
Dissecting Lollipop's Smart Lock - sohkamyung
http://nelenkov.blogspot.com/2014/12/dissecting-lollipops-smart-lock.html
======
tdkl
Latest Google Play Services release (6.5.99x) started to poll GPS location at
every unlock, even if the "Smart unlock" with "Trusted Places" set isn't
active. This gets nasty when you're inside, have mobile connection disabled,
are outside of a known Wi-fi connection, because GPS keeps polling for
location, resulting in a hit on battery.

There's a workaround where you change the lockscreen security to "Off" and
back to whatever you use, but this removes the GPS polling only temporarily.
Or you could disable GPS completely, setting it to "Wi-fi and cell" only. But
after running an app that requires GPS (like navigation), the GPS polling gets
set back to "High" and you have to change it manually back again, so this
isn't exactly practical.

They also run a WearableService, even though your device was never paired with
Android Wear. Same goes for BrokeredFitnessService, which apparently has to do
with Google Fit but also doesn't mind that Fit is removed from the device.

The only fix for those is having root, installing "Disable service" Android
app
(https://play.google.com/store/apps/details?id=cn.wq.disableservice)
and practically disabling all services containing _wear_ and _fitness_. This
also results in significant battery gain.

I'm all ears for Google innovations, but Play Services is starting to become
more and more malware than something as highly praised as it is by Google.

~~~
carlob
Other than the technical problems I also wonder if the person who invented
this location-based unlock has ever been married…

- Honey, your phone is locked.

- Yeah, I always keep it locked, just in case.

- Did you know you can make it unlock at home?

- Oh… great… I guess I'll set that up then.

– a few days later…

- Honey, you just received 5 messages from $LoversName, who's that?

The sole existence of this feature invalidates any plausible deniability when
keeping your phone locked!

------
click170
I really wish people wouldn't rely on JavaScript to avoid delivering a blank
page to the user when they visit their site. Speaking for myself, it casts
doubt onto a site when so many other websites get along fine without relying
on it to deliver the content itself and this one doesn't. What are they trying
to collect about me that's so much more important than delivering content?

~~~
afandian
You're probably being downvoted because you're making accusations in addition
to stating facts, but it's true, Google does have other priorities more
important than serving you that content in a timely fashion. On a desktop
browser, Blogger sites usually take an extra 10 to 15 seconds to load.

I just visited on a mobile connection and recent webkit browser and got a
blank page. I gave it 5 minutes to load after the browser had finished loading
the page. No content and no error messages.

Discussing this isn't off topic if the content doesn't show.

Does anyone have a cached version?

~~~
userbinator
http://webcache.googleusercontent.com/search?hl=en&q=cache:0Dxo6Eis6nQJ:http://nelenkov.blogspot.com/2014/12/dissecting-lollipops-smart-lock.html

------
zaroth
Lots of interesting choices and perhaps mistakes in the user interface design.
The underlying crypto design of 'trust anchor' is pretty straightforward, and
it sounds like nothing is screamingly wrong about the APIs.

There was a quick bit about the service only being available through a path
which requires a Google-controlled certificate?

So that means no 3rd party trust anchor implementations are allowed?

------
higherpurpose
Is there a serious security reason why Smart Lock is tied to the Play Services
framework? I mean I'm sure there are "reasons" (there always are), but are
they _great_ reasons that we can't live without? Wouldn't it be better for the
security to be localized?

~~~
tdkl
I suppose their argument would be easier updates throughout the platform,
since Android updates aren't regulated by Google. But the side agenda is
"forcing" vendors into Google apps suite certification, devices without it
can't use certain apps which use Google APIs.

~~~
reitanqild
At least to a certain degree the more features are integrated into play
services the better: never trust Samsung to provide timely updates.

------
nly
Have they separated the storage encryption key from the lock screen code yet?
I'm still on KitKat but you currently need to install a third-party app to
achieve this (even when using CyanogenMod 11).

Using scrypt won't save you if you're using a 4 digit PIN for device
encryption as is currently the default.

~~~
aroch
Nope, still only locked to the same code as your lockscreen.

FWIW, on CM11 you don't need the other app:

       1. Set a long password that you want for encryption
       2. Enable encryption
       3. Change lock to 'pin' or whatever you'd like, pick a shorter pass phrase
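
An added example, not part of the thread: it sizes the encryption secret discussed in the last two comments by measuring one scrypt derivation on the local machine and computing how long a full keyspace takes to exhaust, and the shortest length that meets a target. The scrypt parameters, alphabets and the 10-year target are constructed for illustration and are not Android's actual values.

```python
import hashlib
import os
import time

# Constructed scrypt cost parameters for this example (assumption, not read
# from any device or from Android's crypto footer).
N, R, P = 2**14, 8, 1


def measure_scrypt_seconds(trials=3):
    """Median wall-clock cost of one scrypt derivation on this machine."""
    salt = os.urandom(16)
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.scrypt(b"0000", salt=salt, n=N, r=R, p=P, dklen=32)
        samples.append(time.perf_counter() - start)
    return sorted(samples)[len(samples) // 2]


def keyspace(alphabet_size, length):
    """Number of distinct secrets of exactly this length."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size, length, per_guess):
    """Worst-case time to derive a key for every candidate secret."""
    return keyspace(alphabet_size, length) * per_guess


def min_length(alphabet_size, per_guess, target_seconds):
    """Shortest length whose full keyspace costs at least target_seconds."""
    length = 1
    while exhaust_seconds(alphabet_size, length, per_guess) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    cost = measure_scrypt_seconds()
    ten_years = 10 * 365 * 86400
    print(f"one scrypt derivation: {cost * 1000:.1f} ms")
    # Constructed policies: digits only vs. mixed-case letters plus digits.
    for name, alphabet, length in [("4-digit PIN", 10, 4),
                                   ("6-digit PIN", 10, 6),
                                   ("8-char alphanumeric", 62, 8)]:
        hours = exhaust_seconds(alphabet, length, cost) / 3600
        print(f"{name:22s} keyspace={keyspace(alphabet, length):>16,d} "
              f"worst case={hours:,.1f} h")
    print("digits needed for 10 years:", min_length(10, cost, ten_years))
    print("alphanumerics needed for 10 years:", min_length(62, cost, ten_years))
```

The measured cost is for this machine only; a different device or dedicated hardware changes the per-guess time, so the lengths it prints are a lower bound for choosing the encryption password in step 1.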

