A while back there was a story that caught a lot of attention. Apparently the FBI is unable to crack the Android pattern screen lock. A day before I heard about this story, a friend (who has a Galaxy S as well) was mentioning how easy it was to break the pattern lock. Clearly, something is amiss here, and I decided to put my friend to the test in a completely unscientific manner. Regretfully, explosives were not used.
Firstly, to explain pattern lock: You are given a screen with nine dots in a 3 by 3 square. You put your finger on one dot, then slide (swipe) your finger to another dot, then another, until you’re done with the pattern. You can only use each dot once, though you can pass over already used ones. On the right you can see the unlock screen with the first pattern I tried.
So, to the test. I switched pattern lock on, using the pattern on the right. After about three unlocks I handed my friend the phone to see if he could unlock it. He did, after taking about two minutes to study the phone.
That night I changed the pattern lock to something more challenging, using all nine dots, connected by seven swipes. I used the unlock at least ten times before giving it to him the next day.
This time he was far less successful, though he guessed part of the pattern.
His method is to hold the phone at an angle, and study the marks left on the screen, indicating where swipes have been made. From there he reconstructs what he thinks the pattern is, and then has to work out what direction the swipes happen in.
One observation he made about my second pattern is that he couldn’t see any evidence that I’d made a horizontal swipe along the top three dots, and yet that was part of my pattern.
So, I began to wonder what a really secure pattern would be. Now, I’m sure there’s several theses (thesii?) worth of study here, but I do have a few thoughts.
I’m going to suggest that not only would a larger number of swipes help the security, as you’d expect, but retracing swipes or crossing over previous swipes is more likely to confuse the would-be cracker. Also, wiping the screen after every use helps, though if you’re like I am, you’ll forget at least every other time, so I doubt you should rely on this.
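One way to put a number on that idea, as an added example that is not part of the original post: the Python below counts how many valid patterns would leave exactly the same marks as a given pattern. It assumes the dots are numbered 1 to 9 (left to right, top to bottom) and that a smudge is just the set of dot-to-dot segments touched, with no direction or order information; the function names are made up for this sketch.

```python
# Dots are numbered 1..9, left to right, top to bottom (a labelling assumed here).
POS = {d: divmod(d - 1, 3) for d in range(1, 10)}
DOT = {rc: d for d, rc in POS.items()}

def stroke(a, b, used):
    """Segments smeared by swiping a -> b, or None if that swipe is not allowed."""
    if b in used:                       # each dot can be used only once
        return None
    (r1, c1), (r2, c2) = POS[a], POS[b]
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:   # a dot lies midway
        mid = DOT[(r1 + r2) // 2, (c1 + c2) // 2]
        if mid not in used:             # may only pass over an already used dot
            return None
        return {frozenset((a, mid)), frozenset((mid, b))}
    return {frozenset((a, b))}

def smudge(pattern):
    """Undirected set of segments a pattern leaves on the screen (simplified model)."""
    used, trace = {pattern[0]}, set()
    for a, b in zip(pattern, pattern[1:]):
        segs = stroke(a, b, used)
        if segs is None:
            raise ValueError(f"swipe {a}->{b} is not a valid move")
        trace |= segs
        used.add(b)
    return frozenset(trace)

def ambiguity(pattern):
    """How many valid patterns leave exactly the same smudge as this one."""
    target = smudge(pattern)

    def extend(last, used, covered):
        found = 1 if covered == target else 0
        for b in range(1, 10):
            segs = stroke(last, b, used)
            if segs is not None and segs <= target:   # stay on the marks
                found += extend(b, used | {b}, covered | segs)
        return found

    return sum(extend(d, {d}, frozenset()) for d in range(1, 10))

if __name__ == "__main__":
    # Constructed sample patterns, not the ones used in the post.
    for p in ([1, 5, 3, 6], [1, 4, 7, 8, 9], [5, 1, 2, 8]):
        print(p, "shares its smudge with", ambiguity(p) - 1, "other pattern(s)")
```

In this model the L-shaped pattern 1,4,7,8,9 shares its smudge with three other patterns, because each straight run of three dots can also be drawn starting from its middle dot. A higher count means the marks alone say less about the pattern.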
As a postscript to this, I had an idea this morning: Why not have the ability to record two (or more) patterns? One pattern will unlock the phone as it currently does. A second pattern would wipe any information you’d previously marked as ‘sensitive’. A third might give limited access to the phone (perhaps hiding said sensitive information).
It’s only an idea, but when you’re in the shower, what else is there to do but think of ideas? Well, yes, I could wash myself I suppose.