Everybody who owns a smartphone or a tablet has to think about the lock method of the device. Android offers an alternative to the usually used PIN code: the lock pattern. I have to admit that swiping fast and rather wildly over the screen is a cool way to unlock a phone. But is it secure?
The short answer is yes. As long as we are speaking of a cleaned screen and the attacker has no information about the lock pattern whatsoever. Unfortunately, the long answer is no, as most people tend to actually use the devices they lock. So they like to have a look at a map while they’re jogging or users may wish to change the song they listen to while they’re eating a sandwich. In these (and similar) cases, the fingertips will add clearly visible traces on the screen both for the unlocking process and for the actual usage. As tipping the screen is more common than swiping over it, you may retrieve the lock pattern by analysing the fingerprints on the screen. This should be easy, as android does not change the position of the unlocking window except for specific rotations on tablets. In the following, I will assume that an attacker was able to find the pattern and, hence, knows the n lines out of the 28 possible ones are part of the lock pattern.
For those of you who do the math: there are more than 28 connections, but they are only allowed under certain circumstances. If you have three buttons in a row, you cannot connect the first one to the last one without having used the middle one in the lock pattern already. We will exploit this “feature” later on.
Normally, you have to specify a lock pattern that
- consists of at least one connection
- can be drawn in a single stroke
- is only valid in one direction
For mathematicians, you select one Eulerian path in a connected graph. As you are not allowed to close your path (using the same node twice is forbidden), our attacker will only need to do two guesses for most cases: one for each direction in the user-specified pattern. Hence, we need something better than simple graphs.
Even if you consider tricks like using a T-shaped pattern, the number of possible combinations is low. What I suggest here, is drawing a “star”. Starting with any of the eight outer buttons, you select the middle button as second one and then decide on an arbitrary order of the outer ones. This way, you slightly exceed the android default security level (four digit PIN) when you use all eight outer buttons. This way an attacker has to select the right out of 8!=40320 possible combinations. If you omit only one of the outer buttons, the number of combinations drops to 7!=5040.
From the security aspect, the lock pattern can be hardened against an attacker having a close look at the surface of the screen. From an usability perspective, I would stick to a PIN code. On a normal day, I unlock my tablet for some 40 times. And we all know from our childhood that drawing stars this way takes much longer than representing the whole sky with only a few dots…