An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.
If biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism[1][2][3].
iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked [4]. Android has similar mitigations.
An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner's use of the lockscreen passcode.
Techniques have periodically been demonstrated that exploit vulnerabilities on Android [5], iOS [6], or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy |
Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make "using a longer, more complex passcode far more practical because you don't need to enter it as frequently."[7] |
| M1001 | Security Updates | |
| M1006 | Use Recent OS Version |