Android Pattern Unlock Insecure

When I first saw the pattern unlock feature in Android phones I thought: Cool!

And I used it on my Nexus One.  Until I realized that it is a really stupid idea if I want my phone to be secure.  Don’t do it.

The problem is that the phone screen gets smudged.  And when you unlock your phone you will leave a new smudge trail revealing your pattern.

Here is how to read it: With the phone turned off, hold it up to a bright light, but angle it so that it reflects something dark.  The smudges will be obvious.

Turn the phone on, note where the pattern dots are, turn it off and see what smudges align with the pattern dots.  Turn it on, turn it off, and you will be able to see the pattern.  (At least if the phone wasn’t used much with dragging gestures on top of the pattern area.)

New smudges will write on top of old smudges, they will be “in front”, so to reproduce the pattern in the right order start with the smudges that are “behind”, and trace towards the “front”.

It is tempting to wipe off the screen to clear the smudges of your unlock pattern, but beware: A clean screen is even easier to read than a dirty screen, so if you ever forget to wipe it after entering your pattern, your unlock pattern will be very readable.

This doesn’t mean your pattern lock is completely insecure always.  If you unlock your phone and then use it a lot with plenty of dragging gestures in the pattern area, then turn it off, your unlock pattern will be very hard to read.  But do you ever turn on your phone, maybe just to check the date, and then turn it off?  If so, your lock pattern is not hard to read at all.

So the unlock pattern is cool, but a bad idea.  Instead you should use an unlock code number.

“But wait!” I hear you say.  “Can’t those smudges be read too?”

Yes.  But they are taps, not drags, so the order is hard to read.  And this means a 4-digit PIN is not so good.  If someone can figure out what the 4 digits are, there are not that many combinations to try.  Only 24 (4×3×2×1, or 4 factorial).  Increase your PIN to 5 digits and the number of combinations is 57: not great, but a lot better.

I suggest you make up a truly random PIN of, say, 6 digits (have a spinner from a board game?  Maybe use that), then fill in the other digits in, say, left-to-right, top-to-bottom order.  If the person who finds your phone can see that your PIN uses all ten digits (with no repeats), that narrows it down to 3,628,800.  Because your phone limits how fast PINs can be tried, that is pretty good, and you will have a PIN that is pretty easy to remember.  A PIN with repeated digits is cool, but the smudges might show which digit is repeated, diminishing its value somewhat.
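To put the counting above into general form, here is an added example (mine, not from the original post) that computes how many PINs remain consistent with what a smudged keypad gives away.  It assumes the observer knows the PIN length and the set of tapped digits but not their order.  When the length equals the number of distinct digits the answer is a plain factorial (24 for four digits, 3,628,800 for ten); when the PIN is longer than the set of smudged digits, some digit repeats, and the count is the number of sequences that use every smudged digit at least once.  The second function covers the post's caveat that smudges may reveal *which* digit repeats.

```python
from math import comb, factorial


def surjections(n: int, k: int) -> int:
    """Number of length-n sequences over k symbols that use every symbol
    at least once, computed by inclusion-exclusion: k! * S(n, k)."""
    if k <= 0 or k > n:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** n for j in range(k + 1))


def candidate_pins(observed_digits: str, pin_length: int) -> int:
    """Search space left when smudges reveal which keys were tapped but not
    the order, nor (if the PIN is longer than the set) which digit repeats.
    `observed_digits` is a constructed sample of the smudged keys."""
    k = len(set(observed_digits))
    return surjections(pin_length, k)


def candidate_pins_known_repeat(observed_digits: str, pin_length: int) -> int:
    """Search space when the smudge pattern also shows the single digit that
    repeats (a heavier smudge on one key).  That digit appears
    pin_length - k + 1 times, every other observed digit exactly once."""
    k = len(set(observed_digits))
    repeats = pin_length - k + 1
    if repeats < 1:
        return 0
    return factorial(pin_length) // factorial(repeats)


if __name__ == "__main__":
    # Constructed sample smudge observations; digits are arbitrary.
    for digits, length in [("1234", 4), ("12345", 5), ("12345", 6),
                           ("0123456789", 10)]:
        print(f"{len(set(digits))} smudged keys, {length}-digit PIN: "
              f"{candidate_pins(digits, length):,} orderings, "
              f"{candidate_pins_known_repeat(digits, length):,} if the "
              f"repeated digit is visible")
```

The point of the two functions side by side is the gap between them: a 6-digit PIN built from 5 distinct digits leaves 1,800 candidates if the repeat is hidden but only 360 if the smudges betray it, which is why a PIN that uses every digit exactly once gives the most predictable protection against this kind of observer.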

The only catch is that it takes a moment to enter a long PIN each time you turn on your phone.

If, however, more and more of your life is in your phone, it might be worth it.

-kb, the Kent who tried to figure out how to photograph the smudges of an unlock pattern lock, but it is tricky to get the lighting right.

©2011 Kent Borg
