On last week s episode they were discussing the new Location based smart lock and the ability to ...

[G+_kenny maggic]

On last week’s episode they were discussing the new Location based smart lock and the ability to spoof the locations in order to gain access to the device. It was stated that you could connect a phone to your PC and use ADB to spoof a location, I have tested this and yes it is completely possible to spoof the phones location into thinking you’re at a trusted location, however it not super easy.

In order to spoof a location on the device you have to have a few things in your favor, not only must ADB be enables but so must Allow Mock Locations, then you need an application installed on the device that can spoof the locations as you cannot send spoofed location coordinates via ADB. 

Even if someone had ADB and Mock Locations enabled you would need access to their device (unlocked) to configure the app with the spoofed location and then enable it, at this point your are already in the device so you can do what you want anyways.

I tried using guest mode to circumvent this but guest mode does not have access to developer options nor does any users the owner sets up on the devices ONLY the device owner has access to the developer options to enable mock locations.

Google’s implementation of trusted locations is actually pretty secure from a spoofing stand point as it relies on GPS and not Wireless AP’s. I have not tested this but devices that use trusted Wireless APs is pretty insecure as you can spoof or tick devices into connecting to APs they have in their trusted / previously connected networks list by using a modified AP  or a PC running special software with an appropriate card.

Just remember that when you’re in a trusted location your device will be unlocked for anyone who picks it up unless you hold the lock icon to tell the device to require your pin code on the next unlock regardless of your trusted location, devices, or face.

Sorry for such a long post.

#Lollipop #trustedlocation #smartlock

[G+_Jerry Ham]

I remember thinking the same thing when I watched the episode. I was on the treadmill at the time and yelling at the screen "you can only do that if developer mode is on and USB debugging is enabled!" (I didn't realize you needed an app too though.)

[G+_Brandon Taylor]

Jerry Ham??? yes the app is to set the spoofed location but its mock locations that you really need enabled not adb so unless your a developer testing location based apps or you frequently spoof your location you most likely only have ADB enabled which means you location can't be spoofed ?

[G+_Paul Werner]

Nice post and I think this should be featured on one of the future shows.

[G+_Brandon Taylor]

Paul Werner Thanks!

[G+_Neil Sedlak]

The speculation also bothered me. If it's anything like the trusted Bluetooth device features that currently exist, it's necessary to unlock manually once before it activates, and it immediately locks the phone once the trusted device disconnects or goes out of range. It's a non-issue.

[G+_Brandon Taylor]

Neil Sedlak it does immediately lock once you leave the area however it does not require an unlock before activating when you enter a trusted location. Once you enter the trusted location it is unlocked.

That being said this is still a pretty secure method as it can't be spoofed with out unlocked access to it.

If you are truly security concerned don't use this and use a password only not a PIN code.

[G+_Neil Sedlak]

Brandon Taylor? That's unfortunate if it doesn't require at least one unlock, or have the option to require it.

[G+_Brandon Taylor]

Neil Sedlak unless its some sort of bug in the code, I set up and tested a trusted bluetooth device this morning and it didn't require a pin unlock the first time either i simply turned on my bluetooth speaker wait about 10 seconds or so an hit the power button on my Nexus 5 and my pin code was not required.

 

I agree would be very useful that Android requires authentication the first time the trusted device, or location was in range which gives it a little more security, but It is much more convenient to not require that as it is much more magical that way, plus if your really security concerned you wont be using Smart Lock anyway.

[G+_Neil Sedlak]

Brandon Taylor?? Are you sure you aren't testing with the phone already unlocked (screen on) and/or with a lock delay? My lock is set to immediate on screen off using a PIN. Turning off Bluetooth, turning it back on then turning the screen off immediately before it reconnects results in it requesting the PIN despite showing the trusted device icon in the status area. ?

[G+_Brandon Taylor]

Neil Sedlak? I have my phone set to lock at 15 seconds except when I hit the power button but I tested it with my phone set to lock immediately and same result

 

I have my phone on and connected to trusted device if I hit power to turn screen off then hit power again it is unlocked as it should be.

If I hit power and shut off screen then turn off my bluethooth device then hit power I have to enter my pin, in my testing I did not enter my pin I just hit the power button to shut my screen back off, then power on my Bluetooth speaker wait 5 to 10 seconds to make sure it is connected. I hit the power button and its unlocked by smart unlock

 

I can try and record a screen cast here in a bit demonstrating it?

[G+_Neil Sedlak]

Brandon Taylor?? I'm using a Moto 360 and a Droid Turbo, and my device remains locked after the 360 reconnects. I power cycled the 360 this time instead of Bluetooth on the phone. I can even pull data from the phone to confirm it's connected and it's still at the PIN input. I can only assume that Motorola has put together a better implementation, and I'd recommend you file a bug report for what Google has done. It's completely broken to not request an initial unlock. ?