Lock Screen Widgets

Lock screen widgets work, and they work well – but there also are some troubling security concerns

Finally, we get our first real look at the new lockscreen widgets in Android 4.2. This is a feature that was teased at the outset, but our prerelease units have now been updated with them, and it's time to put them through their paces.

Actually, this update does more than just add the ability to add lock screen widgets. It changes the way you use the lock screen itself. Previously, you'd slide the unlock button to the left to quickly access the camera from the lock screen. That's gone. The camera app itself sort of serves as a widget. Slide one panel to the right, and there it is.

Also, we've now got a clock widget, free of charge. As we've already got the world clock enabled (see our clock app walkthrough for that one), it's visible on the lock screen by pulling down. Huzzah.

But the meat of this update is in the widgets you can choose to add. Calendar, Digital Clock, Gmail, Messaging and Sound Search. They're all there, ripe for the choosing. 

And that's where the big question of security comes in.

Here's how the lock screen widgets work with security set: You can view the widgets, and scroll them. That means you can view Gmail subject lines, and the first line or so of the e-mail. Same for the stock text messaging app. And that worries the hell out of us. Ditto for the calendar widget. You can't read the full text, but summaries are there.

Particularly troubling is that this exposes things like secondary verification codes from sources like Google's two-step authentication. Not the sort of thing we want to see happen.

Repeat: Subject lines and the first few words of an e-mail or text message are all visible in the widget even if you have a security lock set. Consider yourselves warned.

WidgetWidget
Oh, look -- there's my Google two-step verification code, easily visible by anyone. To say nothing of my inbox.

You can't add a new widget without first going through the security lock, so that's a good thing. You can, however rearrange the order of the widgets. So you can screw with your friends. (You also can take pictures with the camera without unlocking the phone. Even more fun to be had there.) A bit of good news here: If you try to swipe to the right from the camera app to get to the gallery (as you do in the camera app), you're challenged by security.

Google Now is accessed through that little ring at the bottom of the screen.

One other oddity is that while you can only add four widgets to the left of the main one, a screen with the "add" button remains at the far left, leading you to believe that you can add a fifth widget. But it simply doesn't work. That's an odd cosmetic blemish that we wouldn't expect to see in retail software, but there it is.

More on Android 4.2

 
There are 56 comments

Reader comments

First look at the lockscreen widgets in Android 4.2

56 Comments
Sort by Rating

I asked about that at work last week, our authentication is so much more heavy so this is like a uhhh.... wtf moment.

I recognize the security concerns with Emails, Calendar, and SMS...but the 2-step codes being exposed is not at all a concern...they're only valid for a few seconds anyway. Unless your phone is stolen within a couple seconds of you requesting the code, and the person stealing your phone already knew your initial password, and is also ready and waiting to enter it...you're still pretty secure.

That's the concern. If someone already has your phone, they can request the verification and get the code immediately.

Haha, it didn't occur to me that it would work that way cause I use the Authenticator app...which would be safe behind the security. Yeah...that would be a problem then=/

The whole point of 2 factor is to prove you have the phone (the second factor), the person holding the phone passes that test... If you were going to worry about that then you should already be worried as they can on previous and probably this release be seen "flying by" the status bar.

As for widgets no one is forcing you to add any particular one.

Saying no one is forcing you to use something is a poor excuse for a security laps that allows people to portions of read your emails.

If this was Apple, you'd be screaming.

Its an embarrassment that Google should be forced to address.

I don't see what is to be addressed here. If you choose to use a widget that let you glance at what's in your inbox without unlocking, then obviously anyone with access to your phone will also be able to glance at your inbox.
It's no more a security issue than allowing users to not use an unlock PIN / pattern.

Agreed. If you are concerned about the security issue, then don't use those lockscreen widgets, just the same as if you are concerned about security, use a pin. If they made it so that you couldn't see the information on the widgets without entering a pin, what would be the point of have the lockscreen widget? Unlock your phone so you can see information before unlocking your phone? derp.

Exactly. There are options as per your needs. Tons of people use a normal lockscreen on not just Android but every other platform. That's according to how secure you want your phone to be. If that's not a security lapse, how is this one? Do not put the GMail or SMS widgets there.. simple!

Personally, I don't use a lockscreen pin. Just the "swipe to unlock" so these really would cause any "security concern" for me. I find it easier and more convenient to simply never let the phone out of my sight rather than have to enter a code every time I want to check something.

"I find it easier and more convenient to simply never let the phone out of my sight" says every single person right before their phone is lost/stolen...no one ever intends to lose their phone. DERP DERP.

This is +++++ for me.

I love the new lock screen widgets. It is easier now to check new emails and messages without having to log in and enter the pin or password every time I want to check my phone

I hope to see facebook, twitter, etc implement this feature in their widgets soon. I am not very concerned about the security issue mentioned by Phil.

Very excited now about this update

The way I see it, if you are using the widgets, you shouldnt be using a security code or if you are using a security code you shouldnt be using the widgets... I mean whats the point of fast access to that info from the lockscreen if you have to put in your password? Just done use that feature.Maybe a patch should be sent so that if you elect to use a password you cant add widgets to the lockscreen.. that would make more sense to me I guess

So what happens with the old lockscreen music controls, like when you have something playing with Play Music?

No doubt just a matter of time before there is a Google music lockscreen widget. I'd imagine the current lockscreen music controls haven't changed.

I played some music and locked my screen. It AUTOMATICALLY adds another widget to the right of the clock widget (before the camera).

Which app is that? I see the lock screen music controls broken for both the Google 'Play Music' as well as Spotify after the 4.2 update.

The security workaround for this is pretty simple...if you're going to need to pin unlock your phone to see a lockscreen widget, then whats the point, just use the same widget on a homescreen after you unlock. The point of these is for quick swipe access to common things (gmail, calendar, sms) without unlocking the device. If you want to use security (not everyone does), just don't use these widgets. But something like this also makes you wonder what the point of a lock screen is in general if we're just moving content from our homescreens onto the lockscreen! (unless we want security, that is)

Security concern?! Are you kidding me?! Nobody force you to put your email widget onto the lock screen. If you worry that other forks will see it then put in in your home screen, man.
You have the right to get naked, but nobody force you to do so. Why take off your clothes and worry others will see your stick?! If you want to take off your clothes, then just happy to see forks poking at yours.
Don't you think, buddy?!

Just names of email senders on the lock screen would be sufficient. Most people aren't too concerned that others know who the communicate with, (unless they are running around on their wife or something).

But the content of the message is a whole different matter.

That you got an email from your boss is no surprise to anyone.
The content of the mail might well prove a surprise to your buddy who picks up your phone while having a beer after work.

Its an uncharacteristic security flaw on google's part that is bound to cause some unsuspecting person problems.

If you had no control over what widgets were there, and couldn't remove them, THAT would be a security flaw. This isn't. Still, people like to bitch about everything these days.

What are you on? If you have the type of 'buddy' who picks up your phone, scrolls over to your emails, and reads them without your wanting him to... THEN DON'T USE THE DAMN WIDGET.

At most, the failure is not having a little pop-up warning that people might see parts of emails without unlocking the phone... but anyone moronic enough not to realise that should not be using a smart-phone.

I agree, the "security concern" is totally over-stated. In fact, I see this as MORE SECURE for me.

I haven't bothered with lock screen security in the past, because I prefer to be able to access my stuff quickly. Now, I can see important stuff instantly, and still have a pattern unlock so people can't make calls or do anything on my phone if they steal it. And of course it's all optional so there is no "downgrade" in security unless you opt for it.

Of course, this is all theoretical because it seems they only allocated 10 Nexus 4 devices to Australia =(

I hate having to enter a pin or pattern every time I want to get into my phone. Just install "Android Lost Free" from the Play Store and set it up. Then, if you're phone gets stolen, you can get on any web browser and setup a lockout, turn on the camera, microphone, etc. There's even a feature that will make a message box popup on the screen and, when the person clicks 'OK', it takes a picture of them with the front-facing camera and sends it back to the browser so you can see who has your phone. It's a pretty cool piece of software, and it's free.

You really have no clue...if they dont have to enter a PIN they can go in and disable the security apps/features!!! Do you think they are going to walk around using your phone for days/weeks with your info on it? If they are after your account they will immediately take control and lock you out of it. If they just want the device then they will initiate a factory reset and your stupid software is worth nothing.

Benchmarks and battery tests. Just to see if it really was the old unfinished software that was lowing the test and getting the bad battery. Thanks

Can you control the Ringtone volume from the lockscreen (with or without pattern/PIN)? This is probably my biggest gripe with the 4.1 lockscreen, and one reason I flashed back to HTC Sense. If I want to silence my phone quickly, I don't want to have to unlock first. It's not a security concern, anyway.

You can put the phone in silent (or vibrate) from the lockscreen. Just hold the power button. At least it works on the Nexus S with 4.1.

I'm not sure about this addition and I felt the same when I first saw it in use.

It's turned a well designed lock screen where I had more than enough options to open after unlocking into needless gesturing for the same task.

Come on, do I really need to have a preview when I can unlock and use the app then press the power key to lock again.

It seems a fussy backwards step when they could have simply had an edge to centre swipe to launch the camera, one on the others side for Google now and the current system in the middle only now two options have been freed up.

Am I alone in thinking its odd to do an amazing job simplifying the camera and then to clutter up the lock screen.

Could it be patent related? The new lockscreen mechanics are completely new. Never used on another phone before. The previous mechanics are in use by virtually of the others... could it be that one of them is about to get a patent on it?

Not a bad feature when you are waiting for an urgent email. You unlock the screen only when it has arrived and not every minute when this feature was not added.

You shouldn't keep security concerning text messages in the first place. Whenever I receive such a text message (mobile tan for bank transfer, 2-step verification, etc) I will delete the message right after I have used it. There is no use in keeping them, but it exposes the security means you're using.

Since you have the consumer release, can you do me a favor and try this command in voice search? "Set timer for XXXX". Does it use the timer app or set an alarm?

I'm using the OTA for the GSM Galaxy Nexus. I tried the command and it still sets an alarm for X minutes. Hmm, disappointing, but doesn't make a big difference to me.

I have been using widget locker, in Google play, for a long time now. It has no limitations on the number of widgets or the widgets you can use. It is far more functional than this new feature.

I've never had sleep/wake issues with it, and the one time it had a battery issue the developer fixed it very quickly. It will sometimes make you put in your security code/pattern twice, but that's a very minor annoyance compared to the amazing functionality and customization you get with it. Perhaps it works better with some phones than others, but with my 18 month old Gingerbread device it works great.

How does this compare to the app Widget Locker? I've been using that and security of certain widgets is a concern there too. The nice thing is you can disable the notification bar in Widget Locker. The only widgets I have on that screen start and stop my music and tell me the weather. No security needed there really.

The technical term is "don'tbeadumbass". If you're worried about people seeing your gmail headers and first line, don't put the gmail widget on the lock screen. Seems simple enough. It's sad that we even need to talk about something so obvious.

smh i really dislike this new lock screen, are we able to disable it and use the old on for 4.1 & 4.1.2 ?

*edit.
i take this back my nexus 7 just got updated to 4.2 and the lock screen is okay-ish
still find not so needed

I lost my ability to add a lock screen widget after adding a second user. The new user is able to add lock screen widgets but the primary user (myself) can't. When I wake my phone, the only widget I have access to is the clock widget and I no longer have the left panel with the + symbol. Deleting the second user and rebooting my Nexus 7 does nothing.

What gives? Any one else experience this?

yeah im gonna go with the consensus here and say there really is no security issue on this one, but for me the change in the lockscreen music player took the most time getting used to