When I first got my Droid I went to set up my security. The first thing I do with a new mobile phone is set it up to require a password to unlock the device. I also set a timeout so that after a few minutes of inactivity the phone will automatically lock itself. If your phone isn’t locked and gets stolen, you may incur some hefty charges for calls placed. You also turn over any information on the device. Locking a phone is a good security practice.
My Droid 2 gives me a variety of choices when it comes to locking the phone. I can connect a pattern of dots, I can use a numeric PIN, or I can use a password. It was when I got to the screen lock timeout that I found a problem. If you are not paying close attention, you won’t see the slider bar on the right side of the screen disappear. By default it appears that your options for a timeout are 2, 3, 5, 10, 15, or 20 minutes. The only indication that there are other choices is the slider bar that disappears a second after you get to the screen. As it turns out there are options for 1 minute and “When display is off”.
The top of the Droid 2 has a power button. When the phone is turned on, a short press of the power button will simply turn off the screen; a long press will turn off the phone. Initially I set the timeout for 2 minutes. Next I pressed the power button briefly. The screen turns off, and at this point the phone should be locked, but it isn’t. My Blackberry has a timeout, but I can also lock the device immediately if I choose to. The default timeout is 20 minutes. This means that if you have enabled password protection and you turn off the screen, it will take 20 minutes for the device to require a password when you turn the screen back on again. This is definitely not expected behavior, but it is documented that if you want the phone to be locked when you press the power button you need to set the timeout to “When display is off”. Rather a nuisance, since I want a timeout and the ability to lock the phone immediately. So I set the timeout to “When display is off” and pressed the power button briefly. I pressed the button again to turn the screen back on and it did NOT require my password!
As it turns out, there is a 5 to 6 second delay before the lock takes effect. This is a bug. If the screen is allowed to time out it also takes 5 seconds for the lock to take effect. I have discussed this with one other security person who also has a Droid 2. He was unaware of the 1 minute and “When display is off” options for locking the phone and was able to replicate my results. I wonder if this behavior is the same for all Android-based phones? If you have a different model Android-based phone, give it a test. Set the screen timeout to something short, like 15 seconds. Set up a password to lock your phone. Let the screen time out and then immediately bring it back up. Did you need to use your password? I’d love to get comments back here to find out if this is a Droid 2 issue, a Verizon issue, a Motorola issue, or the actual Android operating system. If you repeat this test and post a reply, please be sure to include the model of phone, the carrier, and the version of your Android operating system. The Droid 2 shipped with Android version 2.2.
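For readers who want the combination described above, a short timeout plus a lock-right-now button, Android 2.2 does expose that to applications through the device administration API (DevicePolicyManager, added in API level 8) rather than through the Settings screen. The snippet below is an added illustration for this post, not code from the author or from ESET. The class names MyAdminReceiver and LockHelper are made up for the example, and nothing in the post says whether DevicePolicyManager.lockNow() is subject to the same 5 to 6 second delay the author observed on the Droid 2, so treat that as something to test on your own phone, not as a fix.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

// Hypothetical device-admin receiver (name chosen for this example). It must be
// declared in AndroidManifest.xml with android.permission.BIND_DEVICE_ADMIN and
// point at a device_admin.xml resource whose <uses-policies> lists <force-lock />,
// otherwise the setMaximumTimeToLock()/lockNow() calls below throw SecurityException.
public class MyAdminReceiver extends DeviceAdminReceiver {
    // Nothing to override here: the receiver only exists so the system has a
    // ComponentName to which the force-lock policy can be granted.
}

class LockHelper {
    private final Context ctx;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    LockHelper(Context ctx) {
        this.ctx = ctx;
        this.dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(ctx, MyAdminReceiver.class);
    }

    /** Opens the system dialog that asks the user to activate this device admin. */
    void requestActivation() {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, admin);
        // Needed when starting an Activity from a non-Activity Context.
        i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(i);
    }

    /**
     * Cap the inactivity-to-lock time. The user may still pick a shorter value
     * in Settings, but not a longer one, which closes the "20 minutes by
     * default" gap described in the post. Returns false if the admin is not
     * active yet (call requestActivation() first).
     */
    boolean enforceMaxTimeout(long millis) {
        if (!dpm.isAdminActive(admin)) {
            return false;
        }
        dpm.setMaximumTimeToLock(admin, millis);
        return true;
    }

    /**
     * Lock the device immediately (screen off, keyguard up), the Blackberry-style
     * lock the post asks for. Whether this avoids the delay seen on the Droid 2
     * is not established by the post; verify on your own handset.
     */
    boolean lockImmediately() {
        if (!dpm.isAdminActive(admin)) {
            return false;
        }
        dpm.lockNow();
        return true;
    }
}
```

To try it, activate the admin once via requestActivation(), then call enforceMaxTimeout(60 * 1000L) for a one-minute cap and wire lockImmediately() to a button or widget. The device_admin.xml resource referenced from the receiver's meta-data needs only the force-lock policy for these two calls; requesting broader policies such as wipe-data or reset-password is unnecessary here and widens what the app could do if it were compromised.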
Director of Technical Education
Author ESET Research, We Live Security