Ask LH: How Secure Is The Passcode On My Phone?

Ask LH: How Secure Is The Passcode On My Phone?

Dear Lifehacker, There have been a lot of passcode exploits lately. Like, a whole lot. Should I be worried? How much does protection does my lock screen actually give me? Sincerely, Perturbed About Passcodes

Picture: Neyro/Shutterstock

Dear Perturbed,

Your concern isn’t unfounded. While these exploits don’t give an attacker full access to your phone, other tricks can. Here’s what you need to know about keeping your phone secure.

What These Exploits Actually Do

Let’s start with the iPhone: Both of the recent iOS 6 passcode exploits allowed an attacker to glitch their way only into the Phone app, not the home screen. As such, they could place calls, see/edit your contacts and access your photos via the “assign new picture” option. So, while it doesn’t give someone total access to your phone, it’s still enough to be concerned about.

The exploits affecting Samsung Galaxy phones worked a bit differently, flashing the home screen (or whatever was open before the phone locked) for no more than a second. While it doesn’t seem all that nefarious, it’s enough time to launch an app, and persistent attackers could use it repeatedly to download an app that would unlock your phone completely.

Both manufacturers are aware of these problems — Apple recently released iOS 6.1.3 to address its passcode issue, only to have it circumvented yet again. Samsung has also stated its intent to do the same, although, at the time that this being written, the only existing fix is a third-party one.

A Passcode Doesn’t Completely Protect You

It may seem like your phone’s security has suddenly been compromised with all these passcode exploits, but, really, passcodes have never been foolproof. In fact, they’re no more secure than any other password or PIN: they can be cracked, and they really shouldn’t be the only thing protecting your smartphone’s data.

I reached out to security expert Brandon Gregg about the level of security a passcode affords. Here’s what he had to say:

Passcodes do not mean encryption. Only if you specifically go to your Android settings can you encrypt your phone (and SD card) with a separate, strong password. Too many people believe their four digit Android or iOS passcodes protect their private information. First off, anyone can easily brute force your short 1000 possibility password. Tools like XRY (which I use and was profiled on Gizmodo) can do the crack in milliseconds. Second, a passcode does not protect from direct forensic access by tools like XRY, MPE by Accessdata and the growing list of programs for Law Enforcement. Once inside the phone, all your data is up for grabs. The best thing you can do right now is full encryption. The above tools aren’t designed for brute force at that level (yet) and the data will be useless.

Basically, your data is vulnerable on two levels. First, you have a lock screen passcode, which can be cracked, although using a strong alphanumeric password can make brute-forcing your phone take much longer to crack. However, your data is still sitting there on your phone’s hard drive, and an attacker with the proper forensic equipment and enough patience can still get at your data — unless you have full disk encryption.

Android has had full disk encryption since Honeycomb (3.0), albeit with some limitations. iOS also has a Data Protection API that apps can use to encrypt and protect your data, but it’s up to app developers to incorporate it (and it doesn’t work with apps that use iCloud), so its a lot less useful. In both cases, however, the encryption key is the same as your passcode lock, and you would have to use a strong passcode for the encryption to be effective. But who wants to enter in a long, alphanumeric password every time they need their phone? The point is to make it hard for hackers to get into your phone, not you.

Should I Even Bother with a Passcode Lock?

Of course. There’s no reason for you to make things easy for the thief who steals your phone. You could also be very fortunate and end up being robbed by someone who doesn’t know the first thing about getting around lock screens. By all means, enable your passcode, and make sure it’s a good one.

However, understand that your lock screen alone isn’t going to truly protect your data, and encryption is far from perfect. To that end, we recommend setting up a service like Apple’s Find My iPhone, or a third-party app like Prey. They can track your smartphone and wipe its data when you lose it (or it gets stolen). Hopefully, you’ll never need to worry about this sort of thing, but you know what an ounce of prevention is worth.

Cheers Lifehacker

Got your own question you want to put to Lifehacker? Send it using our contact tab on the right.


  • If android phones have had encryption since Honeycomb, does that mean that phones stuck on Gingerbread (like the Samsung GS1) don’t have it?

  • The encryption key is not the same as you pin in either case, Android you can manually set a key (not via gui yet) or a kdf derives one. For iOS4+ on iPhone 4 and above a hardware chip holds a keybag with all the goodies like escrow keys and filesystem keys. A 4 digit pin would take ~2 hours on an iPhone 4 given you cannot crack it offline.

Show more comments

Log in to comment on this story!