For those of you not in the know, Android phones did not come with a password you can set until the latest Froyo 2.2 update, which added support for alphanumeric PINs, probably in order to avoid this very issue (note: most Android phone owners still use the password patterns). Instead, Google decided to create something unique: a pattern that the user draws with their finger to unlock the phone. As good as a password, right? Wrong. Have you ever heard of the “Smudge Attack”?
Penn State researchers managed to identify the passcode patterns on two Android smartphones (the HTC G1 and the HTC Nexus One) 68% of the time, using photographs taken under different lighting conditions and from different camera positions.
In their report the researchers noted that in one experiment “the pattern was partially identifiable in 92% and fully in 68% of the tested lighting and camera setups. Even in our worst performing experiment, under less than ideal pattern entry conditions, the pattern can be partially extracted in 37% of the setups and fully in 14% of them.”
The experiments covered two different scenarios: the passive attacker, who operates from a distance, and the active attacker, who has breached the physical security of the device, that is, has physical access to it. Even under the worst experimental conditions, the researchers were still able to partially extract the pattern in 37% of the setups and fully in 14% of them, using the residual oils left on the touch screens.
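To put a number on what “partially extracted” costs the user, here is a small added example (mine, not from the researchers or this article) that enumerates Android's valid unlock patterns and counts how many remain once a smudge reveals which cells were touched but not the stroke order. The 3x3 grid, the 4-to-9-cell length and the no-skipping rule are Android's; the set of touched cells is a constructed example.

```python
from itertools import permutations

# Android's 3x3 unlock grid: cell index -> (row, col), numbered 0..8 left to right.
CELL_POS = {i: divmod(i, 3) for i in range(9)}
MIN_LEN, MAX_LEN = 4, 9  # Android accepts 4 to 9 distinct cells


def skipped_cell(a, b):
    """Cell lying exactly between a and b, or None if the move skips nothing.
    Moving 0 -> 2 passes over 1; 0 -> 8 passes over 4; knight-like moves skip none."""
    (r1, c1), (r2, c2) = CELL_POS[a], CELL_POS[b]
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None
    return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2


def is_valid_pattern(pattern):
    """True if the cell sequence is a pattern Android would accept:
    4-9 distinct cells, and a move may only pass over an already-visited cell
    (otherwise the UI inserts that cell, so the sequence as drawn differs)."""
    if not MIN_LEN <= len(pattern) <= MAX_LEN or len(set(pattern)) != len(pattern):
        return False
    visited = {pattern[0]}
    for a, b in zip(pattern, pattern[1:]):
        mid = skipped_cell(a, b)
        if mid is not None and mid not in visited:
            return False
        visited.add(b)
    return True


def count_all_patterns():
    """Size of the full pattern space an attacker with no smudge information faces."""
    return sum(1 for n in range(MIN_LEN, MAX_LEN + 1)
               for p in permutations(range(9), n) if is_valid_pattern(p))


def candidates_from_smudge(touched_cells):
    """Patterns still possible after a *partial* extraction: the smudge shows
    which cells were touched but not the order (or stroke direction)."""
    return [p for p in permutations(sorted(touched_cells)) if is_valid_pattern(p)]


if __name__ == "__main__":
    total = count_all_patterns()
    # Constructed example: smudges on the top row plus the centre cell.
    left = candidates_from_smudge({0, 1, 2, 4})
    print(f"all valid patterns: {total}")                   # 389112
    print(f"candidates after partial smudge: {len(left)}")  # 18
```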
The research recommends that “Android’s password pattern should be strengthened”. What this really means is that you should never trust the security of your mobile phone to some crazy pattern, because as you can see it is pretty easy to compromise. Traditional alphanumeric PINs may not be as “cool” as their password pattern brothers, but they are still a formidable foe: compromising one normally requires physical access to the device and a brute force attack, and short of biometrics that is as good as you can get. Biometrics, though, is another story.
So after hearing this news, have you already changed, or are you planning to change, how you unlock your phone? Or do you think this is just a bunch of fluff and are you going to stick with the password patterns because they are just plain “cool”?