Device Unlock

The unlock screen is hidden to prevent accidental access:

1. Long-press the bottom-left corner of the screen (200dp area) for 600ms
2. Tap 6 times rapidly (anywhere in the bottom-left area) within 3 seconds
3. The unlock screen appears as a fullscreen overlay

1. Hold the technician's NFC unlock card near the device's NFC antenna
2. The app reads the ECDSA-signed payload from the card
3. Validates:
   • Signature (ECDSA P-256 with SHA-256)
   • Expiry timestamp (exp field)
   • Scope must be "unlock"
4. On success: device exits Lock Task mode

Card Payload Structure

The NFC card contains 2 NDEF records:

• Record 0: JSON payload
• Record 1: Base64-encoded ECDSA signature over canonical JSON (sorted keys)

{ "v": 1, "scope": "unlock", "exp": 1735689600, "iss": "...", "tid": "..." }

Generating Unlock Cards

Unlock cards are generated via the technician dashboard:

1. Open "Unlock Card" screen in the technician role
2. Select expiry duration (default: 30 days)
3. Tap "Generate" → hold an NTAG215/216 NFC tag to the phone
4. Backend signs the payload with ECDSA private key
5. App writes signed payload to the NFC tag

1. On the unlock screen, tap "Use PIN instead"
2. Enter the 6-digit PIN
3. PIN is verified against a BCrypt hash stored in EncryptedSharedPreferences

The fallback PIN is set during device provisioning (generated server-side).

Every unlock attempt (success or failure) is logged as a telemetry event to the backend:

This provides a full audit trail of who unlocked which device and when, visible in the fleet monitoring dashboard.

Once unlocked, the device exits Lock Task mode. You can:

• Access Android Settings
• Install/uninstall apps
• Connect via ADB
• Re-provision the device

To re-lock, either:

• Reboot the device (auto-locks via BootReceiver)
• Or navigate back to the kiosk app (it auto-locks on resume)