Smartphone Theft: Why Effective Protection Requires Empirical Research
When a smartphone is stolen, the consequences go far beyond the loss of a device. Suddenly, not only highly personal data but also access to bank accounts or credit cards may fall into the hands of criminals. For this reason, Google, Apple, and others are deploying ever stronger security mechanisms intended to prevent the worst outcomes while not overly disrupting the user experience. Both industrial research and academic work play a role in the continuous development of these mechanisms. In a blog post on the latest Android security updates, Jeremiah Cox, Senior Security Engineer at Google, explicitly references relevant academic studies. Among them is a 2021 paper co-authored by CISPA-Faculty Dr. Maximilian Golla—who at the time was conducting research at the Max Planck Institute for Security and Privacy—together with colleagues from Ruhr University Bochum and George Washington University.
In their paper “On the Security of Smartphone Unlock PINs,” the researchers examined how well established protective measures actually perform under realistic conditions. Their results showed that standard measures such as longer PINs or banning common number combinations alone are often insufficient to meaningfully impede attacks. Instead, the researchers found that one factor in particular is effective against guessing attacks, in which attackers systematically try different PIN combinations: allowing fewer failed attempts. “With our research, we show which security mechanisms are not only theoretically sound but also practically strong. We are pleased when insights make their way from research into real-world applications and thus improve security for everyone,” says Golla.
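To make the "fewer failed attempts" finding concrete, here is an added example (not code from the paper, from Google, or from Android) of a failed-attempt policy for a PIN lock screen and a small simulation of how many wrong guesses a guessing attacker can have evaluated within a fixed time window under different policies. The parameters (5 free attempts, a 30-second base lockout, a doubling lockout, a wipe after 10 failures) are constructed for illustration and are not any vendor's actual settings; time is passed in explicitly so the simulation runs instantly and deterministically.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PinThrottle:
    """Failed-attempt policy for a PIN lock screen (constructed example).

    free_attempts: failures allowed before any lockout starts
    base_delay_s : lockout imposed after the first throttled failure
    growth       : multiplier applied to the delay on each further failure
                   (1.0 = constant delay, 2.0 = doubling delay)
    wipe_after   : total failures after which the device wipes itself
                   (None = never wipe)
    """
    free_attempts: int = 5
    base_delay_s: float = 30.0
    growth: float = 2.0
    wipe_after: Optional[int] = None
    failures: int = 0
    locked_until: float = 0.0
    wiped: bool = False

    def attempt(self, now: float, pin_ok: bool) -> str:
        """Process one unlock attempt made at time `now` (seconds)."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"            # the guess is not even evaluated
        if pin_ok:
            self.failures = 0          # a correct PIN resets the counter
            self.locked_until = 0.0
            return "unlocked"
        self.failures += 1
        if self.wipe_after is not None and self.failures >= self.wipe_after:
            self.wiped = True
            return "wiped"
        if self.failures >= self.free_attempts:
            throttled = self.failures - self.free_attempts
            self.locked_until = now + self.base_delay_s * self.growth ** throttled
        return "denied"


def guesses_possible(policy: PinThrottle, budget_s: float,
                     guess_time_s: float = 1.0) -> int:
    """Count how many wrong PINs get evaluated within `budget_s` seconds.

    Models an attacker who enters a new guess as soon as the device
    accepts input again and takes `guess_time_s` per entry.
    """
    t = 0.0
    evaluated = 0
    while t < budget_s and not policy.wiped:
        result = policy.attempt(now=t, pin_ok=False)
        if result == "locked":
            t = policy.locked_until    # wait out the lockout
            continue
        evaluated += 1
        if result == "wiped":
            break
        t = max(t + guess_time_s, policy.locked_until)
    return evaluated


def compare_policies(budget_s: float = 3600.0) -> dict:
    """Guesses an attacker gets in one hour under four constructed policies."""
    policies = {
        "no throttling": PinThrottle(free_attempts=10**9),
        "5 free, then 30 s per failure": PinThrottle(growth=1.0),
        "5 free, then doubling lockout": PinThrottle(),
        "5 free, doubling, wipe at 10": PinThrottle(wipe_after=10),
    }
    return {name: guesses_possible(p, budget_s) for name, p in policies.items()}


if __name__ == "__main__":
    for name, n in compare_policies().items():
        print(f"{name:32s} {n:5d} guesses evaluated in one hour")
```

The comparison is the point: a 4-digit PIN space has only 10,000 values, so an unthrottled device lets an attacker work through a large share of it in an hour, while a policy that caps or exponentially delays failures reduces the attacker to a handful of tries regardless of how long the PIN is or which combinations are blocklisted.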
Expanding Biometrics to Sensitive Areas
The researcher also takes a positive view of the further development of Android’s “Identity Check”—which extends biometric authentication for certain locations to third-party apps and other sensitive actions. Similar conclusions and a clear recommendation to companies were reached in another empirical study from his research group. In the user-centered study “Understanding How Users Prepare for and React to Smartphone Theft” (2025), CISPA researcher Divyanshu Bhardwaj, together with colleagues and supervised by Maximilian Golla and CISPA-Faculty Dr. Katharina Krombholz, investigated how people prepare for smartphone theft and how they respond after an incident.
The interviews revealed that in an emergency, those affected are primarily driven by stress and fear of data misuse and try to quickly regain control. In doing so, they rely mainly on basic protection mechanisms such as screen locking. However, such security measures often fall short because they do not cover attack scenarios like shoulder surfing to observe a PIN. Accordingly, study participants described crowded everyday situations—such as concerts or public transportation—as particularly unsafe and expressed a desire for additional security measures in these contexts. One recommendation from the researchers was therefore the introduction of a temporary high-risk mode that would require biometric authentication for sensitive actions in such situations—not only at the system level, but also for particularly sensitive content such as private photos or third-party apps with sensitive or financial data.
Smartphone Theft from the Perspective of Affected Users and Researchers
Both studies make clear that comprehensive empirical studies are needed: research that does not examine security mechanisms in isolation, but rather in combination with real-world attack scenarios and actual user behavior. Only in this way can we determine which measures truly provide protection in everyday life.
In our podcast CISPA TL;DR, we spoke with Divyanshu Bhardwaj about smartphone theft, ranging from real-world attack scenarios to the challenges of recovery after an incident. The episode can be found here: