[liberationtech] cellebrite report
Tom Ritter
tom at ritter.vg
Wed Feb 27 06:06:16 PST 2013
The Passcode section of the report is blank, I guess indicating the
user did not have a passcode?
The article does mention passcodes:
> All modern smartphones can be locked with a PIN or password, which can slow down,
> or in some cases, completely thwart forensic analysis by the police (as well as a phone
> thief or a prying partner). Make sure to pick a sufficiently long password: a 4 character
> numeric PIN can be cracked in a few minutes, and the pattern-based unlock screen
> offered by Android can be bypassed by Google if forced to by the government. Finally,
> if your mobile operating system offers a disk encryption option (such as with Android
> 4.0 and above), it is important to turn it on.
The iPhone has a class of data that is encrypted when the device is
locked, and decrypted based off a key derived in part by the passcode
when unlocked. I think this, combined with separate passwords for FDE
and screen unlocking would be good classes of improvements we can make
in all mobile platforms (not just phones).
I'd also love to see some research into alternative, higher entropy
but simple-to-use screen unlock systems. At first I was thinking
something akin to a pattern unlock, but a path through a 3D maze: your
password is a series of turns, but even presented with five choices
five times the keyspace is too small. What keyspaces present a large
number of easy-to-parse options that fit nicely on a phone screen?
Maybe a map? I've seen a few attempts[0,1, and others] but I've not
been convinced they wind up with an order of magnitude more choices
than the baseline 10000 of a 4-digit passcode.
-tom
[0] http://www.youtube.com/watch?v=kHBjzlFalvA
[1] http://clam.rutgers.edu/~birget/grPssw/authSueE.pdf
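
The keyspace comparison the message reasons about, worked through as an added example (not part of the original post): it counts the 4-digit PIN, the five-choices-five-times maze, and a 3x3 pattern unlock. The pattern rules (4 to 9 dots, no dot reused, no stroke jumping over an unvisited dot) and all function names are assumptions of this example, and every figure is an upper bound that assumes uniformly random choice.

```python
import math

def count_patterns(min_len=4, max_len=9):
    """Count 3x3 unlock patterns (assumed rules: no dot reused, no stroke
    jumping over an unvisited dot that lies exactly between its endpoints)."""
    # Dots are numbered 0..8 row by row; mid[(a, b)] is the dot between a and b.
    mid = {}
    for a in range(9):
        for b in range(9):
            rows, cols = a // 3 + b // 3, a % 3 + b % 3
            if a != b and rows % 2 == 0 and cols % 2 == 0:
                mid[(a, b)] = (rows // 2) * 3 + cols // 2

    def extend(last, visited, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(9):
            if visited & (1 << nxt):
                continue
            m = mid.get((last, nxt))
            if m is not None and not visited & (1 << m):
                continue  # stroke would pass over an unvisited dot
            total += extend(nxt, visited | (1 << nxt), length + 1)
        return total

    return sum(extend(start, 1 << start, 1) for start in range(9))

def keyspaces():
    """Sizes of the unlock schemes compared, assuming uniformly random choice."""
    return {
        "4-digit PIN": 10 ** 4,
        "maze, 5 choices x 5 turns": 5 ** 5,
        "3x3 pattern, 4-9 dots": count_patterns(),
    }

def entropy_bits(n):
    return math.log2(n)

if __name__ == "__main__":
    for name, size in keyspaces().items():
        print(f"{name:28s} {size:>8d}  {entropy_bits(size):5.1f} bits")
```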