by Al Sacco

“Face Unlock” Feature Another Android Security Risk

Nov 11, 2011 · 2 mins

The "Face Unlock" feature in Google's new Android 4.0 "Ice Cream Sandwich" OS can reportedly be "tricked" into unlocking a user's device with an image of the device owner's face.


A few weeks ago, shortly after Google officially announced the latest version of its Android mobile OS, Android v4.0 “Ice Cream Sandwich,” I wrote a story detailing the new Android features that could be valuable to businesses.

In that post, I spotlighted Android’s new “Face Unlock” feature, which lets users unlock their handhelds by simply staring into their devices’ front-facing digital camera lenses. I also questioned the security of Face Unlock, and today it looks like I was correct in doing so.

Based on a video post on an Android news site (see the clip below), Android 4.0 devices, like the new Samsung Galaxy Nexus, with the Face Unlock feature enabled can be unlocked using a simple image of the device owner. In other words, if you set up Face Unlock by snapping a picture of your own face, then hold up a similar photograph of yourself to your Android 4.0 handheld’s camera, the device will unlock itself. And a thief could also access data stored on your device in this way.

That’s obviously not good from a device security standpoint. Then again, Google never touted Face Unlock as a security feature, and I guess it simply should not be considered a secure way to lock your device.

But the problem is that many Android 4.0 users will want to use Face Unlock because they think it’s new, fun and cool—and it is all of these things. But those users may forgo other security lock features, like alphanumeric passwords, so that they can use Face Unlock, thereby reducing their overall Android security.

Android really isn’t designed to be a secure, enterprise OS, and that’s fine. But many consumers nowadays want to use their personal smartphones for work purposes, as well. And features like Android 4.0 Face Unlock make it difficult, if not impossible, for IT organizations to allow and/or support Android devices in the enterprise.

Bottom line: If you want your Android 4.0 smartphone to be as secure as possible, don’t use Face Unlock.