Android's Pattern Codes

A lot of Android users have probably used this as an authentication method at some point or another. Here are the basic rules:
- At least 4 and at most 9 connected contact points.
- Each point can be used at most once.
- An intermediate point between two connected points must be included (ex. if you connect the top left and bottom right points, then you need to also include the middle point), unless already used.
“But Francesca,” you tell me. “There are 389,112 possible combinations that can be created using the pattern lock screen. How can that be insecure?”
Firstly, props to you on your combinatorial counting skills (unless you cheated and happened to watch this YouTube video). Secondly, people are busy. We’ve all been there at some point, so it is crucial to consider this when choosing a passcode that is both strong and usable.
This blog post will be divided into three main sections: one that discusses the predictability of swipe patterns, one that discusses a 2010 USENIX paper on smudge attacks, and another that tries to conclude with some of my observations.
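The three rules above are enough to reproduce the 389,112 figure by exhaustive counting. The following is an added example, not code from the original post; it assumes the grid points are numbered 0 to 8 row by row, and it also counts how many valid patterns exist on one fixed set of points, which is the key space that remains once the touched points are known.

```python
# Added example (not from the original post): count valid unlock patterns.
# Assumption: the 3x3 grid points are numbered 0..8, row by row.
from functools import lru_cache
from itertools import combinations


def midpoint(a, b):
    """Return the grid point exactly halfway between a and b, or None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return (ra + rb) // 2 * 3 + (ca + cb) // 2
    return None


@lru_cache(maxsize=None)
def extend(last, used, target):
    """Count ways to finish a pattern that ends at `last`, has visited the
    bitmask `used`, and must visit every point in the bitmask `target`."""
    if used == target:
        return 1
    total = 0
    for nxt in range(9):
        bit = 1 << nxt
        if not target & bit or used & bit:
            continue  # point not part of this pattern, or already used
        mid = midpoint(last, nxt)
        if mid is not None and not used & (1 << mid):
            continue  # rule 3: cannot jump over an unused intermediate point
        total += extend(nxt, used | bit, target)
    return total


def patterns_on_points(points):
    """Valid patterns that use exactly this set of points, in any order."""
    pts = set(points)
    target = sum(1 << p for p in pts)
    return sum(extend(s, 1 << s, target) for s in pts)


def keyspace(min_len=4, max_len=9):
    """Number of valid patterns for each allowed length."""
    return {n: sum(patterns_on_points(c) for c in combinations(range(9), n))
            for n in range(min_len, max_len + 1)}


if __name__ == "__main__":
    sizes = keyspace()
    print(sizes, "total:", sum(sizes.values()))
    print("top row + right-middle point:", patterns_on_points([0, 1, 2, 5]))
```

The intermediate-point rule removes orderings: the four corners alone admit no valid pattern, and the top row plus the right-middle point admits fewer than the 4! orderings an unconstrained 4-symbol code would have.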
Predicting Swipe Patterns
We access our phones several times a day, and it can become quite burdensome to enter a long passcode every time we need to check our e-mail or send a text. Moreover, a passcode is pretty useless if you make it long, but can’t remember it three days later. As a result, many people default to using very simple and memorable swipe patterns. See below: photo taken from Android Authority.
Those are some of the most common patterns people use to lock their phones. The simplicity and predictability of these common patterns are part of the reason why pattern locks are not that secure. As we'll see in the next section though, a more complex pattern may not be the solution!
Smudge Attacks
The seminal paper on smudge attacks was “Smudge Attacks on Smartphone Touch Screens” by Aviv et al. It was also the primary inspiration for this blog post. The paper explores how smudges left by oil residues from fingers can be used to try and recover partial or complete Android swipe patterns. Here is a photo taken during the study:
My first reaction was “gross…I’m putting all those nasty smudges up to my face,” followed by “wow, I can probably log into my friend’s phone knowing this.” (Not that I ever would, of course. This is all totally hypothetical).
In experiment 1, they considered 4 types of phones and password entry:
- Phone A: HTC G1 phone with the pattern entered using “normal” touches
- Phone B: HTC G1 phone with the pattern entered using “light” touches
- Phone C: HTC G1 phone with the pattern entered after the phone has been held in contact with a face, as would happen after a phone call
- Phone D: HTC Nexus 1 phone with pattern entered using “normal” touches
This is especially cause for concern, because Phone C is very representative of how people use phones: you make a phone call, your phone times out while you’re talking, you hang up, and then you enter your passcode again to access another app. (Then again, maybe this isn’t a common scenario, because everybody knows that millennials don’t actually make phone calls with phones anymore. Right? Just kidding, I digress.)
The study also found that taking photos of the screen at a 60 degree angle yielded a perfect or nearly complete retrieval of the pattern 80% of the time. When using their phones, people tend to touch the screen for multiple reasons beyond authentication. Aviv et al. simulated this usage in experiment 2 by considering the creation of smudge dots (i.e., when you press something) and smudge streaks (i.e., when you swipe your finger across the screen), in addition to holding the phone up to the face. Dots tended to have less of an impact than streaks, but in most cases partial retrieval was possible. In 5/16 of the scenarios they tested in experiment 2, perfect retrieval was possible.
The last experiment they ran looked at intentional and inadvertent smudge removal. Sometimes people wipe down their phone screens. Other times, people put their phones in their bag or pocket. In all cases the smudge pattern was perfectly retrievable. Yikes. This despite the fact that information about the smudge, such as directionality, was being lost.
My Take on these Findings
Not only is the password space of alphanumeric passwords much larger than that of the pattern lock, but as long as you aren’t swiping your password in one continuous stroke (something that certain keyboards allow), then it’s a lot harder to figure out the order of the characters even if the dot smudges of the characters are visible. Suppose you have an 8 character password and those unique 8 characters are easily retrieved from observing dot smudges. There are 8! possible permutations. My phone currently wipes all the data on my phone after 10 failed attempts at authentication. Assuming that the 8 characters don’t form a common word, I can conclude that my data is reasonably safe from a smudge attack compared to the pattern passcode. This is imperfect in and of itself, but that’s also what makes authentication an interesting and active area of research!
Thoughts? Criticisms? Ideas? Comment below!