Lock screen

AOSP's default implementation of the Lock screen with affordances to unlock it (keyguard) appears only on the primary display. In Android 9 (and lower), secondary screens supported a single locking window on a single external display. In Android 10, the Lock screen is expanded to all public secondary displays. The Lock screen remains simple and doesn't support unlocking from secondary screens.

Figure 1. Lock screen on secondary display

Device manufacturers can implement their Lock screen for secondary displays, provided the fundamental security requirement is fulfilled. When the device is locked, information should be securely concealed on all displays. There's no built-in policy or control over what content should be shown or hidden when device is locked. Therefore, the only secure way of implementing restricted access is to hide all content behind the Lock screen and locking windows. The only exceptions are apps that have explicitly opted in to be displayed on top of the Lock screen using the R.attr.showWhenLocked or Activity.setShowWhenLocked() methods. Otherwise, there is strong potential to leak information from public and private displays.

While displays can be placed in to different states (ON/OFF), the locked state is global for all displays. As with any device implementation, it should be obvious to a user when a device is locked (or unlocked). For example, pressing a power button typically locks a mobile device. A power button should also lock all internal and external screens.

Because the locking window is owned by SystemUI, it won't be placed on private displays. Owners of the private displays are responsible for hiding the windows and protecting content when a device is locked. The default system implementation only hides activities on private displays by changing visibility.

Implementation

The locking window on secondary displays is implemented as a Presentation window in KeyguardDisplayManager. Android 10 changed KeyguardDisplayManager#mPresentations to an array that holds all locking windows for all secondary screens. KeyguardDisplayManager also has a display-change listener to respond to changes to the available displays and secure all screens. It's important to immediately lock all connected displays at any given time so that attackers can't extract user data even with physical access to the device.

The locking window is displayed on all public secondary displays (see KeyguardDisplayManager#isKeyguardShowable()). Owners of private displays are responsible for securing the content when a device is locked.