207 comments

[ 3.6 ms ] story [ 336 ms ] thread
Privacy is important. But why not just avoid keeping weird stuff on your phone? Keep it somewhere else. Or say, "hold on let me log out of my bank app" or something.
Because the 'phone' is just a small subset of my iPhone. I would be curious to see my most used apps, but I imagine the phone app would be about an 11, with skype at 10.
> But why not just avoid keeping weird stuff on your phone? Keep it somewhere else.

My girlfriend texting me about medical issues isn't "weird", but I still don't want my mom to read it if I happen to hand him my phone for a few minutes.

My mom emailing me photos of my childhood self taking a bath isn't weird, but I wouldn't want my friends to see them.

My friend asking me if I'll be showing up to the Atheist Association meetup isn't weird, but I wouldn't necessarily want my boss to see the message.

My friend asking me if I'll be showing up to the Atheist Association meetup isn't weird, but I wouldn't necessarily want my boss to see the message.

Wow. I'm glad I don't live in a country where that would even be an issue. It would never occur to me as something anyone would need to be private in any country(until now).

(Or do you work for a fundamentalist religious organisation?)

That was actually hypothetical - none of my current or past bosses would care. We did have a lot of religious clients at my old job, but they probably wouldn't care, either.

There are, however, places where it would definitely lead to a change in the work environment.

> It would never occur to me as something anyone would need to be private in any country

Even in countries ostensibly ruled by sharia law?

Being from the UK the whole idea of having an atheist organisation seems a little odd. Most people are technically christian but don't go to church and their beleif is fairly skin deep.

Religious apathy is sort of the default and religion doesn't really dictate public policy very much so having an atheist society would be a bit like having a society for heterosexual people.

Are atheists really marginalized enough in the US that it becomes necessary to band together?

not sure why the downvotes here?
I didn't up- or down-vote, but probably because the conversation is rapidly heading off-topic.
"Hold on, let me log out of my Facebook app, my Messenger app, my Twitter app, my WhatsApp app, my Path app, my Yammer app, my LinkedIn app, my Evernote app, ... And disable all my email accounts and iMessage and clear my text messages and web history. Here you go."
>keep it somewhere else

Where? Keep my naked girlfriend pics in a recipe box? Wtf are you even saying?

I'd rather not turn into a dull prude just because apple is too lazy to implement a guest account on their unix OS.

I'm trying to imagine how dull and colorless your life must be. I took the pictures with my phone. The obvious place to keep them is on my phone.

There is an app for that. :) Seriously. But agreed, a guest account for iOS would be awesome.
So the civil answer to my question "why not just avoid keeping weird stuff on your phone?"

is: "I keep naked girlfriend pics on my iPhone. I don't think that's weird, but I don't want someone to see them."

I see your point. I apologize for using the word "weird." I assume that's what the downvotes were for.

Civil answers are overrated. I'm really sick of corporate leaders (e.g. You) telling me I should change my life to suit them. Their job is to accommodate the customer regardless of how weird my hobbies may be.
"corporate leaders (e.g. You)"

I'm honored, and confused, that you would consider me a corporate leader.

Like I said, I see your point. And if you look at my comment, it was in the form of a question, not an imperative.

My bank sends me summary of my account every once in a while. I don't want a random person to see it pop up.
The "two PINs" idea would also be great for when a police officer pulls you over and asks you to hand over and unlock your phone. With the proper encryption you could even have plausible deniability.
Haven't people suggested this with regards to TrueCrypt's hidden volumes, with "rubber-hose cryptography" being the most common answer, and "yeah, well, prove that this is your REAL phone unlock code" being the second most common.
Prove that it isn't, officer.
No cellphones are allowed in top secret military locations in the US, because all can be remotely signalled to start recording audio. We know they'll turn a phone into a bug if they need to, so it's foolish to assume they wouldn't be able to get the real PIN.
Do you have any evidence that indicates that this is the reason?

A much more likely explanation for the policy involves abuse by the user, either intentionally or unintentionally. Cameras and USB sticks are similarly restricted.

Yeah, I'm sure that the Princeton, TX police department has access to CIA-level technology, and will use it to prove that I was texting while driving.
With that, you've just admitted that you're aware of the possibility of setting up multiple profiles with different unlock codes. Be careful what information you leak when you're trying to look innocent!
How so? The officer was the one that suggested the possibility in this scenario.
Yes, but the answer shows that you were aware of it before, which means you have already come in contact with the concept, leading to a higher probability for you to actually use it.
Then again, a tech savvy user that encrypts his drive and claims he/she haven't a slightest idea what the officer is talking about is probably in many cases way more suspicious. At least to an officer that is informed enough to bring that up.
Depends. How closely linked are the concepts of simple encryption and plausible deniability encryption? If you start researching the topic a bit you will stumble upon both, but if, say, a friend installed it?
I don't think that it does. I think the most it can be said to demonstrate is that you are aware of how the burden of proof is supposed to work in the United States.

In other words, it's his job to prove things, not yours.

Yes, but it implies much more than just that; defiance for example. You don't want to egg them on, do you?
Rubber hose cryptography isn't a valid response to plausible deniability, because it applies equally to a volume that's encrypted normally (i.e. the cops just see junk data). At least you have a chance to throw them off with your fake unlock. Anyway, if it comes down to torture, you're screwed no matter what (unless you're trained to withstand torture); plausible deniability is more for "civilized" courts because they can't possibly prove that you're withholding anything. Personally, I think the 5th amendment in the USA should mean you can't be compelled to decrypt your data anyway, but that's not how the courts see it.
I think you mean rubber-hose cryptanalysis.

I am amused by the idea of rubber-hose cryptography though - beating on the data until it encrypts itself!

Actually, an actual example would be cutting out someone's tongue to prevent them from speaking.

(Obviously this only worked for illiterates.)

That wouldn't be cryptography (hidden writing). It would be cryptology (hidden speech, from "logos" rather than "graphos") or alogy (lack of speech).

/pedant

(sorry)

(comment deleted)
This is also why any app that handles sensitive information (including, arguably, the photo and video galleries) on a phone should have at least the _option_ to set an in-app PIN that's required before it opens up.

Lots of folks hand their smartphone to their kids to play games and even if there's nothing sensitive on there, they might have things they don't want deleted like treasured photos and videos.

It's not only about deletion. There's also the issue that you might want to restrict who can see what photos. (I.e. PINs on subsets of your pix)
Hell, I'd be happy if iOS had a way to lock down the Springboard so my kids can't screw up my home screen every time they get their hands on a device. Does anyone else come back to find all their apps dragged into countless random folders?
At work we're required to have a PIN lock on our phones if we have our email or calendar synced to it. Majorly inconvenient to have a system-wide lock, why not just give the option to set a PIN before the email accounts can be opened?
I'm more bewildered to why no tablets seem to have multi-user functionality. In my experience, tablets get shared far more often than phones.
I work for a tablet manufacturer, and I spoke to an Android product manager at I/O last year about this.

According to him, this is a feature that pops up once in awhile, but they have a long list of stuff to do and this is just one of those things that always gets bumped out.

From my perspective as a platform dev, I'd like to get into some of the technical problems with changing this, but I could end up breaking some NDAs or something. I'll just say, when you start mucking around with adding login code, file system changes, and the current dmcrypt encryption, you hit lots of fun design problems.

>you hit lots of fun design problems.

Single user login is a design problem! When I hand my tablet off to someone they have access to my gmail, gtalk, facebook, twitter, imap email, browser sessions and dropbox.

And that's just what I can recall on the fly.

There are two your account and the hidden root account ;)
I think the concerns are the interactions between user accounts. I don't think anyone is too worried about the hidden root account having access to your user account data.
Maybe the encryption doesn't matter? By default in Windows users are hidden from each other stuff but the files aren't encrypted so only the FS permissions are stopping them from reading each others home folders.
> I'm more bewildered to why no tablets seem to have multi-user functionality.

That's the first thing I wondered about when Apple released the ipad: from the start, this looked like a family/eminently shareable device (and within a month you had reports of it being used as a shared family device, picked and left on the living room table for quick sessions of browsing or game), it felt weird that all the tablets were single-user, and the more time passes the weirder it is.

But if the whole family could share it, they might only buy one instead of four.
Speaking as a father of a 3-year-old, a separate profile for him would save me an immeasurable amount of frustration. "Figure out which folder the program I want is in" becomes really tiring after about the 600th time.
Spotlight could save you that frustration already.
Not really. Having to start typing the name of an app that's already somewhere on your homescreen feels incredibly inefficient.
If that were the right solution, why does iOS have homescreen icons at all?
If you're on Android then Famigo Sandbox sort-of solves this.

It only lists a subset of apps (automatically adding child-friendly ones it finds, but then editable) and prevents access to the phone functionality, redirects ad links etc.

My Android phone and I thank you!
My iPad app does something like this: http://switchapp.net/

It's not full user accounts, but a multi-user web browser. You can protect your bookmarks, logins & web history and it also has a guest mode.

much easier to sell every family member their own tablet :-)
Again this might be the simplicity issue, tablets are sold partly on the idea that they are simpler than PCs.

Once you start adding stuff like login systems, seperate file permissions you start becoming a PC with a touchscreen.

"Why Don’t Smartphones Have A Guest Mode?"

Because dealing with multiple profiles and/or different profile types is a fucking huge giant pain the ass and a monumental amount of work! Xbox has local, guest, live silver, and live gold accounts. Dealing with all the different profiles and switching between is a nightmare. Urgh, no thanks.

Wasn't this a solved problem... 40 years ago? At least?
Sure. If you're willing to log out of your smart phone context, and restart any needed tools in the new guest context whenever you hand over your phone.

Oh, I'm sorry, you wanted instantaneous user switching? That's a smidgen harder than the 40-year-old solutions :)

I mean fast user switching on a resource-constrained portable device. There's a bit of a difference in terms of how to do it. (See also my above post listing some of the issues)
Current gen mobile phones are already more powerful than my first Windows XP desktop. I don't think computing resources are a limiting factor here.
And your XP desktop actually worked well with fast user switching? On an XP minspec machine? Or even recommended specs? There was a reason it was Powertoys only.

Not to mention that your XP machine had a HDD as a backing store for virtual memory. You could safely page out an entire session. Not so for phone OS's, AFAIK. (I know iOS doesn't have a backing store. Haven't checked Android, but I seriously doubt it)

Not to mention we've only very recently reached specs that make this doable. The iPhone 3GS (not that old) did have a 600MHz processor and 256MB of RAM. That's pretty close to an XP recommended spec, IIRC.

Given that your XP machine wasn't running on a battery, and wasn't busy in the background doing phone-y things, you can see where resources are getting tight.

Phones are just getting there, spec-wise. I'm sure sooner or later we will see a guest mode. The 'when', IMHO, hinges more on solving the UX issues, since specs always march on.

> Oh, I'm sorry, you wanted instantaneous user switching? That's a smidgen harder than the 40-year-old solutions :)

These OS have been able to run multiple concurrent user sessions for 40 years, and fast user switching has been a feature of all desktop OS since Windows 9x went the way of the dodo.

There are specific issues (core services of these systems are probably — sadly — coded with the idea that a single user is running), but nothing which should be hard to fix.

I thought that iOS and/or Android gave each App its own user account in order to sandbox permissions between apps, so that they can't overwrite each other's files. If all of the user data for an app is owned by that app's uid, then wouldn't this allow someone else running that app to somehow gain access to user data from another 'actual' user?

E.g.

App1 has uid 100 User1 has uid 101 User2 has uid 102

If all userdata for App1 is owned by uid 100, User1 or User2 could potentially used App1 to gain access to the other user's app-specific user data.

(I'll admit that I'm not an iOS or Android programmer, so I may be a bit out of my depth here.)

This is a good example of how HN has gone down the tubes. I've been downvoted to -1 based solely on a post where I raised a possible security concern. I admitted that I wasn't fully versed, but I expected someone to correct my if I was wrong. Instead, I'm downvoted, but no one has bothered to actually post useful information. Am I wrong? Did someone just 'not like the tone' of my post for some strange reason? Who knows? No one is talking.
Ephemeral voting noise is not going down the tubes.
You are right, and I upvoted you.

On Android, uids are used for apps, not for users. Supporting multiple users on Android is thus not as simple as one might think.

The biggest issue is resource limitations - multi-user systems require an abundance of resources that phones don't have.

What about the memory overhead of concurrent sessions?

Who gets to run background processes, and when are they terminated? Because neither CPU nor battery life exist in abundance.

What happens to incoming calls/e-mails/texts/notifications? (Especially for the guest account, where you don't have a second phone number for that account)

What happens to e.g. alarms set by user1 if user2 is logged in?

Which settings are shared, which aren't? And if your phone storage is encrypted, how do you handle shared settings? What about privacy? Can user1 e.g. record GPS signals even if user2 is logged in? If not, what about "Find my phone" features?

Sure, conceptually it's a solved issue. Practically, there are innumerable details to be figured out.

Nope. While on Windows, Linux, and OS X you can have two remote users logged in and independently using tty windows, they all must share the same GUI window.
Er, what? I regularly use Windows remote desktop and have my own full GUI session, independent of other logged in users. This has been around for many years.
That isn't true for Linux and Windows.

X (the service commonly providing the *nix GUI) was pretty much built with this in mind; Linux has had an implementation of X that has provided this since at least the mid-90s.

Windows has had this on the server since at least Windows Server 2003, and has also introduced it to the "consumer" market in Windows 7.

(I'd be happy to find out whether OS X supports this or not.)

I tried to do this couple years ago for Linux, asked around, and was told this was not possible for Linux. Apparently I was misinformed. I'm happy to be wrong about it. Can you point me to instructions for doing it for Ubuntu?

I have Windows XP, and have had 2000, NT, 98, 95, etc., and none of them could do it.

I'm glad to see that finally this "40 year old technology" is getting onto desktops in the last year or so.

Thank you. I will give it a try.
Do note that there are 2 ways to share a graphical user interface on X.

The first way is by remotely running a program on your own Xserver. The programs' processes occur on the remote connection and are sent down the SSH tunnel and show up on your display. This is the common way in Linux.

The second way is by an older program from the Windows world: VNC. VNC takes a local, running display (example: my gui) and allows someone else to view/control it at the same time I do. In this method, you both fight over the mouse and keyboard inputs.

There are several others as well. There are a couple different ways to make a "multi-head" setup in linux, which is what it sounds like. Multiple monitors/keyboards/mice all attached to the same computer allowing multiple people to run X at once independently.
VNC (at least TightVNC) also lets you set up a display for yourself, if you want.
At least two of the three most prominent smart phone roms are backed by operating systems that have long histories of (more or less successful) profile switching. It might in fact be a difficult problem, but it's one that has serviceable solutions and has for some time.
No, difficult for the users, not the operating systems.

Operating systems have had user switching for years. But I'll bet only a small minority of Mac users even know this is possible, and even fewer have ever used it.

What's the third? Blackberry or wp7?
IOS is really a stripped-down Unix-variant (BSD). You know, Unix, the world's most ubiquitous operating system, that supports multiple user accounts out of the box.
And whose name, in fact, stems from "uni-plexing" -- it was an operating system designed to support two users, so that Dennis and Ken could play Space Travel. A weak pun on "Multics" (multiplexing operating system).

http://cm.bell-labs.com/who/dmr/hist.html

That looks like a completely different issue... Are the local, live silver and live gold account all yours? If they are, that does look like a nightmare...

It's for different people, not for you that an account should be created. I also would like that in all the *pads. I'd like to split the history and logins of each person using my touchpad. It's a mess when 2+ people start using it.

Somewhat related: I've long wondered why ATM cards don't have something similar.

1234 is my regular PIN. 1235 is my help I'm being robbed PIN -- it dispenses the cash, calls the cops, and tags the video.

Probably because the SIM standard has no provision for two local PINs.
Lock doesn't have to be from the SIM side, can be from the OS side.
On ATM cards? Is that a joke?
Will people change banks for it (compared to say, vague promises of better customer service)?

Will people pay a premium for it (compared to say, offering more air miles)?

I'd be willing to bet that for most people it simply isn't worth the investment for them.

Will people remember to use 1235 ONLY in an emergency? And never accidentally use it? And never use it when they feel "threatened" by the scary looking hipster hanging out by the ATM?

I would tend to guess it would cause more problems than it solves.

Exactly! I would just be repeating what you say, but I'll say it anyhow. False positive rate must be considered before putting such a measure in place.
Sounds really cool, but I'm not sure what problem it actually solves. Typical ATM robbery today probably ends with the cash coming out of the machine and the robber running away, hopefully without injuring or killing their victim. Victim calls police, they take a report, get the video from the ATM cam, bank refunds the stolen cash, done.

In the scenario that you're proposing, the only advantage is that police are called about 30 seconds sooner. But my guess is that in the vast majority of cities in the US, that 30 seconds won't be enough to catch the criminals.

Not to mention that if this became widespread (and therefore known) you've now given the victim a crude weapon that the robber may feel warrants more violence to convince the victim that they better not type in their duress code.

"the only advantage is that police are called about 30 seconds sooner"

Unless the thief takes off with the victims phone as well. Additionally there are sadly instances where the theft at the ATM is just the start of other crimes towards the victim.

Unless the thief takes off with the victims phone as well.

I was thinking of the best case scenario. So the robber takes the phone as well, and the person calls it in 15 minutes later when they get to a phone. When the average police response time is about ten minutes, the difference between a call being placed 30 seconds after the robbery and 15 minutes after is pretty much nil.

Additionally there are sadly instances where the theft at the ATM is just the start of other crimes towards the victim.

True. So maybe the advantage here is that the police are alerted to the fact that a crime is taking place. But let's say the victim is kidnapped or something at this point. Are the police going to be able to do anything? They'll show up 5-15 mins after the emergency call and find an empty parking lot. What then?

I guess this might be helpful for situations in which the robber takes the money but then hangs around the ATM to beat or rape the victim. But I doubt this is terribly common. And as soon as it becomes commonplace for people to have duress codes, they'll start taking the victim elsewhere instead of staying near the ATM. Or they'll just kick the shit out of the victim to impress upon them the foolishness of using such a code.

Actually, that's an interesting thought experiment. You're held up at gunpoint (or knifepoint) at an ATM. You have a duress code (that you remember). The criminal knows these are common and threatens you not to use it. Do you?

You do because for the criminal there is no way to know if you used a duress code or not.So if you cant really get into a better position in the eyes of the criminal by not using it,you might as well use it and get cops to know you are in trouble.

Not to mention that cops will potentially have a live video feed of the crime scene as the crime is being committed!

If they're part of a gang with a mole in the police they'll know - and who are you to say they aren't?
Or better yet, what if it's an elaborate CIA plot to convince you that the moon landing was real? Plotted by intelligent elephants, who breathe fire and crap diamonds! They're a part of the deBeers cartel, and when you're asleep, they rearrange your underwear!

How deep do you want to make your conspiracy theory go?

That's always a risk anyway, in the UK we have an anonymous crime reporting phone number. You are never going to know for sure whether someone in their telephony department is somehow logging information from all the calls and handing it over to the mafia etc.
The problem then is people entering the duress code by accident (if it's similar to the pin) or forgetting it (if it's too different).

Also a criminal might see somebody fumbling with the keypad slower than usual and assume they are entering a duress code.

I generally enter my PIN very quickly , because the movements of my fingers on the keypad is stored in muscle memory.

Do you?

Yup!

> But let's say the victim is kidnapped or something at this point. Are the police going to be able to do anything?

They'll know that I was in distress RIGHT NOW, instead of two hours later when I fail to show up for that party I told my fiance I'd meet her at - and even then, she would have to wait 22 hours before filing an official police report.

The possibility of kidnapping elevates this to a whole new level.

Perhaps the fake PIN would only show a preset of money in the account (and still call the cops)? If the robber didn't know the victim, they might buy it.
Not sure the situation in other countries, but in the US you aren't liable for any money lost in an ATM robbery. So this would be helpful to the banks, but not the victim.
Just the knowledge of this would discourage ATM robberies from happening. If you knew that you'd only get x bucks, and that the police would be called as the transaction was happening, you'd be less likely to try this technique.
Well, I think you'd have fewer ATM robberies, but the ones you did have would be more violent, because now the victim is effectively armed with a crude weapon. So the robber is going to be more violent to intimidate the victim into NOT using that duress code.
"Punch in the real code or I'll shoot you."
I think that's the far more sensible option.

Sure, they might get more violent and say 'use the real pin', but honestly, how are they going to know that there isn't only 67.87 in the bank?

Eh, I just have two bank accounts and only keep a few hundred in the one I use for debit card payments/withdrawals. If I need more, my smartphone app is right there.
Ah... this is a good benefit to having multiple accounts. I am always confused by those with only one bank account. My current account never goes above 2K, mostly sitting at around a few hundred. This gives me a perpetual feeling of not having very much money, so I don't spend too much.
If you've got some armed psychopath (or maybe more than 1) holding a weapon to you or threatening you on a dark night your probably not going to be thinking rationally.

All sorts of stuff is going through your head like "should I use the duress PIN?" , "can I remember the duress PIN?" , "will they know if I use it?" , "how could they know?" , "What if they somehow DO know, is it worth the risk?"

Calling the police 30 seconds later may be typical in the US, but not the rest of the world. Latin America is filled with stories of people who took a dishonest taxi and were basically kidnapped and forced to withdraw the maximum every day until their accounts were emptied. Here in Colombia, it's known as the Paseo Millonario. Everybody's different, but I'd be incredibly interested in having a distress PIN, as it could be quite some time until somebody gets worried enough at not having heard from me to alert the authorities.
That would be an excellent idea in countries where people are taken hostage to empty out their bank accounts overnight to get the maximum withdrawal over 2 days.
I remember ATMs were turned off overnight to stop these kind of crimes in big cities of Brazil. Don't know if it's still relevant.
It's a nice idea but wouldn't work in practice. If the "help" PIN is always 1 higher then there would be too many false alarms due to pressing the wrong button. Or if the "help" PIN is totally different then victims will forget under stress.
Also, robbers would know there is such thing as a "help" pin, therefore rendering it useless. It's not a good idea in practice.
It wouldn't render it useless if the behaviour of the machine was identical (other that sending a silent alert) and still dispensed the cash.
I think the double-PIN makes sense in the ATM case (because you don't want to alert the robber to your scheme), but in the phone case I think multiple PINs is far too complex.

Why not just have e.g. "swipe left to unlock to guest mode" or something similar? Then you can still have it be locked, but with the same old PIN; it will be far more attractive to users.

My girlfriend worked at bank that did this. The alert PIN was your PIN backwards. I don't know if they still do this or not.
Out of curiosity, do you know what happened if the pin number was a palindrome? Did they restrict your selection to prevent that?
Yes, they restricted the selection. They also encouraged each number to be unique.
That's a funny requirement. Requiring uniques reduces password strength.
Bank PINs aren't really about password strength though. To prevent brute force, they simply block access after n tries (usually n = 3). They are just a way of preventing access to the card in case of loss or theft. So as long as there are enough combinations to make the chance of a successful brute force after three tries small enough, it doesn't really matter how strong the password is.

For online banking, there are usually added security schemes and the PIN isn't used at all.

For the interested: enforcing no palindromes and unique digits reduces the number of possible PINs by about a factor of 2, bringing it down to 5040 4-digit combinations.

[JS code] http://pastebin.com/3A46BP1C

If the digits are unique then there are no palindromes. Therefore there are 1098*7 = 5040 combinations.
The formatting ate your *'s but I understand. That's definitely the better way to reason the problem. In my defense it was late (after a trip to the bar) and my code is basically stream of consciousness.
(comment deleted)
Dang, no palindrome PINs then, eh?
I would forget the emergency pin. Maybe if they recognized a backward PIN, but I would probably be so flustered while being mugged that I couldn't enter it backward.
You should change your pin to something more difficult. Just saying.
Bank machines have this.

Diebold ATMs could be configured to send a "distress signal" when their safe was opened and the last number of the combination lock was off by 1. The option was off by default, because it required additional hardware hook-up (for the signaling), but it was there.

People have trouble remembering one PIN, memorizing two would be too much for many.
Several of the PIN-activated access control systems I've used have a similar concept, usually called a duress code or such. Your normal PIN would be 1234 but if you are being forced to enter under duress you put in 1235, and a silent alarm is set off.
Seems to me a better idea is that you put in a code, which locks your account for a few hours and displays a "this ATM is broken" message, taking it offline for a few mins.
This is known as a "Duress Code" and it's sometimes found in alarm systems as a code which will disarm the alarm and still call the police.

http://en.wikipedia.org/wiki/Duress_code

cool. someone here is publishing an idea, and there is wikipedia page for it. ironic. :)
I used to intern at a company that manufactured credit cards. If I recall correctly, this actually is in place in South American countries. Due to relatively low fraud rates, credit and debit card security in the US is far behind the rest of the world.

Edit: Somewhat replying to a sibling comment. In countries with less effective police, they originally put withdrawal limits on the cards, but this just caused muggers to hold their victims until the victim's account was drained.

Further Edit: I couldn't find any online sources for this information, so I could be remembering incorrectly.

What about simply having an emergency gun dispenser inside the ATM?
there are at least a few big companies already doing virtualization with android to separate business and personal modes so that corporate email and other apps can be quarantined off with a secure password, leaving personal email and games to run in a separate environment that may not require as much security to unlock.

presumably the same technology could be used to provide "normal" and guest environments.

https://www.youtube.com/watch?v=ydXJjCN2G-A

Better yet, why hasn't anyone created an app that just simulates a guest mode? A launcher with two sets of home screens would be perfect. Or, you just disable your preferred launcher when handing your phone to a friend, revealing the mostly barren stock screens. It's as simple as hiding icons, since the apps might as well not exist if the icons aren't there (access doesn't actually need to be explicitly forbidden, per se).

Maybe I'm missing something important here, but it seems many apps on the Android market are just a few tweaks away from doing this already?

Not all games have a separation of user data. Some games basically only have one save slot, so that starting a new game wipes out the save data.
This caused me to be beat upside the head with a Gameboy repeatedly when I was young when I hit "new game" on my cousin's Pokemon Red.
If you were my cousin who did that to me, you wouldn't exist today, to put it lightly.
This was done to me by cousins and brothers maybe 4-5 times (with very well developed games before each time). I understand the frustration (although what you describe sounds a bit full on) particularly as I'm pretty sure you had to start a new game then save.
As far as I'm concerned the only 'Guest Mode' I need on my phone is the emergency call screen. I'm totally willing to be the 'weirdo' who won't let someone use his phone.
I was thinking of something related to this earlier today. One thing I'd really like from the emergency call screen is to allow me to tag several of my contacts as emergency contacts. That way if my phone is stolen, or I am hurt in an accident, the list of proper people to notify is very apparent.
a phone in guest mode would be totally useless.

case 1: no apps. guest has to install apps. will guest have a itunes/android market account? does he enter his Credit card to buy paid ones he want to use?

case 2: apps with no data from real user. He opens up foursquare/yelp to look for a restaurant... has to create profile

Looking at the mocked-up screenshots in the article, he's proposing that the user customize which apps are available. Note "Configure Guest Access" in Settings.app.
"""case 2: apps with no data from real user. He opens up foursquare/yelp to look for a restaurant... has to create profile"""

And that somehow makes it totally useless?

He can: talk on the phone, check his email on the web browser, surf to anything he likes, use any other app that doesn't require a profile, play a game, ..., ..., ...

Even calling case 1 "totally useless" is retarded. He can still do tons of stuff (call, browse, use as calculator, ...) except run apps.

These guys are kind of working in this: http://www.famigo.com/

Their approach is targeted at kids though, I'd love to see someone tackle the general purpose approach.

Sounds like a great project for someone with a lot of free time. I rememeber hearing that the guy who came up with what is currently the ios notification style was hired by Apple after his jailbroken hack.

The void is wide open for someone to solve this well and be rewarded for it

I have heard many, many times from parents whose kids play with their iPhones, iPads, etc. that they would like to have this mode where only the current app is active, WiFi is disabled, etc. Kids are quick to figure out how to buy extra stuff from within the app.
Interesting idea, but I don't see many use cases.

Are people really handing their phones out that often?

I only hand my phone to someone else when:

* I've asked them to take a photo of me.

* They're riding shotgun in my car and need to call a contact or navigate with info readily available on my phone.

Neither situation is risk for people snooping around.

It happens to me often enough. Maybe it's just if you have friends who are interested in gadgets, but they will usually say things like, "Oh, you got a new phone? Can I see it?", "Oh, you installed a new ROM? Can I see it?", "Oh, I was wondering how this worked on that phone, can I try it on yours?" All of these are generic requests that just involve tapping around a lot to get a feel for the device, and they're all totally valid requests that one wants to fulfill to help his friends experience more stuff.

Also, some people just don't consider their phones private and don't understand why anyone else would. My parents or siblings sometimes want to flip through Gallery to see the newest pictures of my children, friends, or co-workers.

A couple misplaced photos can be quite the liability in a situation like that...

The guest mode is a great idea. But for now, if you have very private stuff on your Android phone, you can lock down on an app-per-app basis. This could be a little inconvenient, though, and either you always keep them password protected, or you have to remember to protect them before you give the phone to someone.
Probably for the same reason a lot of other good features don't get implemented: there are higher more impactful features to be implemented first, a bigger bang for the company's buck.
The reason I don't log on someone else's phone is not because they don't want me to, is because I don't want to! Just the same reason why I usually don't log in on an untrusted computer.

Maybe just for browsing the internet it would be allright, but I won't hand over my passwords. Isn't there any keylogger yet for android/ios? You don't even need to go by the store/marketplace, just local, developper stuff and there you go. Do you want to log on my machine?

I'd benefit from a "Driving Mode" on my phone. If John, Rachel, or Stan calls, auto-text them: "I'm driving, can't talk". Everyone else goes straight to voicemail. If they send me a text within 5 minutes of that call (must be serious), make the font huge so I can read it in .5 seconds on my console. Hide all other texts.

I'd like to be truly responsible and just turn my phone off, but I don't to allow for those few times when there actually is something important.

Siri is already the "Driving Mode" feature on the iPhone.

Hooking it up to the stereo system makes it feel like it is part of the vehicle. Some day, when I am feeling adventurous, I will wire the otherwise useless OnStar button to trigger it to complete the "factory look."

And this is why me and my family get way more use out of a Chromebook rather than our Android tablet.

Please make Android grow multi-user capabilities or give me ChromeOS in a tablet format.

The MIUI rom for Android sort of does this. It has a privacy mode which hides calls and text messages and locks down the homescreen.
i love that almost everything in this thread would be added shortly if we had control of our phones. why isnt there a bigger open hardware phone movement? how about a new GPLv4? GPLed software can only be shipped on GPLed hardware. it can be installed later but the user gets to see an ad explaining what they cannot do with their phone, and possibly alternate carriers that support open hardware.
Hell, I want a guest mode on my computer. Instead I need to just have netbooks available for when company wants to check their email.
What kind of computer do you have that doesn't have a guest mode? Windows, Mac/UNIX and Linux have all been multi-user either from the beginning or for decades.
Yeah, but then I have to have a "guest" log-in. My computers are always on, so people never feel bad about asking to use them, and I feel it's unnecessary and unsmooth to log out.

Since I've already been perfectly demanding|whining about a feature I'd like to have, what I _really_ want is to just click a program that boots up a vm with the same OS, but only the browser ready to go with a fresh lack of cookies, history, etc.

IS THAT REALLY SO MUCH TO ASK? </overdramatic>

How about using Opera kiosk mode - it appears to meet your requested features.

Also FastUserSwitching doesnt require logout IIRC.

Ubuntu already has a "proper" guest mode, only accessible when unlocked by a regular user, wiped clear each time and only providing access to the guest sandbox. It's available from the system menu, so two clicks to activate when logged in already, or a couple of clicks and a password if the machine is locked (and in that case you don't have to go through your regular desktop to get to it).
why would you log out?

In Windows you'd hit Windows-L, which would take you to the login screen, and then they'd click "Guest" (or whatever alternate login you've set up). You'd still be logged in, and when they were done (or were giving it back to you for five minutes) you press Windows-L again and choose your own login to switch back to your still-running programs.

I'd be astounding if Linux didn't have an equivalent.

No kidding. I really need to dig into Windows 7 and find a way to restrict VLC's history. Browsing history is of course also risky. I suppose I could make a guest account, but I really just want a one click solution that authorizes basic web access for ten minutes.

This is primarily a problem on my laptop which lumps to much diverse media together.

apparently we have similar friends.
This is something I've wondered quite a bit also. ChromeOS already has this feature -- it's the idea of the device simply acting as a terminal, with all user data stored in the cloud.

Also, I'm a bit afraid implementing full-featured multiple user sessions (similar to a desktop OS) would lead to a lot more bloat.

Yes, yes from a guy who has to nervously hope that as his Dad looks up something on his phone while having family dinner, he doesn't end up in my SMS or Photos app. It'd ruin the dinner. And some.
I was going to write a tweak for iOS to do something like this, with behavior similar to that of the built in Camera shortcut from the lockscreen.

1. You are using an app

2. You activate 'Guest mode' using a button press, swipe, tap, etc. (configurable)

3. If the user hits the home button, it redirects to the lockscreen instead of the homescreen (much like the Camera application does in lock-mode)

4. Instead of the camera icon on the lockscreen when you double tap, it is the icon of the locked-in application. (You can tap it to resume use of the locked-in application)

5. To disable this guest mode, you simply unlock the device with your passcode.

So, when a friend asks "Hey can I check my email?", you can open Safari, enable this guest mode, and hand the phone to him, no worries.

What do you think?

> So, when a friend asks "Hey can I check my email?", you can open Safari, enable this guest mode, and hand the phone to him, no worries.

can you provide a sandboxed environment? he can't have access to any of my persistent Safari data (autofill/bookmarks/history/cookies/dbs/etc.), and any he creates should be wiped, probably on return to the lockscreen. all other forms of app switching (e.g. open a pdf url, then "open in" iBooks/goodReader/whatever) will need to be blocked as well. will also have to block the app tray, the notification center, pop-up/banner notifications, Siri, and possibly the phone. (could experiment with blocking badges and alerts but not sounds, since that only reveals the fact that an email/text/etc. was received, not any specific information about it.) might conceivably need to block all background app network traffic, tho i'm not sure if that's snoopable from inside safari.

basically os x guest mode

That would be the only issue with something like this. The number of system features is finite and they can be disabled each in their own respect, but partitioning a guest from a user's data in an arbitrary application would prove challenging.
yeah, by the time i got to the end of the list, it was pretty clear how hard it would be to do it right....