Android Jelly Bean Face Unlock ‘liveness’ check easily hacked with photo editing

by: J. Angelo Racoma, August 4, 2012


Google improves Face Unlock on Jelly Bean by requiring users to blink, but even this can easily be spoofed through image editing.

When Android Ice Cream Sandwich was released, one of the much-touted features was Face Unlock, which supposedly made the smartphone more friendly in terms of user experience. The phone unlocks just by “seeing” the owner’s face. Unfortunately, this was found to be insecure, as the Face Unlock feature recognized even static photos of the owner.

With profile pictures easy to access through social networks, Face Unlock could easily be circumvented, which defeats the purpose of securing the lock screen in the first place.

Jelly Bean adds another layer of security, which supposedly ensures “liveness” by checking whether the person is actually moving. For this purpose, the software checks for a blink after the initial scan. After you blink, off goes your phone’s lock screen.

Again, though, this system has been easily circumvented. This time, it requires a bit of photo editing on the hacker’s part. Because the user is supposed to blink to prove he or she is the real deal, Jelly Bean has to be fooled into thinking that a blink has occurred, and simple photo editing is enough to do that.

  1. First, find a fairly recent image of the smartphone or tablet owner. Facebook should be a great source.
  2. Using photo editing software, paint over the eyes with the same color as the surrounding skin tone.
  3. Flash the photos alternately to simulate a blink.

It seems Jelly Bean cannot differentiate between a real blink and one that involves some image editing. While we wait for Google to fix these issues, the Face Unlock feature is likely to remain just a novelty on Android, and we don’t recommend using it if you keep sensitive data on your mobile device. Use a PIN, password or pattern unlock instead. And if it interests you, other platforms also have innovative ways of securing lock screens, such as Windows 8’s picture password feature. It’s also rumored that Apple may include fingerprint scanning on iOS devices, after it acquired AuthenTec in July.

Check out the video below for a sample of how Jelly Bean’s face unlock feature can be tricked.

  • Well, obviously this would end up being “hacked”, but if someone is willing to go through this procedure I’m pretty sure there isn’t anything that would stop them. You know, you can also fool a fingerprint reader..

  • If a person has a good photo of you and steals your phone the user is usually in bigger trouble than that.

    The thing people should not do if they have face unlock enabled is to put the owner information into the lock screen. THEN the thief would be able to get a useful picture out of the social networks. But without it, the thief usually wouldn’t have a photo or know the name, I guess.

  • Angelos

    Yeah, but the thief is not going to know what my face looks like and start looking for my photos through Facebook or whatever, Dude!

  • perfectlyreasonabletoo

    It’s not intended to secure Fort Knox, people…

  • People who steal aren’t as smart as people in these communities. Unless it’s music :P