I got an idea the other day when I was looking at my co-worker’s <a href="//gzht888.com/tagged/iphone-x" target="_blank">iPhone X</a> sitting on a desk. I thought that I could have mistaken it for my own phone, since iPhone X comes in two colors and you have a 50% chance of having the same phone color as any other person. I was thinking that if I did mistake it as my phone and entered my passcode, I’d basically be transmitting the key to all of my personal data.
Companies Mentioned
I got an idea the other day when I was looking at my co-worker’s iPhone X sitting on a desk. I thought that I could have mistaken it for my own phone, since iPhone X comes in two colors and you have a 50% chance of having the same phone color as any other person. I was thinking that if I did mistake it as my phone and entered my passcode, I’d basically be transmitting the key to all of my personal data.
That led me to think about how hard it would be to reproduce the iPhone X’s lock screen and spoof one of my own. It turns out that with some experience with iOS development, it’s not that hard. Thanks to the iPhone X’s Super Retina display, a screen full of black pixels is indistinguishable from a device that’s asleep. And thanks to the omission of the home button, and a public API for disabling the swipe to go home gesture, I was able to make a pretty convincing copy of the iPhone X’s lock screen. Your mileage may vary if you’re trying to spoof other iPhone X models.
Oh also I just decided to call it “DeadRinger” because I was inspired by security exploits like that basically have their own marketing departments. I wanted my app to have a slightly scary and trendy name as well.
On the left is the app, on the right is the real lock screen.
I uploaded the source code to a which has a pretty good README file but I’ll go into a bit more detail about some interesting code implementation for the rest of this post. If you want to watch the full demo video, you can watch it below:
Usage
I’m not suggesting you actually use this app but here’s the theoretical attack vector. You would load this app on to a phone that you supply (you’d have to be okay with losing it). The only change you would probably need to make is to the wallpaper image which should match the target’s phone. Swap your phone with the target’s phone and then wait for them to try to unlock their device. If the target has a case I guess you’d want to get the same one or swap it when you swap phones. You could theoretically write some networking code to transmit the entered passcode and then use it to unlock the real phone which you have in your possession.
The app works by entering the inactive state, which just shows a black screen and mimics the phone being asleep. Upon raising to wake the phone or tapping on the device, the lock screen will show up, then the passcode entry view will appear shortly afterwards. The user can cancel back to the lock screen and if they want they can tap to get back to the passcode entry mode. The app isn’t sophisticated enough to handle things like pressing the physical lock button but that’s considered outside the scope of this proof of concept. The app does intercept swipes up from the bottom which would normally take the user back to the home screen.
Implementation
Probably the most interesting part of the project is disabling the swipe to go home gesture. You can find documentation about the iPhone X methods for deferring system gestures . Here’s my implementation below, found in a UIViewController.
This prevents an initial gesture but if the user tries again then they’ll go to the home screen and your app will be defeated. Your target will also probably be really confused. There’s also code in the app that handles the visibility of the home indicator, since you want it hidden on the “inactive” screen but visible on lock screen.
With the home indicator logic out of the way, there are a few other tasks like making sure the phone doesn’t really go to sleep. This has been possible since iOS 2. The line of code to accomplish that is
UIApplication.shared.isIdleTimerDisabled = true
To recreate the tilt to wake feature, I use a CMMotionManager to sample the device’s pitch. I just guessed that 0.5 would be a good value but it could probably be tweaked a bit. If the device is put back down, it will go to the inactive state, but not while a user is entering the passcode. The real device also seems to wake on a delay so I used a Timer to handle that state change.
TODO
I’d say my recreation of the lock screen is just about good enough to convince most people that they’re using the real thing, but there are a few nitpicks and details that I didn’t get to in the interest of time (since I’m not actually going to use this app to steal anyone’s passcode).
The camera and flashlight buttons on the lock screen have a cool 3D Touch effect that requires you to push with force to get them to fire. I didn’t implement these because I don’t want my target to take a photo, I want their passcode. The flashlight one would actually be simple enough to implement though.
iOS 11.2 has a special control center indicator on the lock screen that I haven’t implemented yet. I would just need to do a check on the OS version and add the view if I’m on iOS 11.2 or higher.
There are some cool transition animations in the keypad when going into the passcode entry mode in the real view that I haven’t recreated yet. The buttons animate on a slight delay from the bottom up and have a slight zoom animation in. The average person is not going to notice the difference, though.
There isn’t a way to get the real notification center items from a user’s device and put them on another device so I’m not going there. For some people I guess the lack of a billion notifications would signal that something is fishy.
Possible Solutions
I think there are a few ways to solve this “vulnerability” (which I put in quotes because it doesn’t seem too terrible to me). One solution would be to include a “personal security image” like banks do on their login screens. It’s also pretty easy to defeat, though, if you know the target’s image. Plus it’s probably too tacky for Apple to implement.
Another solution would be to add a hardware feature like an LED that lights up when you’re entering something into an OS control. There’s precedent for this like how the MacBook camera causes an LED to light up when it’s on. This would also mitigate some that have popped up. As long as everything is replicable in software there’s always a way to spoof it.
As a user you could also immediately cover your phone in stickers or something easily identifiable. Or keep your phone really dirty. Or find some other way to .
As our phones become the center of our universe, it makes a lot of sense to treat security as a top priority. Hopefully Apple can do something to make our lock screens more secure from spoofing!
Disclaimer
Please don’t use this app to steal someone’s passcode. That’s not cool.
Conclusion
I made this app solely as a proof of concept, and I had a lot of fun figuring out the solutions to some technical problems as outlined above. It was also fun trying to get the design of the app as close to the real lock screen as possible. I learned quite a bit about supporting some new iPhone X features and hopefully you’ve learned something from this article as well! Check out my for more details and feel free to contribute if you’re able to tackle any of the TODOs listed above.