I am a real small dude that runs a real small SaaS app for a living, but I won't fix 1-2 customer requests a week. I don't do it for fun, and I know they are really important to the user that asked for them. But at some point you have to have vision for the direction of a product, and build features for that product that get you in that direction.
Some PM at Google decided that a panic PIN was not worth coding. I am guessing they saw all the bad cases of it (my toddler typed 1234 and my phone bricked), and decided they would outweigh the good features. It seems a reasonable decision?
Does Apple have a panic PIN? If so, I am not aware of it...
In other words power + volume up means the key to unlock your phone is in your head, not at the end of your finger or your face.
Apple does not have a panic wipe pin.
Personally I think a wipe pin is reasonable, just be VERY sure you don't type the wrong pin in by mistake.
Also, I wonder... would it even work? How long would it take to wipe 64 GB or 128 GB of flash? Securely?
That's not relevant to the specific request that was linked here (and that's why I think Google was right to close it, this is for one very specific use case and one very specific mechanism of solving it that may or may not actually work):
"In my country (Russia, if you interested) policy try to force political activist unlock their smartphones for collect more evidence. They use tortures and threats of tortures for this. If you you can't unlock because it wiped they don't have motivation to use tortures."
That is, the phone already doesn't have biometric auth, and the police will (allegedly) happily torture you until you reveal the unlock PIN.
If you care about this data then you would encrypt it at rest. Having encrypted it at rest, there's a key; let's say it's a 256-bit AES key. So now when you throw away the 256-bit AES key the rest of the data is garbage, exactly as worthwhile as if you'd wiped it, but instantly.
A factory restore might take quite a lot longer, but as soon as that key is forgotten the data is gone.
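As an added illustration of the crypto-erase point above (example code written for this thread, not from any commenter or from Android): a toy Go model of a volume sealed under a random AES-256-GCM data encryption key, where a second, constructed "panic" PIN destroys the 32-byte key instead of unlocking. The cost of the erase is the same whether 64 GB or 128 GB of ciphertext remain on flash, which is why discarding the key is instant while a factory restore is not; `Volume`, `NewVolume`, `Unlock` and the PIN values are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Volume models encrypted-at-rest storage: only the random 256-bit DEK makes the ciphertext readable. PINs are constructed samples; a real device stores a hash.
type Volume struct {
	dek, nonce, ciphertext []byte // dek is nil once crypto-erased
	userPIN, panicPIN      string
}
// aead builds AES-256-GCM over a 32-byte key; neither call can fail for that size.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// NewVolume draws a fresh DEK and nonce and seals the plaintext under them.
func NewVolume(plaintext []byte, userPIN, panicPIN string) (*Volume, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	v := &Volume{dek: buf[:32], nonce: buf[32:], userPIN: userPIN, panicPIN: panicPIN}
	v.ciphertext = aead(v.dek).Seal(nil, v.nonce, plaintext, nil)
	return v, nil
}

// CryptoErase zeroes and drops the DEK: 32 bytes of work, however many GB of ciphertext stay on flash.
func (v *Volume) CryptoErase() {
	for i := range v.dek {
		v.dek[i] = 0
	}
	v.dek = nil
}

// Unlock decrypts under the normal PIN; the panic PIN destroys the DEK instead.
func (v *Volume) Unlock(pin string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(v.panicPIN)) == 1 {
		v.CryptoErase() // duress: the key is gone before any failure is reported
	}
	if v.dek == nil || subtle.ConstantTimeCompare([]byte(pin), []byte(v.userPIN)) != 1 {
		return nil, errors.New("unlock failed: wrong PIN or key already destroyed")
	}
	return aead(v.dek).Open(nil, v.nonce, v.ciphertext, nil)
}
```

Once `CryptoErase` has run, the ciphertext is still physically present but no PIN, including the correct one, can recover it.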
In the thread they mention that this would be a user-selectable option, so this case is covered. The audience would also be people with very special safety needs (whether truly activists or other professions), who certainly don't hand their phone to kids.
Disclosure: I work at Google, but my views are my own.
@parent, it doesn't really seem like the title is "misleading" given we know the feature does not exist. Although some might wonder if it did, so /shrug.
> It would be great to have the possibility to set second pin code which wipe your device without confirmations. [...] In my country (Russia, if you interested) policy try to force political activist unlock their smartphones for collect more evidence. They use tortures and threats of tortures for this. If you you can't unlock because it wiped they don't have motivation to use tortures.
My mental model of law enforcement in the US is that they don't become less inclined towards illegal violence if you anger them. If anything, I'd expect a "clear this subset of data, but go ahead and unlock the phone anyway so it looks normal" feature to be more useful.
(So I guess I think that this feature request needs more detail/discussion in order to be useful.)
What Eric meant is, implementing features isn't a coin toss decision. The effort of adding even the very simplest feature, and then testing it, and documenting it, and supporting it, is enormous, so all of that weighs against any potential feature from the outset. If your feature should go on the list that's because it scores "plus 100 points" against those considerations.
With Qualcomm, if I'm not wrong, it should suffice to, with FDE, (transparently, on entry of PIN) nuke the DEK (random key generated by Keymaster) and force a device reset; this does seem like an interesting use case for custom firmware and/or Magisk.
[1] http://bits-please.blogspot.com/2016/06/extracting-qualcomms...
Albeit, if this does end up being implemented in some manner, wouldn't the fallback be a "confiscate electronic devices first for forensics" approach?
How deep do you want menus to go? Do menus 10-15 levels deep really help the end user?
The old MS blog post about "minus 100 points" is a good analysis of this: https://docs.microsoft.com/en-us/archive/blogs/ericgu/minus-...
- The use case is considered too 'niche'.
- There is some concern that users will wipe their phones by accident and raise support tickets and/or engage in any other activity that causes additional work/cost for Google.
- 1st party support might step on various governments' toes by shipping this by default.
Building a feature like this would be tempting fate given the current climate at the AG's office IMO.