Lockscreen Bypass

An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.

Biometric Spoofing

If biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism[1][2][3].

iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and once 48 hours have passed since the device was last unlocked [4]. Android has similar mitigations.

Device Unlock Code Guessing or Brute Force

An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including by physically observing ("shoulder surfing") the device owner's use of the lockscreen passcode.

Exploit Other Device Lockscreen Vulnerabilities

Techniques that exploit vulnerabilities on Android [5], iOS [6], or other mobile devices to bypass the device lockscreen have periodically been demonstrated. The device or operating system vendor generally patches such vulnerabilities once it becomes aware of them.

ID: T1461

Tactic Type: Post-Adversary Device Access

Tactic: Initial Access

Platform: Android, iOS

Version: 1.1

Mitigations

| Mitigation | Description |
|---|---|
| Enterprise Policy | Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make "using a longer, more complex passcode far more practical because you don't need to enter it as frequently."[7] |
| Security Updates | |
| Use Recent OS Version | |
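
As an added illustration of the Enterprise Policy mitigation (not part of the original page), the following script audits an iOS configuration profile's passcode payload for the two controls described above: minimum passcode complexity and wipe after too many incorrect entries. The payload type and the keys minLength, allowSimple and maxFailedAttempts are Apple's passcode policy keys; the baseline thresholds and both sample profiles are constructed assumptions.

```python
import plistlib

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
BASELINE_MIN_LENGTH = 6    # assumed organisational baseline, not from the page
BASELINE_MAX_FAILED = 10   # assumed: wipe after at most this many wrong entries
# Constructed sample profiles, trimmed to the keys this check reads.
TEMPLATE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
    %s
  </dict></array>
</dict></plist>"""
WEAK = TEMPLATE % b"<key>minLength</key><integer>4</integer>"
HARDENED = TEMPLATE % (b"<key>minLength</key><integer>6</integer><key>allowSimple</key>"
                       b"<false/><key>maxFailedAttempts</key><integer>10</integer>")

def passcode_policy(profile_bytes):
    """Return the passcode payload dict from a profile, or None if absent."""
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD:
            return payload
    return None

def audit(profile_bytes):
    """List the ways a profile falls short of the assumed baseline."""
    policy = passcode_policy(profile_bytes)
    if policy is None:
        return ["no passcode policy payload"]
    findings = []
    if policy.get("minLength", 0) < BASELINE_MIN_LENGTH:
        findings.append("minLength below baseline")
    if policy.get("allowSimple", True):  # the key defaults to true when omitted
        findings.append("simple (repeating or sequential) passcodes allowed")
    tries = policy.get("maxFailedAttempts")
    if tries is None:
        findings.append("no wipe after repeated wrong passcodes")
    elif tries > BASELINE_MAX_FAILED:
        findings.append("maxFailedAttempts above baseline")
    return findings

def guess_bound(profile_bytes):
    """Chance of guessing a uniformly random all-digit minLength passcode before a wipe."""
    policy = passcode_policy(profile_bytes) or {}
    tries = policy.get("maxFailedAttempts")
    if tries is None:
        return 1.0  # no wipe limit: guessing is not bounded by policy
    return min(1.0, tries / 10 ** policy.get("minLength", 0))
```

The bound treats the passcode as uniformly random, so it is a best case for the defender; user-chosen passcodes are guessed more easily than the figure suggests.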

References