How Google Chrome ID Check will soon keep your data safe

Android smartphones can store large amounts of sensitive personal, medical, and financial data, making them prime targets for thieves. That’s why you should enable Google’s just-announced anti-theft feature to prevent thieves from leaving your phone unlocked after stealing it. However, even if Android’s anti-theft features can’t lock your phone after it’s stolen, there’s still a chance it can protect your data. Apps like Google Chrome can protect your data even if a thief with a screen lock steals your phone.

Now, if a thief peeks over your shoulder and sees you entering your phone’s lock screen PIN, pattern, or password and then steals it, not only can he unlock your phone at any time, but most You can also access many sensitive apps. This is because many apps that require you to authenticate yourself before accessing certain data allow you to enter your lock screen PIN, pattern, or password instead of using biometrics like your face or fingerprint. Not all apps do this, but those that do can be cracked by thieves who shoulder surf before stealing your phone. This is an issue that is expected to be resolved by Android’s upcoming ID checking feature.

Identity Check is basically the Android version of Apple’s Stolen Device Protection. When ID checking is enabled, users are forced to use biometrics to unlock apps, even if they normally only allow a lock screen PIN, pattern, or password. Masu. Last week, Google announced Identity Check, which enables the use of biometrics to “access important Google account and device settings, including changing your PIN, disabling anti-theft protection, and accessing passkeys from untrusted locations.” He said it would be mandatory. Google didn’t provide further details, but it did provide evidence that ID checking will protect some sensitive data in Google Chrome for Android as well, and that the feature will only work in the next release of Android 15. I confirmed.

Last month, frequent Chrome post Leopeva64 discovered a series of code changes in Chromium Gerrit tagged “idcheck.” He discovered that one of the code changes added a new Chrome flag that “enables Android ID checking for targeted features.” The flag’s description says, “This feature requires biometric re-authentication before entering a password or any other action that is or should be protected by a biometric check. ” is stated. After learning that these code changes were tagged with “ID Check,” we decided to dig a little deeper to see if these Chrome changes were related to the Android ID Check feature we discovered a week ago. I made it. As it turns out, the Google Chrome team is preparing to support the exact same feature.

With one code change, the Chrome team added new code. GetBiometricAvailabilityStatus method that returns kRequired If ID checking is turned on (that is, biometrics are required), kAvailable If biometrics are available but optional, kAvailableLSKF If biometrics are not available, and kUnavailable If there are no device authentication methods available. This method has been added to various parts of Chrome’s codebase, including the code for Chrome’s password autofill feature. It has also been added to code related to payment methods, sync settings, and incognito mode, so Chrome requires biometrics to access these settings even when your phone is outside of a trusted location. suggests that it is possible.

The new Chrome code confirms that ID checking is only available on devices running the upcoming December 2024 release of Android 15, or Android 15 QPR1. One code change explicitly mentions: MandatoryAuthenticatorControllerImpl “Only instantiated in Android version V and higher.” (V refers to vanilla ice cream, the dessert codename for Android 15.) MandatoryAuthenticatorControllerImpl This is useful for setting “required authentication bits that should limit fallback to pin or pattern for biometric prompts”, and the comment therein says “ID checking is enabled if the build is not V-QPR1+”. It is explicitly stated that “No.” ” Therefore, ID checking will only be available on Android 15 QPR1 and later. This is consistent with our original report on this feature.

Google hasn’t confirmed that Identity Check requires Android 15 QPR1, but all signs point to it being a possibility. It has also not been revealed how the feature will work, but as far as we know, Google has rolled out a server-side update to the Google Play Services app that includes a new “Required Biometrics” setting. They are planning to add it.

Turning this on will enable ID checking and the app will only accept biometric authentication. Google Chrome is preparing to add support for ID checks, but it won’t be rolled out until a “required biometrics” setting is available. This will likely happen in December, coinciding with the release of Android 15 QPR1.