The ability to display widgets within the locked screen was present through Android KitKat. Sadly, this useful feature is not in the latest Android OS.
Security and functionality have always had a tenuous relationship. In order to be absolutely functional, a system must allow everything. To make a system truly secure, it must allow nothing. The most secure server is one disconnected from all network connections and buried in a hole. Obviously, that is unusable, but remains soundly secure.
The newest Android version (at the time of this post) has opted for security over functionality in many features. These devices are locked down beyond the control of the user, which is largely fine. I personally have been guilty of allowing an app to have vastly more permissions than it needed simply to listen to my music or play my game.
One instance where security has been enforced over functionality is on the locked screen. Vulnerabilities found in the lock screen functionality allowed users to bypass security controls and gain access to the phone’s data. Despite usage of pattern, PIN, password, or face detection on a locked screen, previous versions of Android OS were proven to remain vulnerable to these types of attacks. By exploiting lock screen vulnerabilities, full access to the device may be obtained, even if encryption is enabled on the device.
Therefore, functionality has been removed by preventing apps from having access or displaying data on the locked screen.
For me, this added steps to my daily routines. The last thing I do before going to bed is check to make sure the alarm on my phone is set. In Marshmallow, I am forced to unlock the phone, browse to the alarm app, and scroll down to see which alarms are on or off. Having a multi-step process to check an alarm is not convenient. There is a small icon in the top right of the phone to indicate that an alarm is set. Note that the stock alarm app has an icon in the corner of the screen. Not all alarm applications allow this functionality, nor are they all recognized by the phone as alarms and displayed on screen. Additionally, from that icon alone I cannot know which alarm will go off, or when.
Widgets and Screensavers
One solution is to download a widget and apply it as a screensaver. I found the free widget, DashClock, containing the desired features, namely the ability to display the next alarm that will sound. Previous versions of Android allowed customizations of the locked screen by sliding the screen. This is not an option with Marshmallow. To apply the workaround of displaying the widget as a screensaver, go to:
Apps > Settings > Display and Wallpaper > Screensaver
Turn this option on and choose the widget to apply. In my case, I selected DashClock Widget. I also chose to use the screensaver both while the device is docked and when it’s charging. On the Display and Wallpaper menu, I set the Screen Timeout to 30 seconds and waited for the widget to appear.
At this point the phone is locked, requiring anyone to press the power button and unlock my phone before use. The way screensavers work in Marshmallow, the power button must be hit once to be taken to the blank screen or the Always On Display, depending on how the phone is configured. Then, the user must press the power button again to be taken to the unlock screen. This is still preferable to fumbling through multiple screens in the dark to get to the alarms.
This method is an alternative way of achieving the desired functionality. The locked screen is still present and cannot be bypassed. The only difference is that a new layer, in the form of a screensaver, appears over the locked screen. Touching any button except the power button does nothing. Pressing the power button once turns off the phone screen. Pressing the power button again brings the phone to the locked screen. In this overly secure mode, it is more difficult for a vulnerability to exist that may grant a user full access to the phone.
Other Alarm Apps that work, sort of
Google’s Clock app and Timely Alarm offer a feature similar to the above widget. They allow alarms to be set and then display the time at which they will go off within a screensaver. Google’s Clock app does have the nice ability to go into a “Nighttime Mode” in which it puts the phone to sleep and displays the screensaver. Assuming the alarm is set, simply plug in the phone and wait for the device to go into sleep mode and display the screensaver. Otherwise, I must open the app, set the correct alarm to on, plug the phone in, and then let it go into screensaver mode. The multistep process defeats the purpose of using the simplified app.
Is there an easier way?
After a few failed attempts to change the lock screen within Android, I landed on the Echo Notification Lockscreen, Hi Locker, and NiLS Lock Screen Notifications apps. These placed an additional lock screen in front of the existing lock screen. The apps have the ability to display pushed notifications, such as weather or new messages, and calendar events. However, the apps could not display the alarm time in Marshmallow. Newer versions may resolve the issue.
Security: 1. Functionality: 0
I am usually in support of implementing strong security over functions and features.
In this case, I think the hindered user experience is not necessarily worth the tradeoff. Most of these lock screen vulnerabilities require a combination of physical access, time, and misconfigurations. For me, the risk will be low, as I know where my phone is at all times. It is never out of arm’s reach or beyond my line of sight. While I may not be the norm, there should be customizable security options to reduce these annoyances and allow the user to accept some risk for their desired features. I am comfortable with an OS that warns me of such risks. I just want the option to choose and to have my tools working as efficiently as possible.
2 thoughts to “Security vs Functionality in Android Marshmallow: Locked Screen Apps”
Ben: Thank you very much for a good read and the time it took me to finish and save it as a PDF for later friendly discussion. This is my first time on this site; it was worth the reading, and I will with pleasure share it over the social media I currently interact with. I am from Cuba, working in IT, and I am a proud, hungry-minded GNU/Linux and Android user. I must say, this article was nicely written and well pointed about security over functionality. Not many people care about these little details nowadays. For me, I found not only a nice, clean article to read, but also some tips and good reasons to stay sharp when it comes to securing the device. There are thousands of apps for locking the screen, and the good thing about some of them is that they in fact lock the screen and won’t allow anything else to show up (those sound good to me). Other apps I have seen/tried lock the screen, but somehow they have tons of useless switches and buttons to enable and disable many things on your device, and yet they sound functional and even handy for a person with many things to do and for someone who gives their phone a higher value over the rest of their life and over the rest of what’s good to be looking at… Here is my situation: on Android 6.0 the lock screen will always allow you (when you swipe down the screen, even if locked!) to change some of these controls (Data Wifi, Bluetooth, Sound, …) from the Quick Settings, which are related to System UI Tuner, and I just find it not very secure and really annoying. I am serious. Now, if you change/remove some of these controls, or all of them, by editing the settings in the System UI Tuner, it will only show the brightness control and nothing more. It’s not what I really wanted, but it’s close to something safer. I happened to read your article and now would like you to do some tests. If you see what I mean, you are welcome to come back to me and we can talk about it. For now I don’t know if it’s a bug or if there is something wrong with Android 6; I have seen other/earlier and it doesn’t work like that. Thank you for taking your time and reading it.
Thank you for your support on the article. I believe the ability to reach the dropdown menu for Quick Settings on a locked device is considered to be a user feature. During my tests, I was not able to bypass the password entry by manipulating the settings. There have been bugs on the locked screen in the past though, so this may just be a matter of time until a new one is identified.
Reducing the options available on your phone to only control the brightness is a good policy by limiting the potential attack surface. However, I am not sure how much additional security you are gaining. Toggling the WiFi or Flashlight might allow someone with physical access to drain your device’s battery faster. However, the bulk of the phone’s features, apps, and files remained hidden behind the locked screen.
A worst-case security issue involving toggling the WiFi and getting the phone to connect to a malicious access point where background functions may be intercepted does not seem feasible to me. In any case, thank you for your support and your solution to Quick Setting functions being available while the phone is locked.