The Future Of Smartphone Security

Modern smartphones usually offer some kind of security option to let you into the phone. The iPhone has the a four-digit PIN-like passcode, Android phones have a swiping pattern, Windows Phone has a numeric or text-based password. Those work OK, but they’re pretty hackable, and could well be improved by new technologies. Insidious and scary technologies. Here’s the rundown.

The Problem

A large percentage of users select from a few easy-to-remember numbers. A four-digit PIN like the iPhone uses has around 10,000 possibilities, but the four most commonly used PIN numbers are used about 20 percent of the time. If the person trying to hack your phone knows anything about you–your birthday, when you were married, your address–it makes it that much easier to guess your PIN.

A PIN is easy to forget, which is why people often pick patterns that are easy to remember, like 1-2-3-4, which you should not use. And knowledge of the password is its only security; the security of an alphanumeric password does not involve the identity of the person entering it. The iPhone doesn’t attempt to see who is entering the password; if it’s right, that’s all that matters.

A Fingerprint

Biometrics: The Solution?

Biometrics refers to the practice of identifying someone based on physical characteristics, rather than on an alphanumeric key. The most well-known biometric technique is fingerprinting, but biometrics extends to all kinds of other ideas, from retinal scanning to analysis of a person’s gait to detection of a person’s particular smell (really). Some of these are good fits for smartphone security! And some are not. (You probably won’t be holding up your phone to your armpit for smell identification anytime soon.)

Fingerprinting: The grandpa of biometrics has a lot going for it. It requires minimal hardware, it’s well-understood, and it’s non-invasive. There are a few different ways to perform a fingerprint scan in a way that might be useful on a smartphone. There’s optical scanning, which is basically a digital camera; capacitance scanning, which measures the minute differences between electrical stimuli in the ridges and valleys of your fingerprint; and 3-D scanning, which makes a digital map of your finger, sort of like a Microsoft Kinect.

Capacitance scanning seems the most likely here; a company called AuthenTec has made some strides in capacitance fingerprint scanning on phones, partnering with Toshiba for the Regza T-01D Android phone. And, not at all coincidentally, Apple bought AuthenTec just over a year ago.

Will Apple opt for this method? Well, we haven’t ever seen a scanner of this type integrated into a button. The iPhone has very few buttons; the home button sees a lot of action, and the last thing you want a fingerprint scanner to have to deal with is a lot of gunk and debris piling up in there from undue use. That’s why the Toshiba Regza put the scanner on the back, where it’s less likely to accumulate dust and dirt that could foul up its inner workings. And fingerprint quality is often degraded over time, thanks to repeated manual labor or skin buildup. It can also be hacked with gummy bears. Seriously.

Face Recognition: Face recognition already exists! Ever since Android 4.0, back in 2011, Android phones have had face recognition as an unlocking option. The iPhone doesn’t have face recognition built in, but you can snag an app that’ll do it just as easily. Face recognition is great because it doesn’t require any extra hardware–the front-facing camera on your phone is just fine for this–and, theoretically, when you turn on your phone, you’ve already got your face turned toward it, so you don’t have to do much adjusting.

There are problems with this system; it’s not particularly secure, for one thing. Like most biometrics that rely on mere optics, face recognition tools can be fooled with a good picture. It also depends on the quality of the teeny-tiny front-facing camera in your phone; what if it’s dark? What if the camera breaks? What if there’s blinding light? Any of those issues could make face recognition difficult.

Will Apple try to include this feature? Possibly! The technology (and precedents) already exists, so it’d be easy to implement. But on Android, it doesn’t work particularly well, so Apple may decide it’s not worth the trouble.

Retinal Scanning: Ah, here’s where we get into the fun stuff, the stuff that doesn’t quite exist yet. The retina is the part of the eye way at the back, a thin layer of tissue that serves basically the same function as a piece of film in a camera. It requires a complex series of blood vessels to feed it, and that configuration of blood vessels is unique to each person.

A retinal scan blasts some low-energy infrared light into the eye. The blood vessels don’t reflect as much light as the surrounding tissue, so if you capture the image of the infrared reflection, you’ve got a unique map of the retina. It’s very accurate, basically impossible to fool, and delivers results pretty much instantly. It’s hard to fool with a fake retina; retinal scans can adjust to suit the movement of the retina upon getting blasted with the infrared light, so it’s not easy to fool with a handheld fake eyeball.

The downsides? Certain diseases, like glaucoma, can alter the pattern of blood vessels in the retina, as can eye conditions like astigmatism and cataracts. But those are minor problems. The real issue with retinal scanning is that it requires an infrared beam directed into your eyeball, which is invasive and not terribly convenient. Imagine having to stick your eye onto a scanner on the back of your phone every time you wanted to check your email. Not super fun!

Will Apple use it? Not yet. Retinal scanning requires extra hardware, which isn’t quite small enough yet to cram into a phone.

Scan Whoever You Want!

Iris Scanning: The iris is the colored part of the front of your eye, surrounding the pupil. The iris is also unique to each person, and much less likely to change over time than a fingerprint. It’s also easy to scan, requiring only a camera and perhaps a slight infrared illumination to make things easier. The tech already exists as an external case, but wouldn’t be too difficult to implement into a phone itself.

Iris scanning, though, can also be fooled by a photo. But it’s harder to take a super sharp, high-definition photo of an iris compared to a person’s face, which makes fooling an iris scanner with a photo relatively difficult. Still, it’s far from impossible.

Will Apple implement it? Probably not; it’s as yet unproven for mobile devices (without an external case, that is) and it’s sort of awkward to use to unlock a phone. (How do you aim it precisely at your iris if you can’t see the screen?) But the technology’s there, so we wouldn’t rule it out.

Electrocardiogram: According to a biometrics company called Bionym, your heartbeat is just as unique as your iris or fingerprint. The company very recently showed off its Nymi bracelet, which takes an electrocardiogram reading of your heart rate through your wrist. Then it uses Bluetooth to tell your phone to unlock.

It’s a super promising technology; it could be nearly impossible to fool or replicate, low-power (because it relies on an external sensor), and cheap to implement. The downsides? It might take longer than you’d prefer to actually measure your heart rate, and it requires a wristband, which people may not feel like wearing.

What This Means

Biometrics are almost certainly coming, in some form, to smartphones. Whether it’s this generation or an upcoming one, whether it’s Apple or Samsung or Motorola, someone is going to figure out how to implement biometrics in a way that makes sense. Face recognition is already here!

But given the uproar over PRISM, people may also find it objectionable to subject themselves to any sort of identification, even if it’s voluntary and even if it may assist with security. If you scan your retina to get into your iPhone, Apple has that data, Verizon (or whatever carrier you use) has that data, and we know from experience that if one of those companies has data, the government has access to it, too. And if the government has access to biometric data, that means they’ll be able to link your fingerprints, heartbeat, iris, or retina to your email address, your Twitter account, your Facebook, your YouTube, your Instagram. It would be very, very easy to create a huge database that properly associates physical identifiers to your digital life. And that’s pretty scary.

Are biometrics a good way to secure a phone? Sure, if you’re talking about merely stopping people from getting into your data when they physically have possession of the phone. But that’s not really how hacking is done these days; if that happens, both Android and iOS allow you to remotely wipe your phone of all its data. Biometrics could have the totally unintended consequence of making you much more vulnerable to hacking, simply by making your physical phone more secure.