The Strange Case of the Droid 2 Password Lock

When I first got my Droid I went to set up my security. The first thing I do with a new mobile phone is set it up to require a password to unlock the device. I also set a timeout so that after a few minutes of inactivity the phone will automatically lock itself. If your phone isn’t locked and gets stolen, you may incur some hefty charges for calls placed. You also turn over any information on the device. Locking a phone is a good security practice.

My Droid 2 gives me a variety of choices when it comes to locking the phone. I can connect a pattern of dots, I can use a numeric PIN, or I can use a password. The screen lock timeout is where I found a problem. If you are not paying close attention, you won’t see the slider bar on the right side of the screen disappear. By default it appears that your options for a timeout are 2, 3, 5, 10, 15, or 20 minutes. The only indication that there are other choices is the slider bar that disappears a second after you get to the screen. As it turns out there are options for 1 minute and “When display is off”.

The top of the Droid 2 has a power button. When the phone is turned on, a short press of the power button will simply turn off the screen; a long press will turn off the phone. Initially I set the timeout for 2 minutes. Next I pressed the power button briefly. The screen turns off, and at this point the phone should be locked, but it isn’t. My Blackberry has a timeout, but I can also lock the device immediately if I choose to. The default timeout is 20 minutes. This means that if you have enabled password protection and you turn off the screen it will take 20 minutes for the device to require a password when you turn the screen back on again. This is definitely not expected behavior, but it is documented that if you want the phone to be locked when you press the power button you need to set the timeout for when the display is off. Rather a nuisance, since I want a timeout and the ability to lock the phone immediately. So I set the timeout for when the display is off and pressed the power button briefly. I pressed the button again to turn the screen back on and it did NOT require my password!

As it turns out, there is a 5 to 6 second delay before the lock takes effect. This is a bug. If the screen is allowed to time out it also takes 5 seconds for the lock to take effect. I have discussed this with one other security person who also has a Droid 2. He was unaware of the options for 1 minute and when the display is off for locking the phone and was able to replicate my results. I wonder if this behavior is the same for all Android-based phones? If you have a different model Android-based phone, give it a test. Set the screen timeout for something short, like 15 seconds. Set up a password to lock your phone. Let the screen time out and then immediately bring it back up. Did you need to use your password? I’d love to get comments back here to find out if this is a Droid 2 issue, a Verizon issue, a Motorola issue, or the actual Android operating system. If you repeat this test and post a reply, please be sure to include the model of phone, the carrier, and the version of your Android operating system. The Droid 2 shipped with Android version 2.2.

Randy Abrams
Director of Technical Education
ESET LLC

Author ESET Research, ESET

  • Johan Ryberg

    I got an HTC Desire with 2.2 “stock”, not bundled with any operator.

    When I choose to lock the phone immediately it locks at the moment I press the “power button” to turn off the display. I have tried several times to press the button as fast as I can but I don’t have any delay at all.

    Worth mentioning is that I also got a policy from our Exchange server and the screen time-out is set to maximum 5 minutes.

    Best regards Johan

  • Russell Golden

    I have a T-Mobile G1 (HTC Dream). When I had stock 1.6 on it, I used a pattern lock. It locked as soon as the screen was turned off, and there wasn't an option to change that, just how long until the screen turned off.
    I've since rooted it with CyanogenMod 6 RC3 (2.2-based), and now that I look for it, a five second lock after turning off the screen is the default. However, if I turn off the screen with the power button, it locks immediately anyway. I changed it to require lock immediately to test for you, and it locked immediately.
    This *is* a serious bug. Thanks for bringing it to public attention, Mr. Abrams.

  • Chris Smith

    I have a Droid X (rooted, Froyo). I use a pattern lock and the security mechanism works as it should. I tested different intervals and the screen locks at whatever interval is set.

  • Randy Abrams

    So Chris, even if you try to wake it up immediately after the screen goes black it requires a password? My Droid 2 takes 5 to 6 seconds to require a password.

  • Jim Samborsky

    I have a Motorola Droid 2 on Verizon running Android 2.2.

    When I let the screen timeout on its own, I can wake it up by pressing the power button within five seconds. (The screen dims just a bit before it times out.) After it wakes up, I do not even have to swipe left-to-right to unlock the screen.

    The “Display settings” “Screen timeout” function seems to work properly for me.

    The “Location & security settings” “Security” functions I find confusing.

    With “Screen unlock security” set to “None” I am still required to swipe left-to-right to unlock my screen. So “None” in this case means no security to unlock, but I still have the step. Within five seconds of screen timeout, this unlock goes away as well.

    With “Screen unlock security” set to “Pattern”, “Pin”, or “Password”, I need to perform three steps to use my phone: power button, screen unlock, then security unlock.

    The “Security lock timer” seems to work only if the screen is off (plus five seconds). I was thinking I could leave my screen on longer (and avoid having to press the power button) and just get a security prompt. Even Windows has that feature with a screen saver plus password.

  • Brian

    I have the Droid 2 and once I set my screen lock pattern I scrolled down and there was an option for setting when the lock took effect and set that to when the screen timed out or was turned off.

  • Giuliana

    I have the Droid X on Verizon, updated with 2.2. When power button is pressed to activate screen lock, it does so immediately. It also does so immediately when it times out the screen as per the settings.

    This being said, has anyone else been able to turn off the slide lock since the 2.2 update? I HATE that I have the slide lock, and the pattern lock. I only want the pattern lock. I've googled for answers, but no one seems to have one.

    • Randy Abrams

      With my Droid 2 from Verizon there is still a 5 second window after the screen times out in which I can access the phone without a password.

  • Johnny

    I have a different twist to add to all of the other scenarios I can see…
    I am a Verizon customer, I have been using the original Droid since about March of 2010. I have had repeated issues with the phone, so Verizon recently reissued me an upgrade to the Droid 2, which I have been told is far superior to the Droid 1. Since having activated the phone two days ago, I have noticed several strange deviations from the original. With regards to your comments about the password locks, I have noticed a different issue that even after having talked directly to Motorola techs, they cannot explain. It is regarding a double lock issue. With Droid 1, if you set a lock pattern (dot pattern), it automatically overrode the need to swipe the original security screen swipe (lock icon on left, speaker icon on right), which both Droid 1 & 2 have set by default.
    With the Droid 2, even after having set up and initiated the lock pattern (dots), the need to swipe the original screen lock still remains, resulting in a double lock scenario. Neither Motorola nor Verizon can explain why this glitch exists or how to eliminate it. Not the end of the world, but certainly an annoyance and what I consider illogical. Any of you out there experienced this? Solutions???
    Thanks Randy… by the way, are you tied in with ESET… as in ESET NOD32 antivirus? I use it on my machine and it is the best!!
    Johnny

  • Randy Abrams

    The Droid2 was the first Android phone I got. It has always worked this way for me. This is probably a function of the newer operating system and not the manufacturer or provider. And yes, I am a proud employee of ESET. I am happy that you like our products!

  • Eduardo

    Nice! I was looking for this, and I agree totally with the part "This means that if you have enabled password protection and you turn off the screen it will take 20 minutes for the device to require a password when you turn the screen back on again. **This is definitely not expected behavior**"
    I use Defy+, and actually I was not aware of the scrollbar; it was good to read it here because the first option was 2 minutes, and I was WTF? Good to enhance the scrollbar part, but I strongly believe that the user would expect that the default value was "when display is off" instead of a timer of 2 minutes (sic).
    Thanks.
