Podcasts - Season 6, Episode 6
The Android features stopping thieves in their tracks
Find out how to use these three security features and keep your personal data safe

Sandra Guo, product manager for Android security, is not a thief. But with 14 years of security experience at Google, she knows when to expect one. 

Sandra recently stopped by the Made by Google Podcast. Tune in to this episode for her take on how Android keeps your device and data safe before, during, and after a theft attempt. 

AI-powered defense  

Imagine you’re on vacation and mapping to your next destination, and a thief on a bike plucks your Android phone right from your hands – unlocked and all. Now Theft Detection Lock can help keep your data safe. If your device senses someone has snatched it and is trying to run, bike, or drive away, it locks automatically. Sandra explains how the AI works, and how it can even keep you from making accidental back-pocket calls. 

Lock down your lost Pixel device 

Thieves may be smart, but Android is smarter. If a thief takes your device offline to steal your info or to avoid a remote wipe, Offline Device Lock kicks in – it automatically locks your phone if it’s been offline and unlocked. No more snooping for those thieves. 

Once you discover your Android phone is lost or stolen, you can also lock it down with Remote Lock. Visit android.com/lock to lock your device with a verified phone number. Then you can regain access to Find My Device [1] to help locate it or remotely wipe your data.

Real-world testing for real-world protection 

Phone thievery is booming. Take Brazil, where 97 phones are robbed or stolen every hour [2]. On the podcast, Sandra shares how the Android security team beta-tested Theft Detection Lock, Offline Device Lock, and Remote Lock in Brazil in the early summer of 2024 to great acclaim. Now, you can access all three on most Android 10+ devices. Head to Settings > Google > Theft Protection to enable them today.

Tune in to the Made by Google Podcast to hear Sandra tell the story of the Android security team trying to catch unsuspecting colleagues off guard – all in the name of testing. 

Transcript

Sandra 00:00:00 When we were developing and testing this feature there, we literally have colleagues simulating the situation, walking with unlocked phone and colleagues coming up from behind and snatching the phone in a runaway. And there are different scenarios that we learn from our market research and then we try to act it out and simulate it in a lab setting.

Voiceover 00:00:19 Welcome to the Made by Google podcast, where we meet the people who work on the Google products you love. Here's your host Rachid Finge.

Rachid 00:00:27 We just launched something new in Android. It's called Theft Detection Lock, which keeps your data safe if someone snatches your phone. To learn more, we're talking to Sandra Guo, a product manager on the platform security and privacy team.

Voiceover 00:00:41 This is the Made by Google podcast.

Rachid 00:00:43 Sandra, have you ever had your phone stolen and did that make some sort of lasting impression on you?

Sandra 00:00:51 I have lost many phones and I'm not sure if it was stolen. It could have been or did I misplace it? I never quite know for sure and when it happened it was always a shock. It was like, oh, did I misplace it? And usually I go through the steps of trying to locate it. This also goes back to the time even before self location was available and I go through it and in the most recent cases I did find my device and I was able to locate the device in a parking lot and then heard about the more recent phone snatching cases in cities like London, in countries like Brazil made me very worried that if I were in that situation, what would I do?

Rachid 00:01:36 So hopefully we have something for all our fellow Android users. But let's start at the beginning. You're a product manager, you work on platform security and privacy and most recently phone theft protection that recently launched and also the new feature drop for our fellow Pixel users. But let's rewind the clock a little bit. You've been with Google for 14 years, which is an amazing tenure. Have you always been working on Android while you were at Google?

Sandra 00:02:03 No, I haven't always been working on Android, but I have always worked in security. I actually studied security as my specialty when I was in college. Then I interned on the security team at Google, so I joined the data protection team afterward and I worked in cloud security and worked in privacy and most recently Android privacy and security. So my entire career has been in protecting user’s security and privacy.

Rachid 00:02:30 So there is some sort of a transition going from let's say traditional cybersecurity into which I guess you could say is more physical security now in a way.

Sandra 00:02:39 Yes, exactly. It makes quite impact on me to think about my work directly impact the daily lives of the user in a very direct way. It's not theoretical, it's not cyber, it's not remote, it's actually physical protection of a physical device and the data that it holds.

Rachid 00:02:57 So let's start with that problem phone theft. I imagine if you're gonna design a feature to prevent issues when something like that occurs, you're probably gonna do research and see some sort of statistics on, you know, how often does this happen? What are the kind of numbers you can share there?

Sandra 00:03:12 The numbers are kind of horrendous. When we started researching this, we initially heard this from Brazil and the numbers that we found there was every hour close to a hundred cell phones were robbed or stolen and this number was in 2021 and it was only getting worse with every year passed.

Rachid 00:03:29 So if I were to leave my phone in a bar for example, for a thief to actually extract data from it, the thief would need maybe my pin code on my phone or it would need sort of the ability to replicate my face maybe or a fingerprint. So let's talk about theft detection lock, which is new. What kind of scenario did you have in mind where it would actually help against a thief being able to get stuff from my phone?

Sandra 00:03:55 Yeah, I think the foundation assumption that we have is if a phone has properly set up PIN or decent quality of biometric sensors, if it's properly configured, it is safe once in a locked state. However, the exploit that we have seen increasing globally is more targeting unlocked devices. So I give you a very common scenario that we've pieced together through user research in a metropolitan area. Let's say London, a user is walking around with navigation on the phone and he's like, you know, let me see where is Westminster Abbey, I wanna go look at it. And walking around with the phone running navigation and the attacker on a moped drives by just grab the phone from the user's hand and mopeds away. The phone is in an unlocked state. Now what do you do? And with access to an unlocked device, the attacker can get into all sorts of sensitive surfaces. He can go in there to reset your bank password and then from there transfer money.

Rachid 00:05:02 Exactly. Because when I'm walking through London, I'm using navigation and someone snatches my phone, they would just swipe away the navigation app and then all the apps are, you know, they can make a phone call, they could open my inbox. All these kind of things are possible, right?

Sandra 00:05:17 Exactly. So what we heard is that when the thief swipes the phone in an unlocked state, the immediate thing the thief does is try to do things like turning on the camera to try to keep the phone from automatically locking itself. Right up until this point, as long as the phone is in use, it stays unlocked and then the attacker would motor to a safe hiding spot and now he has time to exploit information on the phone and he may even be able to disable the Find My Device setting. Then even if the user gets to a portal to try to remotely lock or wipe the phone, the phone is disconnected. And then from there the thief can reset bank password, go to the photo albums to see other photos of credit cards and passwords, uh, passports. I have all of my passports in my photos album, which is terrible. Identity theft, steal bank information, see what saved password that user have in the password manager and go all into all those third party services to buy stuff. Well you may have heard like they buy things on Amazon and deliver to addresses that they can go pick up, order food delivery, which is ridiculous really. Yeah, it showcases the kind of widespread exploit that's available once the thief has an unlocked device.

Rachid 00:06:36 So let's talk about the solution now because in Android there's a new feature called Theft Detection Lock. How does Theft Detection Lock help in that scenario?

Sandra 00:06:44 Yeah, so we really have to help the user to lock down the device before the thief gets too far from exploiting the data on the phone. So how fast is fast, we realize that if we make it automatic, it can be immediate. Like even the phone is taken away from the user. If we're able to detect that, then we can just lock screen and we know that lock screen is in a safe state. When that happens, the information is safe. So that's why we looked at different ways to try to detect when a device is taken away from the user. And that Theft Detection Lock feature came to be, we talk with our activity recognition team and Android, that same team that developed the Car Crash Detection for detection, we brainstormed ideas, we're like, yeah, there should be signals that we can analyze to model the behavior when a phone is snatched away from the user. And then we use AI to automate that to make it really pretty accurate to say like here are the phone snatch scenario and this is behavior of various sensors on device and we use AI to build a model for that. And then we use that to predict the next time similar activity to happen and whether it's a snatch or not.

Rachid 00:08:00 So what kind of sensors are you looking at in order for the AI to understand what is a theft situation?

Sandra 00:08:07 We start with a motion sensor on device to try to detect the jerking motion when a phone is snatched away. And then there are additional sensors on device that we use to confirm the assumption that, was it a snatch or was it just someone clicking a phone into its holder or drop a phone on the ground?

Rachid 00:08:26 So let me get this right, I'm walking on the streets, I'm using navigation, someone rips the phone outta my hand. And then we have AI looking at all sorts of sensors on my phone to see if that motion was sort of someone, you know, grabbing that phone outta my hand. Maybe they're running away with it. It would detect that as say, hmm, this is suspicious and it will as a preventative measure lock my phone. And then you also had to build that in such a way that I guess pretty certain that it is a theft scenario because as you mentioned, if you, you get it wrong, most of the time people will maybe someone's dancing and then suddenly you know, it locks itself and people will turn the feature off. So you have to prevent that as well.

Sandra 00:09:03 There is an upshot of this that is because it's motion based usually when it fires, even if it's a false positive, and I will say that most of the triggering would be false positive, otherwise we live in a terrible, terrible world. Or just, I don't wanna caveat that, but because it's motion based, when it fires usually it corresponds to a natural break in a user's flow. It shouldn't be that interruptive. The user may not even notice it because average user lock and unlocks their devices like over a hundred times every day. So we try to introduce friction, we'll try to introduce friction in a way that's, you know, innocuous.

Rachid 00:09:40 So it might be locking when I was putting my phone in my pocket anyway.

Sandra 00:09:44 It shouldn't matter if your phone drops on the ground, it locks. Right. It shouldn't be a big deal. Yeah.

Rachid 00:09:48 Because you mentioned some other features and I think it's important to highlight how Android can help before theft, during theft and also after theft. So that's sort of recovery options after a phone was stolen. So, could we walk through all three of those? Maybe start with before theft then what kind of protections do we have there in place for Android users?

Sandra 00:10:08 Before theft? We actually thought about that the best way to prevent theft is to just lower the incentive of theft. So the thief doesn't think it's worthwhile to steal our phone. And how do we do that? We already have this feature called factory reset protection. What it does is if someone resets the device without the proper credential of the previous account that was already set up on the device, then the device cannot be reset. If it cannot be reset, it cannot be resold because nobody's gonna buy a phone with someone else's account on it. So that's like first step, right? We cut down the incentive and once a theft scenario is happening, they will actually walk you through the journey of the victim. I was telling you that this person walking around London got his phone snatched and immediately at that moment before the user is able to react, the phone will try to lock itself or try to detect is there a snatch motion that just occurred?

Sandra 00:11:09 If we did, lemme lock myself. That is automatic. But what if thief takes the phone in a very non-conventional way, like slowly right? And then walks away, it may not fire. So the user still has to react quickly to make sure the phone gets locked. And when that happens, we know that time is key. We have Find My Device portal already the user can log in with your Google account to lock your device, wipe your device or locate your device. So those are solutions that existing, but when we research why users are not using it quickly in the, in the separate scenario, we very quickly discover that first of all the user is in shock. Mm-hmm. And also many users don't walk around with their laptops, they only have a phone. Yeah. Now you have to go borrow a device, maybe a friend, maybe a family, maybe a bartender's device and you borrow the device and now you have to enter your Google account credential to log into the Find My Device portal, right?

Sandra 00:12:08 That's where the friction is. Without the assistance of a password manager, many users can't recall their Google account credentials off the back of their head when they're in a panicking situation. They just got robbed and the phone just got stolen. And usually it takes several tries and they may have to go through account recovery in order to get back their credential. All of this is before they're able to react and to remediate the fact that device is lost and try to lock that device down, it takes too long before this whole recovery resolve. And that's where Remote Lock came to be. You go to android.com/lock and all you have to do is to enter the verified phone number, maybe a simple security challenge if you set, if you choose to set one up. But those are information that's very, very easy for the user to remember and input and you just click on secure.

Sandra 00:13:03 You can do this within minutes of the device go missing to remotely lock securing of the device and we'll buy you time to explore how to get back your credentials so you can log into Find My Device portal to do more advanced remediation. I wanna stress that Find My Device portal is still the recommended place for users to go to locate, to wipe, to do any sort of advanced remediation for their missing devices. But Remote Lock gives user an option to react quickly to lock down the phone while they carry on those more advanced remediations 'cause time is of the essence here. So where are we in the thief’s journey? If the phone is taken, Theft Detection Lock may or may not have fired. The user run to a bartender, input his verified phone number in the android.com/lock, remotely locking of the device. Right, now he can go maybe locate, maybe wipe the device if he's certain the device is, it's gone.

Sandra 00:14:08 Another one of the deterrent that we built in is the Offline Device Lock. So what that does is, again, it's based on a typical attacking behavior that we've learned from, uh, thieves that when they get a hold of unlocked device, they actually take it offline. User get to, you know, Remote Lock, get to Find My Device, they're not able to reach the phone 'cause the phone's offline, right? And now the thief has all the time in the world to explore the content of the phone. So that's why we created Offline Device Lock. It is that new in Android as well? It is. It's part of the protection suite. So the idea here is the feature would detect when a device goes offline, becomes offline for prolonged period of time. And when that happens it will off screen. Mm-hmm. It introduces a very simple friction to limit this amount of time after device becomes offline. The time window that someone has to explore its content before having to authenticate again.

Rachid 00:15:10 I imagine maybe thieves listening right now thinking, oh an Android phone is maybe not worth it to steal it because it's gonna lock itself anyway when I try and grab it when I'm on my moped. Right?

Sandra 00:15:20 Exactly. And then Android phones is too smart. The main goal right, for, for building in all of these protections is to make it so difficult for an unauthorized person to take advantage, exploit a device that in the thief leaves it alone.

Rachid 00:15:37 Now Sandra, going back to Theft Detection Lock, there is one question I've been dying to ask you and it's this, how do you test or in Google language, how do you dog food theft and how do you train that system to learn these scenarios?

Sandra 00:15:50 You know, Android beauty becomes a very dangerous place when we dog food is this feature

Rachid 00:15:54 [Laughter].

Sandra 00:15:57 We actually literally have colleagues when we were developing and testing this feature. They're, we literally have colleagues, you know, simulating the situation, walking with unlocked phone and colleagues coming up from behind and snatching the phone on a runaway. And there are different scenarios that we learn from our market research and then we try to act it out and simulate it in a lab setting.

Rachid 00:16:19 You might be pinging colleagues like, Hey, does anyone have a moped? Because we need it for testing.

Sandra 00:16:24 Oh yes, there's, there's cars, there's moped, there's just good old fashioned running. There's quite a number of scenarios that we've tested. So you know, in the office and we say like, you know, let's try this outside, let's go outside for this. And then we open it up for what we call dog food within the company. And we turn on, we actually turned it on by default for everybody in the Android security org at one point and to see whether introduces too much friction, whether user can live with and how accurate it is. And we have a lots of security minded folks in the team that give us many valuable feedbacks, also many valuable complaints that we've made improvements on. And then after that we also did a beta pilot program in the real world in Brazil over the summer we launched the three features to all users in Brazil, Google for Brazil back in June.

Sandra 00:17:22 And the features were available to the public in August. We got like real world test by users that live in a country that concern about theft and live with this feature and try this feature. And we got positive feedback from the market and we got very positive results as well. And were able to, uh, really observe what this feature is like in the wild, how often user engage with these features and what are the patterns that user interact with this feature and any improvement that we can make and that we made before bring this feature to the rest of the world.

Rachid 00:18:00 Well those are three amazing new features in Android. Just send out quickly, anyone who now has theft protection features in their hands, where do they go to turn them on?

Sandra 00:18:09 Yes, it's very easy to find. You go to Settings, Google, Theft Protection and all three features are there for you to enable.

Rachid 00:18:17 Well Sandra, thank you so much for introducing these new features to us on the Made by Google podcast and let the world know, and especially the thieves among them, better not steal an Android phone because it is definitely not worth it.

Sandra 00:18:29 That's correct. Thank you Rachid.

Rachid 00:18:31 Thank you Sandra.

Voiceover 00:18:32 Thank you for listening to the Made by Google podcast. Don't miss out on new episodes. Subscribe now wherever you get your podcasts to be the first to listen.

  1. Find My Device network requires location services and Bluetooth to be turned on. Requires cell service or internet connection. Works on Android 9+ and in certain countries for age-eligible users.

  2. Source: Anuário Brasileiro de Segurança Pública 2022, Os crimes patrimoniais no Brasil: entre novas e velhas dinâmicas