halfbakery
It was recently reported that a malicious smartphone app could use the phone's front-facing camera to watch, in the reflection in your eyeballs, your fingers typing in passwords. It isn't news, really, but it was reported. Anyway, that one is easy to fix: cover the camera.

A less-known method of stealing a password is to analyze the motion of the phone. Every smartphone has an accelerometer, and many have gyroscopes too nowadays. Typing on the phone's keyboard (whether a physical keyboard or an onscreen one) imparts small motions to the phone, which these sensors can detect. Because the motions are slightly different for each key or screen location, they can be interpreted into keystrokes by machine learning or other methods. Many apps have motion sensor access, and you're not notified when they're using it in the background, so any of them could steal your passwords without your knowledge. So could the baseband, if it has motion sensor access.

One way to thwart this is to disable motion sensor access during password entry (or even turn the sensors off in hardware, to prevent access by the baseband), but a more fun (and conversation-about-security-starting) way is to run the phone's vibration motor randomly during password entry. You might as well do both, actually, if you can. You should also disable or cover the back camera, because it could likewise be used to detect the motion (like the visual microphone, but at a much lower frequency).
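To see why random vibration helps, here is an added simulation (not part of the original post) on constructed data: each key location gets a repeatable motion signature, a naive nearest-template matcher tries to recover the key from a noisy reading, and the recognition rate is compared with and without a randomly driven motor. The signatures, noise levels and the crude "motor as large random acceleration" model are all assumptions chosen for illustration.

```python
import math
import random

AXES = 3          # accelerometer x, y, z
SAMPLES = 8       # samples captured per keypress
KEYS = [str(d) for d in range(10)]   # constructed PIN pad


def make_templates(rng):
    """Constructed per-key motion signatures: each key location produces a
    slightly different but repeatable motion pattern (the premise of the attack)."""
    return {k: [rng.uniform(-1.0, 1.0) for _ in range(AXES * SAMPLES)] for k in KEYS}


def observe(template, rng, jam):
    """One keypress as the sensor sees it: signature plus small sensor noise,
    plus (optionally) motion from a randomly driven vibration motor.
    Assumption: the motor is modeled as large random acceleration on every sample."""
    out = []
    for v in template:
        v += rng.gauss(0.0, 0.05)       # ordinary sensor noise
        if jam:
            v += rng.gauss(0.0, 5.0)    # random vibration swamps the signature
        out.append(v)
    return out


def nearest_key(sample, templates):
    """Simplest possible inference: pick the template closest to the sample."""
    def dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return min(templates, key=lambda k: dist(sample, templates[k]))


def recognition_rate(jam, trials=500, seed=1):
    """Fraction of keypresses correctly recovered; chance level is 1/len(KEYS)."""
    rng = random.Random(seed)
    templates = make_templates(rng)
    hits = 0
    for _ in range(trials):
        true_key = rng.choice(KEYS)
        if nearest_key(observe(templates[true_key], rng, jam), templates) == true_key:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("without vibration:", recognition_rate(jam=False))
    print("with random vibration:", recognition_rate(jam=True))
```

Without the motor the matcher recovers nearly every key; with random vibration it falls toward the 10% chance level, which is the effect the countermeasure relies on.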
Randomize the order of the keys on the pin entry screen. Problem solved.
// Randomize the order // Oh, but then they'll just use the front facing camera to take a picture of the screen using the reflection off of your eyeballs. Vibrations might blur the camera image.
Contact lenses with an antireflective coating might help.