Android unlock patterns are a boon for shoulder surfing attackers

The “swiping” unlock patterns typical for Android devices are considerably easier for attackers to discern than PIN combinations.

In fact, after only one observation of a user entering the pattern, 64% of shoulder surfing attackers will be able to reproduce it, a group of researchers from the US Naval Academy and the University of Maryland Baltimore County has found.

android unlock patterns

In comparison, only one in ten attackers could make out a six-digit PIN after one viewing.

The research

The researchers tested the security of PIN/pattern mobile authentication schemes by showing videos of users unlocking different phones to 1,173 subjects recruited via Amazon Mechanical Turk. Then, to confirm the validity of the results, they later recruited 91 participants from their institutions.

The unlocking was recorded from different angles and distances. The participants were asked to view a video of an authentication, then to attempt to recreate it.

“Analyzing the results, we find that in all settings, Android’s graphical pattern unlock is the most vulnerable, especially when feedback lines are visible; a single observation successfully attacked the pattern 64.2% of the time with 79.9% for multiple observations of a 6-length pattern. Shorter patterns were even more vulnerable,” the researchers noted.

“Removing feedback lines during the pattern entry improved the security, finding 35.3% successful attacks with a single view and 52.1% success with multiple views for 6-length patterns. PINs, however, proved much more elusive to attack than anticipated. A single observation was sufficient to attack just 10.8% of the 6-digit PINs, degrading to 26.5% after two observations.”

Improve your security

Many mobile device today can also be secured and unlocked via biometrics (fingerprint or face), but that option can fail, and the devices fall back on PINs and patterns.

If you’re an Android users and you still prefer swiping unlock patterns instead of a PIN, you could make them more difficult to distinguish from afar by turning off the feedback lines – the option is usually available under the device’s Settings (Lock screen and security > Secure lock settings).

“These results support what we as a community have believed to be true anecdotally, and further demonstrates that current authentication methods provide stronger security against shoulder surfing than one might expect,” the researchers concluded.

“These results suggest, for users, that 6-digit (or longer) PINs provide the best security from shoulder surfing.”