Hacker News new | past | comments | ask | show | jobs | submit login
Why Don’t Smartphones Have A “Guest Mode”? (techcrunch.com)
245 points by jnuss on Jan 5, 2012 | hide | past | web | favorite | 203 comments

Somewhat related: I've long wondered why ATM cards don't have something similar.

1234 is my regular PIN. 1235 is my help I'm being robbed PIN -- it dispenses the cash, calls the cops, and tags the video.

Sounds really cool, but I'm not sure what problem it actually solves. Typical ATM robbery today probably ends with the cash coming out of the machine and the robber running away, hopefully without injuring or killing their victim. Victim calls police, they take a report, get the video from the ATM cam, bank refunds the stolen cash, done.

In the scenario that you're proposing, the only advantage is that police are called about 30 seconds sooner. But my guess is that in the vast majority of cities in the US, that 30 seconds won't be enough to catch the criminals.

Not to mention that if this became widespread (and therefore known) you've now given the victim a crude weapon that the robber may feel warrants more violence to convince the victim that they better not type in their duress code.

"the only advantage is that police are called about 30 seconds sooner"

Unless the thief takes off with the victims phone as well. Additionally there are sadly instances where the theft at the ATM is just the start of other crimes towards the victim.

Unless the thief takes off with the victims phone as well.

I was thinking of the best case scenario. So the robber takes the phone as well, and the person calls it in 15 minutes later when they get to a phone. When the average police response time is about ten minutes, the difference between a call being placed 30 seconds after the robbery and 15 minutes after is pretty much nil.

Additionally there are sadly instances where the theft at the ATM is just the start of other crimes towards the victim.

True. So maybe the advantage here is that the police are alerted to the fact that a crime is taking place. But let's say the victim is kidnapped or something at this point. Are the police going to be able to do anything? They'll show up 5-15 mins after the emergency call and find an empty parking lot. What then?

I guess this might be helpful for situations in which the robber takes the money but then hangs around the ATM to beat or rape the victim. But I doubt this is terribly common. And as soon as it becomes commonplace for people to have duress codes, they'll start taking the victim elsewhere instead of staying near the ATM. Or they'll just kick the shit out of the victim to impress upon them the foolishness of using such a code.

Actually, that's an interesting thought experiment. You're held up at gunpoint (or knifepoint) at an ATM. You have a duress code (that you remember). The criminal knows these are common and threatens you not to use it. Do you?

You do because for the criminal there is no way to know if you used a duress code or not.So if you cant really get into a better position in the eyes of the criminal by not using it,you might as well use it and get cops to know you are in trouble.

Not to mention that cops will potentially have a live video feed of the crime scene as the crime is being committed!

The problem then is people entering the duress code by accident (if it's similar to the pin) or forgetting it (if it's too different).

Also a criminal might see somebody fumbling with the keypad slower than usual and assume they are entering a duress code.

I generally enter my PIN very quickly , because the movements of my fingers on the keypad is stored in muscle memory.

If they're part of a gang with a mole in the police they'll know - and who are you to say they aren't?

Or better yet, what if it's an elaborate CIA plot to convince you that the moon landing was real? Plotted by intelligent elephants, who breathe fire and crap diamonds! They're a part of the deBeers cartel, and when you're asleep, they rearrange your underwear!

How deep do you want to make your conspiracy theory go?

That's always a risk anyway, in the UK we have an anonymous crime reporting phone number. You are never going to know for sure whether someone in their telephony department is somehow logging information from all the calls and handing it over to the mafia etc.

> But let's say the victim is kidnapped or something at this point. Are the police going to be able to do anything?

They'll know that I was in distress RIGHT NOW, instead of two hours later when I fail to show up for that party I told my fiance I'd meet her at - and even then, she would have to wait 22 hours before filing an official police report.

The possibility of kidnapping elevates this to a whole new level.

Do you?


Calling the police 30 seconds later may be typical in the US, but not the rest of the world. Latin America is filled with stories of people who took a dishonest taxi and were basically kidnapped and forced to withdraw the maximum every day until their accounts were emptied. Here in Colombia, it's known as the Paseo Millonario. Everybody's different, but I'd be incredibly interested in having a distress PIN, as it could be quite some time until somebody gets worried enough at not having heard from me to alert the authorities.

Perhaps the fake PIN would only show a preset of money in the account (and still call the cops)? If the robber didn't know the victim, they might buy it.

Not sure the situation in other countries, but in the US you aren't liable for any money lost in an ATM robbery. So this would be helpful to the banks, but not the victim.

Just the knowledge of this would discourage ATM robberies from happening. If you knew that you'd only get x bucks, and that the police would be called as the transaction was happening, you'd be less likely to try this technique.

Well, I think you'd have fewer ATM robberies, but the ones you did have would be more violent, because now the victim is effectively armed with a crude weapon. So the robber is going to be more violent to intimidate the victim into NOT using that duress code.

"Punch in the real code or I'll shoot you."

I think that's the far more sensible option.

Sure, they might get more violent and say 'use the real pin', but honestly, how are they going to know that there isn't only 67.87 in the bank?

Eh, I just have two bank accounts and only keep a few hundred in the one I use for debit card payments/withdrawals. If I need more, my smartphone app is right there.

Ah... this is a good benefit to having multiple accounts. I am always confused by those with only one bank account. My current account never goes above 2K, mostly sitting at around a few hundred. This gives me a perpetual feeling of not having very much money, so I don't spend too much.

If you've got some armed psychopath (or maybe more than 1) holding a weapon to you or threatening you on a dark night your probably not going to be thinking rationally.

All sorts of stuff is going through your head like "should I use the duress PIN?" , "can I remember the duress PIN?" , "will they know if I use it?" , "how could they know?" , "What if they somehow DO know, is it worth the risk?"

This is known as a "Duress Code" and it's sometimes found in alarm systems as a code which will disarm the alarm and still call the police.


My girlfriend worked at bank that did this. The alert PIN was your PIN backwards. I don't know if they still do this or not.

I heard about this before. According to Snopes it's false although it may have been implemented in A few places.



Thanks for the wiki article. I've heard about it and was pretty sure it's a hoax (mostly because of the palindromes).

Out of curiosity, do you know what happened if the pin number was a palindrome? Did they restrict your selection to prevent that?

Yes, they restricted the selection. They also encouraged each number to be unique.

For the interested: enforcing no palindromes and unique digits reduces the number of possible PINs by about a factor of 2, bringing it down to 5040 4-digit combinations.

[JS code] http://pastebin.com/3A46BP1C

If the digits are unique then there are no palindromes. Therefore there are 1098*7 = 5040 combinations.

The formatting ate your *'s but I understand. That's definitely the better way to reason the problem. In my defense it was late (after a trip to the bar) and my code is basically stream of consciousness.

That's a funny requirement. Requiring uniques reduces password strength.

Bank PINs aren't really about password strength though. To prevent brute force, they simply block access after n tries (usually n = 3). They are just a way of preventing access to the card in case of loss or theft. So as long as there are enough combinations to make the chance of a successful brute force after three tries small enough, it doesn't really matter how strong the password is.

For online banking, there are usually added security schemes and the PIN isn't used at all.

Dang, no palindrome PINs then, eh?

That would be an excellent idea in countries where people are taken hostage to empty out their bank accounts overnight to get the maximum withdrawal over 2 days.

I remember ATMs were turned off overnight to stop these kind of crimes in big cities of Brazil. Don't know if it's still relevant.

I think the double-PIN makes sense in the ATM case (because you don't want to alert the robber to your scheme), but in the phone case I think multiple PINs is far too complex.

Why not just have e.g. "swipe left to unlock to guest mode" or something similar? Then you can still have it be locked, but with the same old PIN; it will be far more attractive to users.

Will people change banks for it (compared to say, vague promises of better customer service)?

Will people pay a premium for it (compared to say, offering more air miles)?

I'd be willing to bet that for most people it simply isn't worth the investment for them.

Will people remember to use 1235 ONLY in an emergency? And never accidentally use it? And never use it when they feel "threatened" by the scary looking hipster hanging out by the ATM?

I would tend to guess it would cause more problems than it solves.

Exactly! I would just be repeating what you say, but I'll say it anyhow. False positive rate must be considered before putting such a measure in place.

I used to intern at a company that manufactured credit cards. If I recall correctly, this actually is in place in South American countries. Due to relatively low fraud rates, credit and debit card security in the US is far behind the rest of the world.

Edit: Somewhat replying to a sibling comment. In countries with less effective police, they originally put withdrawal limits on the cards, but this just caused muggers to hold their victims until the victim's account was drained.

Further Edit: I couldn't find any online sources for this information, so I could be remembering incorrectly.

Seems to me a better idea is that you put in a code, which locks your account for a few hours and displays a "this ATM is broken" message, taking it offline for a few mins.

I would forget the emergency pin. Maybe if they recognized a backward PIN, but I would probably be so flustered while being mugged that I couldn't enter it backward.

Bank machines have this.

Diebold ATMs could be configured to send a "distress signal" when their safe was opened and the last number of the combination lock was off by 1. The option was off by default, because it required additional hardware hook-up (for the signaling), but it was there.

Several of the PIN-activated access control systems I've used have a similar concept, usually called a duress code or such. Your normal PIN would be 1234 but if you are being forced to enter under duress you put in 1235, and a silent alarm is set off.

It's a nice idea but wouldn't work in practice. If the "help" PIN is always 1 higher then there would be too many false alarms due to pressing the wrong button. Or if the "help" PIN is totally different then victims will forget under stress.

Also, robbers would know there is such thing as a "help" pin, therefore rendering it useless. It's not a good idea in practice.

It wouldn't render it useless if the behaviour of the machine was identical (other that sending a silent alert) and still dispensed the cash.

People have trouble remembering one PIN, memorizing two would be too much for many.

Probably because the SIM standard has no provision for two local PINs.

Lock doesn't have to be from the SIM side, can be from the OS side.

On ATM cards? Is that a joke?

You should change your pin to something more difficult. Just saying.

What about simply having an emergency gun dispenser inside the ATM?

I'm more bewildered to why no tablets seem to have multi-user functionality. In my experience, tablets get shared far more often than phones.

I work for a tablet manufacturer, and I spoke to an Android product manager at I/O last year about this.

According to him, this is a feature that pops up once in awhile, but they have a long list of stuff to do and this is just one of those things that always gets bumped out.

From my perspective as a platform dev, I'd like to get into some of the technical problems with changing this, but I could end up breaking some NDAs or something. I'll just say, when you start mucking around with adding login code, file system changes, and the current dmcrypt encryption, you hit lots of fun design problems.

>you hit lots of fun design problems.

Single user login is a design problem! When I hand my tablet off to someone they have access to my gmail, gtalk, facebook, twitter, imap email, browser sessions and dropbox.

And that's just what I can recall on the fly.

Maybe the encryption doesn't matter? By default in Windows users are hidden from each other stuff but the files aren't encrypted so only the FS permissions are stopping them from reading each others home folders.

There are two your account and the hidden root account ;)

I think the concerns are the interactions between user accounts. I don't think anyone is too worried about the hidden root account having access to your user account data.

Hence the winky face.

> I'm more bewildered to why no tablets seem to have multi-user functionality.

That's the first thing I wondered about when Apple released the ipad: from the start, this looked like a family/eminently shareable device (and within a month you had reports of it being used as a shared family device, picked and left on the living room table for quick sessions of browsing or game), it felt weird that all the tablets were single-user, and the more time passes the weirder it is.

But if the whole family could share it, they might only buy one instead of four.

Speaking as a father of a 3-year-old, a separate profile for him would save me an immeasurable amount of frustration. "Figure out which folder the program I want is in" becomes really tiring after about the 600th time.

If you're on Android then Famigo Sandbox sort-of solves this.

It only lists a subset of apps (automatically adding child-friendly ones it finds, but then editable) and prevents access to the phone functionality, redirects ad links etc.

My Android phone and I thank you!

Spotlight could save you that frustration already.

Not really. Having to start typing the name of an app that's already somewhere on your homescreen feels incredibly inefficient.

If that were the right solution, why does iOS have homescreen icons at all?

My iPad app does something like this: http://switchapp.net/

It's not full user accounts, but a multi-user web browser. You can protect your bookmarks, logins & web history and it also has a guest mode.

Again this might be the simplicity issue, tablets are sold partly on the idea that they are simpler than PCs.

Once you start adding stuff like login systems, seperate file permissions you start becoming a PC with a touchscreen.

much easier to sell every family member their own tablet :-)

Windows 8 tablets (will) have this.

These guys are kind of working in this: http://www.famigo.com/

Their approach is targeted at kids though, I'd love to see someone tackle the general purpose approach.

Sounds like a great project for someone with a lot of free time. I rememeber hearing that the guy who came up with what is currently the ios notification style was hired by Apple after his jailbroken hack.

The void is wide open for someone to solve this well and be rewarded for it

I have heard many, many times from parents whose kids play with their iPhones, iPads, etc. that they would like to have this mode where only the current app is active, WiFi is disabled, etc. Kids are quick to figure out how to buy extra stuff from within the app.

"Why Don’t Smartphones Have A Guest Mode?"

Because dealing with multiple profiles and/or different profile types is a fucking huge giant pain the ass and a monumental amount of work! Xbox has local, guest, live silver, and live gold accounts. Dealing with all the different profiles and switching between is a nightmare. Urgh, no thanks.

At least two of the three most prominent smart phone roms are backed by operating systems that have long histories of (more or less successful) profile switching. It might in fact be a difficult problem, but it's one that has serviceable solutions and has for some time.

No, difficult for the users, not the operating systems.

Operating systems have had user switching for years. But I'll bet only a small minority of Mac users even know this is possible, and even fewer have ever used it.

What's the third? Blackberry or wp7?

Wasn't this a solved problem... 40 years ago? At least?

Sure. If you're willing to log out of your smart phone context, and restart any needed tools in the new guest context whenever you hand over your phone.

Oh, I'm sorry, you wanted instantaneous user switching? That's a smidgen harder than the 40-year-old solutions :)

> Oh, I'm sorry, you wanted instantaneous user switching? That's a smidgen harder than the 40-year-old solutions :)

These OS have been able to run multiple concurrent user sessions for 40 years, and fast user switching has been a feature of all desktop OS since Windows 9x went the way of the dodo.

There are specific issues (core services of these systems are probably — sadly — coded with the idea that a single user is running), but nothing which should be hard to fix.

The biggest issue is resource limitations - multi-user systems require an abundance of resources that phones don't have.

What about the memory overhead of concurrent sessions?

Who gets to run background processes, and when are they terminated? Because neither CPU nor battery life exist in abundance.

What happens to incoming calls/e-mails/texts/notifications? (Especially for the guest account, where you don't have a second phone number for that account)

What happens to e.g. alarms set by user1 if user2 is logged in?

Which settings are shared, which aren't? And if your phone storage is encrypted, how do you handle shared settings? What about privacy? Can user1 e.g. record GPS signals even if user2 is logged in? If not, what about "Find my phone" features?

Sure, conceptually it's a solved issue. Practically, there are innumerable details to be figured out.

I thought that iOS and/or Android gave each App its own user account in order to sandbox permissions between apps, so that they can't overwrite each other's files. If all of the user data for an app is owned by that app's uid, then wouldn't this allow someone else running that app to somehow gain access to user data from another 'actual' user?


App1 has uid 100 User1 has uid 101 User2 has uid 102

If all userdata for App1 is owned by uid 100, User1 or User2 could potentially used App1 to gain access to the other user's app-specific user data.

(I'll admit that I'm not an iOS or Android programmer, so I may be a bit out of my depth here.)

This is a good example of how HN has gone down the tubes. I've been downvoted to -1 based solely on a post where I raised a possible security concern. I admitted that I wasn't fully versed, but I expected someone to correct my if I was wrong. Instead, I'm downvoted, but no one has bothered to actually post useful information. Am I wrong? Did someone just 'not like the tone' of my post for some strange reason? Who knows? No one is talking.

Ephemeral voting noise is not going down the tubes.

You are right, and I upvoted you.

On Android, uids are used for apps, not for users. Supporting multiple users on Android is thus not as simple as one might think.

You mean Fast user switching? http://en.wikipedia.org/wiki/Fast_user_switching

I mean fast user switching on a resource-constrained portable device. There's a bit of a difference in terms of how to do it. (See also my above post listing some of the issues)

Current gen mobile phones are already more powerful than my first Windows XP desktop. I don't think computing resources are a limiting factor here.

And your XP desktop actually worked well with fast user switching? On an XP minspec machine? Or even recommended specs? There was a reason it was Powertoys only.

Not to mention that your XP machine had a HDD as a backing store for virtual memory. You could safely page out an entire session. Not so for phone OS's, AFAIK. (I know iOS doesn't have a backing store. Haven't checked Android, but I seriously doubt it)

Not to mention we've only very recently reached specs that make this doable. The iPhone 3GS (not that old) did have a 600MHz processor and 256MB of RAM. That's pretty close to an XP recommended spec, IIRC.

Given that your XP machine wasn't running on a battery, and wasn't busy in the background doing phone-y things, you can see where resources are getting tight.

Phones are just getting there, spec-wise. I'm sure sooner or later we will see a guest mode. The 'when', IMHO, hinges more on solving the UX issues, since specs always march on.

Nope. While on Windows, Linux, and OS X you can have two remote users logged in and independently using tty windows, they all must share the same GUI window.

That isn't true for Linux and Windows.

X (the service commonly providing the *nix GUI) was pretty much built with this in mind; Linux has had an implementation of X that has provided this since at least the mid-90s.

Windows has had this on the server since at least Windows Server 2003, and has also introduced it to the "consumer" market in Windows 7.

(I'd be happy to find out whether OS X supports this or not.)

I tried to do this couple years ago for Linux, asked around, and was told this was not possible for Linux. Apparently I was misinformed. I'm happy to be wrong about it. Can you point me to instructions for doing it for Ubuntu?

I have Windows XP, and have had 2000, NT, 98, 95, etc., and none of them could do it.

I'm glad to see that finally this "40 year old technology" is getting onto desktops in the last year or so.

Thank you. I will give it a try.

Do note that there are 2 ways to share a graphical user interface on X.

The first way is by remotely running a program on your own Xserver. The programs' processes occur on the remote connection and are sent down the SSH tunnel and show up on your display. This is the common way in Linux.

The second way is by an older program from the Windows world: VNC. VNC takes a local, running display (example: my gui) and allows someone else to view/control it at the same time I do. In this method, you both fight over the mouse and keyboard inputs.

There are several others as well. There are a couple different ways to make a "multi-head" setup in linux, which is what it sounds like. Multiple monitors/keyboards/mice all attached to the same computer allowing multiple people to run X at once independently.

VNC (at least TightVNC) also lets you set up a display for yourself, if you want.

Er, what? I regularly use Windows remote desktop and have my own full GUI session, independent of other logged in users. This has been around for many years.

On Mac OS X 10.7 (Lion), there is now multiple user screen sharing.


10.7 was released last year, not 40 years ago :-)

My older Mac Mini would not do it. I didn't know that this was added in 10.7.

IOS is really a stripped-down Unix-variant (BSD). You know, Unix, the world's most ubiquitous operating system, that supports multiple user accounts out of the box.

And whose name, in fact, stems from "uni-plexing" -- it was an operating system designed to support two users, so that Dennis and Ken could play Space Travel. A weak pun on "Multics" (multiplexing operating system).


That looks like a completely different issue... Are the local, live silver and live gold account all yours? If they are, that does look like a nightmare...

It's for different people, not for you that an account should be created. I also would like that in all the *pads. I'd like to split the history and logins of each person using my touchpad. It's a mess when 2+ people start using it.

The "two PINs" idea would also be great for when a police officer pulls you over and asks you to hand over and unlock your phone. With the proper encryption you could even have plausible deniability.

Haven't people suggested this with regards to TrueCrypt's hidden volumes, with "rubber-hose cryptography" being the most common answer, and "yeah, well, prove that this is your REAL phone unlock code" being the second most common.

Rubber hose cryptography isn't a valid response to plausible deniability, because it applies equally to a volume that's encrypted normally (i.e. the cops just see junk data). At least you have a chance to throw them off with your fake unlock. Anyway, if it comes down to torture, you're screwed no matter what (unless you're trained to withstand torture); plausible deniability is more for "civilized" courts because they can't possibly prove that you're withholding anything. Personally, I think the 5th amendment in the USA should mean you can't be compelled to decrypt your data anyway, but that's not how the courts see it.

actually that is how the courts see it

I think you mean rubber-hose cryptanalysis.

I am amused by the idea of rubber-hose cryptography though - beating on the data until it encrypts itself!

Actually, an actual example would be cutting out someone's tongue to prevent them from speaking.

(Obviously this only worked for illiterates.)

That wouldn't be cryptography (hidden writing). It would be cryptology (hidden speech, from "logos" rather than "graphos") or alogy (lack of speech).



Prove that it isn't, officer.

With that, you've just admitted that you're aware of the possibility of setting up multiple profiles with different unlock codes. Be careful what information you leak when you're trying to look innocent!

How so? The officer was the one that suggested the possibility in this scenario.

Yes, but the answer shows that you were aware of it before, which means you have already come in contact with the concept, leading to a higher probability for you to actually use it.

Then again, a tech savvy user that encrypts his drive and claims he/she haven't a slightest idea what the officer is talking about is probably in many cases way more suspicious. At least to an officer that is informed enough to bring that up.

Depends. How closely linked are the concepts of simple encryption and plausible deniability encryption? If you start researching the topic a bit you will stumble upon both, but if, say, a friend installed it?

I don't think that it does. I think the most it can be said to demonstrate is that you are aware of how the burden of proof is supposed to work in the United States.

In other words, it's his job to prove things, not yours.

Yes, but it implies much more than just that; defiance for example. You don't want to egg them on, do you?

No cellphones are allowed in top secret military locations in the US, because all can be remotely signalled to start recording audio. We know they'll turn a phone into a bug if they need to, so it's foolish to assume they wouldn't be able to get the real PIN.

Do you have any evidence that indicates that this is the reason?

A much more likely explanation for the policy involves abuse by the user, either intentionally or unintentionally. Cameras and USB sticks are similarly restricted.

Yeah, I'm sure that the Princeton, TX police department has access to CIA-level technology, and will use it to prove that I was texting while driving.

This is also why any app that handles sensitive information (including, arguably, the photo and video galleries) on a phone should have at least the _option_ to set an in-app PIN that's required before it opens up.

Lots of folks hand their smartphone to their kids to play games and even if there's nothing sensitive on there, they might have things they don't want deleted like treasured photos and videos.

Hell, I'd be happy if iOS had a way to lock down the Springboard so my kids can't screw up my home screen every time they get their hands on a device. Does anyone else come back to find all their apps dragged into countless random folders?

It's not only about deletion. There's also the issue that you might want to restrict who can see what photos. (I.e. PINs on subsets of your pix)

At work we're required to have a PIN lock on our phones if we have our email or calendar synced to it. Majorly inconvenient to have a system-wide lock, why not just give the option to set a PIN before the email accounts can be opened?

there are at least a few big companies already doing virtualization with android to separate business and personal modes so that corporate email and other apps can be quarantined off with a secure password, leaving personal email and games to run in a separate environment that may not require as much security to unlock.

presumably the same technology could be used to provide "normal" and guest environments.


I'd benefit from a "Driving Mode" on my phone. If John, Rachel, or Stan calls, auto-text them: "I'm driving, can't talk". Everyone else goes straight to voicemail. If they send me a text within 5 minutes of that call (must be serious), make the font huge so I can read it in .5 seconds on my console. Hide all other texts.

I'd like to be truly responsible and just turn my phone off, but I don't to allow for those few times when there actually is something important.

Siri is already the "Driving Mode" feature on the iPhone.

Hooking it up to the stereo system makes it feel like it is part of the vehicle. Some day, when I am feeling adventurous, I will wire the otherwise useless OnStar button to trigger it to complete the "factory look."

HTC Sense has something called modes - which allow you to put your phone in profiles that switch data off, or the keyboard off, etc. They recently acquired Inquisitive Minds for a "kids mode" (http://www.androidguys.com/2011/10/18/htc-acquires-inquisiti...) which is pretty much guest mode.

Ironically, Arrington still "writes" for Techcrunch


The tweet seems quite old, though: "9:43 PM - 18 Oct 10"

that was my point, he tweeted this long ago, while he was in TC, and yet, his voice is echoed...

Web browsers have been around since 92, first usable guest mode [1] on a web browser appeared 2005 or so. Give the phones a little more time, and it will get there too.

[1] mozilla had multiple profile support since forever, but it required you to restart the browser with a command line argument, or requires you to pick a profile every time, and even then it's not "guest" profile -- it's another profile with history and all. When I needed multiple profiles, it was always easier to set up another user on Linux. [On windows, at least in the 2000 days, the new browser would defer to the old one that was already on screen even if they were RunAs different users -- a different "desktop session" was required for separation. bleh]

I was going to write a tweak for iOS to do something like this, with behavior similar to that of the built in Camera shortcut from the lockscreen.

1. You are using an app

2. You activate 'Guest mode' using a button press, swipe, tap, etc. (configurable)

3. If the user hits the home button, it redirects to the lockscreen instead of the homescreen (much like the Camera application does in lock-mode)

4. Instead of the camera icon on the lockscreen when you double tap, it is the icon of the locked-in application. (You can tap it to resume use of the locked-in application)

5. To disable this guest mode, you simply unlock the device with your passcode.

So, when a friend asks "Hey can I check my email?", you can open Safari, enable this guest mode, and hand the phone to him, no worries.

What do you think?

> So, when a friend asks "Hey can I check my email?", you can open Safari, enable this guest mode, and hand the phone to him, no worries.

can you provide a sandboxed environment? he can't have access to any of my persistent Safari data (autofill/bookmarks/history/cookies/dbs/etc.), and any he creates should be wiped, probably on return to the lockscreen. all other forms of app switching (e.g. open a pdf url, then "open in" iBooks/goodReader/whatever) will need to be blocked as well. will also have to block the app tray, the notification center, pop-up/banner notifications, Siri, and possibly the phone. (could experiment with blocking badges and alerts but not sounds, since that only reveals the fact that an email/text/etc. was received, not any specific information about it.) might conceivably need to block all background app network traffic, tho i'm not sure if that's snoopable from inside safari.

basically os x guest mode

That would be the only issue with something like this. The number of system features is finite and they can be disabled each in their own respect, but partitioning a guest from a user's data in an arbitrary application would prove challenging.

yeah, by the time i got to the end of the list, it was pretty clear how hard it would be to do it right....

Yes, yes from a guy who has to nervously hope that as his Dad looks up something on his phone while having family dinner, he doesn't end up in my SMS or Photos app. It'd ruin the dinner. And some.

As far as I'm concerned the only 'Guest Mode' I need on my phone is the emergency call screen. I'm totally willing to be the 'weirdo' who won't let someone use his phone.

I was thinking of something related to this earlier today. One thing I'd really like from the emergency call screen is to allow me to tag several of my contacts as emergency contacts. That way if my phone is stolen, or I am hurt in an accident, the list of proper people to notify is very apparent.

Yeah, the old ICE contact.

The reason I don't log on someone else's phone is not because they don't want me to, is because I don't want to! Just the same reason why I usually don't log in on an untrusted computer.

Maybe just for browsing the internet it would be allright, but I won't hand over my passwords. Isn't there any keylogger yet for android/ios? You don't even need to go by the store/marketplace, just local, developper stuff and there you go. Do you want to log on my machine?

Smartphones seem to have mostly sacrificed some of their security for convenience.

Take Windows for example, sure you can setup multiple user accounts with different levels of privilege , access to website and apps etc but how many people outside of a corporate or academic setting actually use this?

Whenever I borrow someones laptop they just use their own login, sometimes I find porn in their Internet history but at the end of the day who cares?

Perhaps this is more of a problem for people with kids who might want to use the internet themselves but when their child uses it they don't want them to have access to certain sites or see that their parent has accessed certain sites.

One issue I have with android is that when I clear the history in the browser and delete all cookie etc etc.

If I hit the back button it still goes back to whatever I visited last , also if I goto google and tap the search bar all my previous searches come up. It's not really very privacy friendly.

Hopefully this problem will pass once everyone has a smartphone so they don't need to borrow someone elses.

My girlfriend and I both have logins on each other's laptops, so that we can both have our apps set up the way we like them. With bookmarks and history syncing between them, this makes life much easier.

It does, I have multiple logins for my PC including a guest one.

Most people don't seem to really understand the benefit of doing this though, I've seen couples argue because they both keep changing preferences on a shared computer when multiple logins would solve their problems.

It doesn't work for Windows because you wouldn't have an account on someone else's computer. Chrome OS solves this though since your account is in the cloud and you can login to your account with your settings/history/etc.. from any computer.

Android should be able to support this feature down the line too.

Users can, when choosing the right ROM.. hooray for choice!

Guest mode: enable the “Guest Mode” toggle in the panel, and your calls and text messages logs will be hidden, and all installed applications cannot be removed. You may have a try when you need to show your phone to guests or children.


The guest mode is a great idea. But for now, if you have very private stuff on your Android phone, you can lock down on an app-per-app basis. This could be a little inconvenient, though, and either you always keep them password protected, or you have to remember to protect them before you give the phone to someone.

This is something I've wondered quite a bit also. ChromeOS already has this feature -- it's the idea of the device simply acting as a terminal, with all user data stored in the cloud.

Also, I'm a bit afraid implementing full-featured multiple user sessions (similar to a desktop OS) would lead to a lot more bloat.

Seems like Apple is planning to implement multi-user mode in iOS with face recognition based login ie a user just enter his PIN, however, the camera detects which account to load. (IMHO, more secure than the current Android implementation) Article talking about related patent: http://www.cultofmac.com/137393/apple-patent-details-facial-...

I would imagine at that time, they might support Guest logins.

EDIT: the implementation detail of Face recognition talked above is my own take on how it should be done. Not suggested by the referenced article.

VMWare has virtualization working on Android, which supports this in a heavy-weight kind of way. See http://www.engadget.com/2011/02/15/vmware-android-handset-vi... and http://arstechnica.com/business/news/2011/09/samsung-boosts-...

The use-case for it usually suggested is one VM for work, one for personal use, but it could be used for this scenario too.


Quote: Which has revealed a feature that the Tab needs: a button in Gmail called “in strange hands”. The device is profoundly shareable, but mine has my Google email, full of threads that are distinctly not for public eyes. So I need to switch to disable that while letting people look at interesting web sites or play games or check stock prices or whatever. End Quote

On Android there is an app called "Hide it Pro" [1] (aka Audio Manager) that allows you to hide pictures and videos. The app disguises itself as an audio manager in the app drawer. To access the hidden files you have to type a PIN code. There is also an escape PIN if you get caught hiding files. Clever idea.

[1] https://market.android.com/details?id=com.smartanuj.hideitpr...

i love that almost everything in this thread would be added shortly if we had control of our phones. why isnt there a bigger open hardware phone movement? how about a new GPLv4? GPLed software can only be shipped on GPLed hardware. it can be installed later but the user gets to see an ad explaining what they cannot do with their phone, and possibly alternate carriers that support open hardware.

I've been thinking about this a lot recently. Guest account too, but mainly other user accounts. Not for phones but for tablets, these tend to get shared more - there's a way to have multiple user accounts on iPad but this requires jailbreaking, something I'm not too fond of. It'd be nice that each family member can use their own instances of mail and safari etc...

The MIUI rom for Android sort of does this. It has a privacy mode which hides calls and text messages and locks down the homescreen.

I would take this one step further and have smartphones/tablets with cloud based "login" for your accounts, apps, preferences etc. While you would probably only use it a few times a year it would be great when getting a new phone, swapping phones with friends to try them out or to borrow a phone if you are out of juice.

Interesting idea, but I don't see many use cases.

Are people really handing their phones out that often?

I only hand my phone to someone else when:

* I've asked them to take a photo of me.

* They're riding shotgun in my car and need to call a contact or navigate with info readily available on my phone.

Neither situation is risk for people snooping around.

It happens to me often enough. Maybe it's just if you have friends who are interested in gadgets, but they will usually say things like, "Oh, you got a new phone? Can I see it?", "Oh, you installed a new ROM? Can I see it?", "Oh, I was wondering how this worked on that phone, can I try it on yours?" All of these are generic requests that just involve tapping around a lot to get a feel for the device, and they're all totally valid requests that one wants to fulfill to help his friends experience more stuff.

Also, some people just don't consider their phones private and don't understand why anyone else would. My parents or siblings sometimes want to flip through Gallery to see the newest pictures of my children, friends, or co-workers.

A couple misplaced photos can be quite the liability in a situation like that...

Guest Mode has already been requested by many people: http://code.google.com/p/android/issues/detail?id=7472

Probably for the same reason a lot of other good features don't get implemented: there are higher more impactful features to be implemented first, a bigger bang for the company's buck.

And this is why me and my family get way more use out of a Chromebook rather than our Android tablet.

Please make Android grow multi-user capabilities or give me ChromeOS in a tablet format.

...and this is why developers should never be in charge of usability/design.

simplification enhances usability. the vast majority of smartphone and tablet users are happy that all that complicated IT/nerd stuff went away on their devices.

the complications you would introduce by user switching are big. you need to add UI elements to tell the user at all times in which mode they are, you need new dialogs to switch, etc etc. the android status bar already looks like a badly maintained win xp install with all that crap in it.

built by developers for developers. brrr.

The idea sounds awesome... but how many on us even have the guest account enabled on our laptops?

Why don't computers have a "party mode"? (locking everything but youtube and spotify).

My Mac has a guest mode, but I never use it. Do you?

Every time I have guests at the house that want to use the computer for some reason. That's what it's for -- why not use it?

To answer your question, no. But my Mac does have more than one user account.

It would be nice if iOS would support multiple user accounts/profiles, especially for games - so when a user is "logged in" a game's saved progress would be tailored for that specific user.

Better yet, why hasn't anyone created an app that just simulates a guest mode? A launcher with two sets of home screens would be perfect. Or, you just disable your preferred launcher when handing your phone to a friend, revealing the mostly barren stock screens. It's as simple as hiding icons, since the apps might as well not exist if the icons aren't there (access doesn't actually need to be explicitly forbidden, per se).

Maybe I'm missing something important here, but it seems many apps on the Android market are just a few tweaks away from doing this already?

Not all games have a separation of user data. Some games basically only have one save slot, so that starting a new game wipes out the save data.

This caused me to be beat upside the head with a Gameboy repeatedly when I was young when I hit "new game" on my cousin's Pokemon Red.

If you were my cousin who did that to me, you wouldn't exist today, to put it lightly.

This was done to me by cousins and brothers maybe 4-5 times (with very well developed games before each time). I understand the frustration (although what you describe sounds a bit full on) particularly as I'm pretty sure you had to start a new game then save.

Hell, I want a guest mode on my computer. Instead I need to just have netbooks available for when company wants to check their email.

What kind of computer do you have that doesn't have a guest mode? Windows, Mac/UNIX and Linux have all been multi-user either from the beginning or for decades.

Yeah, but then I have to have a "guest" log-in. My computers are always on, so people never feel bad about asking to use them, and I feel it's unnecessary and unsmooth to log out.

Since I've already been perfectly demanding|whining about a feature I'd like to have, what I _really_ want is to just click a program that boots up a vm with the same OS, but only the browser ready to go with a fresh lack of cookies, history, etc.

IS THAT REALLY SO MUCH TO ASK? </overdramatic>

Ubuntu already has a "proper" guest mode, only accessible when unlocked by a regular user, wiped clear each time and only providing access to the guest sandbox. It's available from the system menu, so two clicks to activate when logged in already, or a couple of clicks and a password if the machine is locked (and in that case you don't have to go through your regular desktop to get to it).

why would you log out?

In Windows you'd hit Windows-L, which would take you to the login screen, and then they'd click "Guest" (or whatever alternate login you've set up). You'd still be logged in, and when they were done (or were giving it back to you for five minutes) you press Windows-L again and choose your own login to switch back to your still-running programs.

I'd be astounding if Linux didn't have an equivalent.

How about using Opera kiosk mode - it appears to meet your requested features.

Also FastUserSwitching doesnt require logout IIRC.

os x has a guest mode. (enable it as documented here http://docs.info.apple.com/article.html?path=Mac/10.6/en/156...) just tell them to wiggle the mouse, click "switch user", and click "guest".

No kidding. I really need to dig into Windows 7 and find a way to restrict VLC's history. Browsing history is of course also risky. I suppose I could make a guest account, but I really just want a one click solution that authorizes basic web access for ten minutes.

This is primarily a problem on my laptop which lumps to much diverse media together.

apparently we have similar friends.

a phone in guest mode would be totally useless.

case 1: no apps. guest has to install apps. will guest have a itunes/android market account? does he enter his Credit card to buy paid ones he want to use?

case 2: apps with no data from real user. He opens up foursquare/yelp to look for a restaurant... has to create profile

Looking at the mocked-up screenshots in the article, he's proposing that the user customize which apps are available. Note "Configure Guest Access" in Settings.app.

"""case 2: apps with no data from real user. He opens up foursquare/yelp to look for a restaurant... has to create profile"""

And that somehow makes it totally useless?

He can: talk on the phone, check his email on the web browser, surf to anything he likes, use any other app that doesn't require a profile, play a game, ..., ..., ...

Even calling case 1 "totally useless" is retarded. He can still do tons of stuff (call, browse, use as calculator, ...) except run apps.

For the guy with friends that he doesn't trust. Actually, for the guy who thinks he has friends.

Privacy is important. But why not just avoid keeping weird stuff on your phone? Keep it somewhere else. Or say, "hold on let me log out of my bank app" or something.

> But why not just avoid keeping weird stuff on your phone? Keep it somewhere else.

My girlfriend texting me about medical issues isn't "weird", but I still don't want my mom to read it if I happen to hand him my phone for a few minutes.

My mom emailing me photos of my childhood self taking a bath isn't weird, but I wouldn't want my friends to see them.

My friend asking me if I'll be showing up to the Atheist Association meetup isn't weird, but I wouldn't necessarily want my boss to see the message.

My friend asking me if I'll be showing up to the Atheist Association meetup isn't weird, but I wouldn't necessarily want my boss to see the message.

Wow. I'm glad I don't live in a country where that would even be an issue. It would never occur to me as something anyone would need to be private in any country(until now).

(Or do you work for a fundamentalist religious organisation?)

That was actually hypothetical - none of my current or past bosses would care. We did have a lot of religious clients at my old job, but they probably wouldn't care, either.

There are, however, places where it would definitely lead to a change in the work environment.

> It would never occur to me as something anyone would need to be private in any country

Even in countries ostensibly ruled by sharia law?

Being from the UK the whole idea of having an atheist organisation seems a little odd. Most people are technically christian but don't go to church and their beleif is fairly skin deep.

Religious apathy is sort of the default and religion doesn't really dictate public policy very much so having an atheist society would be a bit like having a society for heterosexual people.

Are atheists really marginalized enough in the US that it becomes necessary to band together?

not sure why the downvotes here?

I didn't up- or down-vote, but probably because the conversation is rapidly heading off-topic.

>keep it somewhere else

Where? Keep my naked girlfriend pics in a recipe box? Wtf are you even saying?

I'd rather not turn into a dull prude just because apple is too lazy to implement a guest account on their unix OS.

I'm trying to imagine how dull and colorless your life must be. I took the pictures with my phone. The obvious place to keep them is on my phone.

So the civil answer to my question "why not just avoid keeping weird stuff on your phone?"

is: "I keep naked girlfriend pics on my iPhone. I don't think that's weird, but I don't want someone to see them."

I see your point. I apologize for using the word "weird." I assume that's what the downvotes were for.

Civil answers are overrated. I'm really sick of corporate leaders (e.g. You) telling me I should change my life to suit them. Their job is to accommodate the customer regardless of how weird my hobbies may be.

"corporate leaders (e.g. You)"

I'm honored, and confused, that you would consider me a corporate leader.

Like I said, I see your point. And if you look at my comment, it was in the form of a question, not an imperative.

There is an app for that. :) Seriously. But agreed, a guest account for iOS would be awesome.

"Hold on, let me log out of my Facebook app, my Messenger app, my Twitter app, my WhatsApp app, my Path app, my Yammer app, my LinkedIn app, my Evernote app, ... And disable all my email accounts and iMessage and clear my text messages and web history. Here you go."

Because the 'phone' is just a small subset of my iPhone. I would be curious to see my most used apps, but I imagine the phone app would be about an 11, with skype at 10.

My bank sends me summary of my account every once in a while. I don't want a random person to see it pop up.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact