Your Android unlock pattern sucks as much as your password did


#1

Originally published at: http://boingboing.net/2015/08/20/your-android-unlock-pattern-su.html


#2

But so what? I know it’s heresy, but most of us just don’t need strong passwords. I wonder how many times anybody has actually tried to guess mine? Most likely it’s zero. Or maybe I got an intruder warning one time on AOL, in the late 80s.

My work phone is protected, because HIPAA, but there really aren’t any enemy agents trying to get in. If my PIN was 1234 it would make no difference.


#3

Hmmm interesting.

The Android unlock pattern is enough to deter mischievous friends doing things to your phone, but I wouldn’t trust it to be secure.
The biggest fault IMHO is that if you don’t wipe the screen after unlocking it (say to check for a message) the pattern will be clearly visible on the screen in finger marks.


#4

My unlock pattern is there as a trivial bit of protection against casual snooping. That is, if I left my phone out somewhere (my desk at work, for example), you wouldn’t be able to simply swipe it open to have a look at my thoroughly boring pictures of my kids. If somebody has unlimited physical access to my phone, well, I’m already fucked regardless of my unlock pattern, so who cares if it’s easy or hard to guess?


#5

There was a security-centric Android distro a while ago, sadly seemingly abandoned, that addressed that (for numeric pins, not swipe patterns). Whisper Systems, the folks behind the TextSecure encrypted messaging program, developed it, as far as it got.

The number pad was arranged vertically - a single column, not a grid - and after entering the PIN, you had to swipe from the top of the keypad to the bottom, which would at least mostly erase the fingerprints from typing the PIN in the first place.

It seems like a no-brainer to incorporate in every phone OS, but apparently the design hasn’t taken hold.

(edited to complete the last sentence, thanks @moosemalloy)


#7

That kind of defeatism…

Seriously, Apple specifically is doing a lot a lot a lot of good work on making their iPhones secure. A non-jailbroken iPhone with a strong unlock code / password is surprisingly secure. They’re doing all this work - so we can go “meh, why bother, if someone has my phone they’ll get in anyway?” Nooooo! Don’t make their work be a waste of energy.

Android is much more of a mixed bag (of course), and harder to make any kind of pronouncement about. Every major vendor has their own builds, and lots of it is abandonware the moment that phone stops being manufactured. Which is very frustrating, because I prefer it for other reasons, even though something like 95% of Android devices are probably significantly less secure than an iPhone, and how is anyone supposed to identify the other 5%?


#8

I’ve actually wanted a longer pattern but the Android unlock screen only supports a certain number of nodes. Also I would love to have an unlock screen that can support having to successfully swipe two separate/different patterns. Seems like overkill, I don’t really have anything sensitive on my phone but it’s a functionality I would actually enjoy having. Also something that really kills me is that you can tell the unlock screen not to display your swiping pattern but it’s not on by default. So anyone looking at your phone can figure it out. But even if you hide your pattern from showing there’s no way to hide the INCORRECT pattern from showing. If you were to mess up by accident it’ll display the pattern, which again… wtf. I don’t want to broadcast what pattern I’m attempting to swipe, just tell me I messed up instead.


#9

Does it bother anyone that the gesture diagrams for “N” and “O” in the header image are ambiguous?

</pedantry>


#10

My unlock pattern would be pretty guessable just by looking at the smudges on the screen…


#11

On an old Android phone I had running Cyanogen, there were two nice modifications to the pattern unlock: you could choose how big the grid of dots was, and you could revisit the same dot more than once in your pattern. I really wish those were available in the standard distribution.

Edit: It looks like there’s an Xposed port of the functionality that lets you increase the number of grid points. I may have to try it, since it looks like Xposed has been updated for Lollipop. Doesn’t help users who don’t want to go through rooting and such, though.

Edit2: Well, darn, didn’t work on Lollipop for me. I had hopes for a bit there.


#12

If the number pad positioned numbers in a different random order each time, that would stop people being able to shoulder surf the code as easily. Also remove the effectiveness of looking at screen smudges.


#13

I’ll go one better: I didn’t have any security for years, and only added a simple swipe pattern because every once in a while the screen would unlock and pocket-dial. The major point of security is that I don’t leave it sitting on a surface except in my house. Since all the time is spent in my pocket or in the same room as me, I have much bigger problems if someone is able to lay hands on it.


#14

The disadvantage is that you cannot have the unlock code in your muscle memory, which can get annoying.


#15

Also stop drunk people ringing taxis.


#16

Heh when I was making mine I was thinking on how to fool my smudge marks so it didn’t look obvious.


#17

Stock Android doesn’t show the incorrect pattern when you have the pattern turned off. At least my Nexus 6 doesn’t.


#19

Yeah, it’s a lightweight password.
Just to stop a casual user of your phone.

It’s not a problem.


#20

I have a Galaxy S3, I suppose there might be a reason for the difference then.


#21

Aren’t the most significant snooping and stealing risks from third party vendors with bundled root access to users’ phones?

No unlock pattern needed.


#22

This is exactly how I cracked the code on a few friends’ phones. Just follow the grease marks.