the phone navigates to a Google sign-in page via a web browser (I don't think the Google sign-in API, or whatever is used, allows for 2-step auth). Note that I did notice an authentication message at the top of my phone screen cycle a few times before it gave up.
Now the only thing left for me to try was a power cycle. I turned the phone off and on again and entered my unlock PIN as soon as I was able. This did bypass the NFC Unlock app and allowed me to deactivate it.
Bugs/questions/suggestions:
- Why did it take so long for the app to start working? I was using my phone intermittently throughout the day and nothing changed (I could unlock my phone with my PIN without issue).
- Should the app kick in without any kind of Ring/Tag registered against it? This seems like it could lock potential early users out of their devices (as it almost did me).
- Shouldn't there be a way for Google 2-step authorisation to work within the app? Is this a bug, a limitation of the app or a big oversight?
- Should power cycling a device bypass the NFC Ring Unlock app?
Thanks,
MadDave123 -
-
Bugs/questions/suggestions:
- Why did it take so long for the app to start working? I was using my phone intermittently throughout the day and nothing changed (I could unlock my phone with my PIN without issue).
No good explanation for this; this is the first report of this issue.
- Should the app kick in without any kind of Ring/Tag registered against it? This seems like it could lock potential early users out of their devices (as it almost did me).
You aren't alone; the app now warns you if you try to enable security without any rings registered.
- Shouldn't there be a way for Google 2-step authorisation to work within the app? Is this a bug, a limitation of the app or a big oversight?
https://github.com/mclear/Android_NFC_Ring_Unlock/issues/38
- Should power cycling a device bypass the NFC Ring Unlock app?
It should be starting up on startup.
-
-
Thanks very much for the response. That helps ease some of my concerns.
-
I had a very similar problem yesterday on a Nexus 5 with Android 4.4.2. It took an arbitrary amount of time (in minutes) for the ring unlock to be activated. I thought it didn't work initially but after a while it activated itself.
Now, because I have a professional account on my phone (or at least I believe that is the cause), the ring unlock hasn't replaced the PIN. Thus, when it activated itself, I had a kind of double security: first the PIN code, then the ring swipe. I can't remove the PIN protection because my professional account is set as admin and it has deactivated some security features (i.e. I can't remove the PIN check). I tried to unset the account as admin, but then it would basically wipe all its data, so not an option.
This configuration is probably not common, but I wonder if it's not a trouble maker. Basically, what happened after a while was that, once I entered my PIN, the ring unlocker never recognized my ring (even though I was hearing the noise indicating a successful swipe). Since I have 2-factor authentication enabled on my Google account I was locked out of my phone. I must say I didn't think about temporarily deactivating the Google 2-factor authentication. Also, I didn't try to generate an application password, which is one of the features of Google 2-factor authentication (i.e. for apps that do not support it you can generate a password that allows you to bypass the 2-factor authentication and simply use a standard login/password). Reading on GitHub I understand that setting the app password allows another recovery mode, but I didn't know that at the time. What I did was try to unlock by calling myself. I saw that in the app there were specific parameters for when a call occurs. It didn't work either. Then suddenly, after one more try, the phone unlocked and I had 22 open pages in Chrome corresponding to all my attempts to unlock the phone (it opened the link stored on my ring). I have no idea why the phone finally unlocked or why it didn't before, but I was unable to use my professional phone for one day. Overall it makes me wonder about the real security of the whole system.
Pretty scary. I was close to trying a hard reset to get rid of the ring unlocker.
Also, if I may, when an app asks me to enter my Google credentials, I'd rather be in a browser page. It's not the kind of credentials I like to share with an app, especially on an odd red screen that doesn't work in this case because of 2-factor authentication.
Now that I've read some more I'll perhaps give it another try (I quickly removed the app after that episode), but I don't believe most people want to get problems with an app and be locked out of their phone.
-
p6ril wrote:
"Also, if I may, when an app asks me to enter my Google credentials, I'd rather be in a browser page. It's not the kind of credentials I like to share with an app..."
Absolutely! That is rule number one of federated login: present the authority's login page so the user can trust where the details are going. It is very easy to just present a username/password box in your own app and say it is Google/Live/Yahoo, but the user has no idea what happens with those details.
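As an added example of the principle stated above (this is not code from the thread or from the NFC Ring Unlock app), the redirect-based OAuth authorization code flow with PKCE: the app hands the user to the authority's own login page (where 2-step prompts work) and never handles the password itself. The authority URL, client id and redirect URI are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization endpoint; a real app uses the identity provider's published one.
AUTHORIZE_URL = "https://accounts.example.com/o/oauth2/v2/auth"


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_login(client_id: str, redirect_uri: str):
    """Build the URL the app opens in the system browser.

    The user types credentials (and any 2-step code) on the authority's page,
    so the app only ever receives a short-lived authorization code.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = b64url(secrets.token_bytes(16))  # binds the redirect to this request
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "verifier": verifier, "redirect_uri": redirect_uri}
    return AUTHORIZE_URL + "?" + urlencode(params), pending


def handle_redirect(callback_url: str, pending: dict):
    """Validate the browser's redirect and build the token request body.

    A state mismatch means the response was not for our request; reject it
    instead of exchanging the code. Returns None on any failure.
    """
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != pending["state"] or "error" in q:
        return None
    code = q.get("code", [None])[0]
    if not code:
        return None
    # code_verifier proves this app started the flow, so a leaked code alone is useless.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": pending["redirect_uri"], "code_verifier": pending["verifier"]}
```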