'Reverse smudge engineering' foils Android unlock security

Greasy finger traces can potentially reveal the pattern used to unlock Android devices. Typing a PIN is better, a Googler concludes.

Stephen Shankland Former Principal Writer
A few swipes with a greasy finger using Android's pattern-unlock feature left clear traces on this Nexus S phone. Stephen Shankland/CNET

Eat a lot of potato chips? Then consider avoiding one of the ways Google offers to unlock an Android device.

Google's mobile operating system lets people unlock devices by swiping a particular pattern across a three-by-three grid of dots. But Android evangelist Tim Bray raised a concern about "reverse smudge engineering" to figure out the unlock pattern.

Android phones such as this Galaxy Nexus let people swipe their own pattern across a grid of dots to unlock the phone. screenshot by Stephen Shankland/CNET

"A couple of colleagues had my original Galaxy Tab and needed to use it for something, but I wasn't there. They managed to figure out my pattern by looking at the fingerprints on the glass, and it only took them a few minutes," Bray said in a post yesterday.

I suspect it's probably not a huge problem for those of us who keep phones in a pocket that will swipe the screen. But I can't help but notice that my unpocketable Galaxy Tab 10.1 has a lot of fingerprints on it right now and that sometimes I can tell what game was being played on the family iPad by the smudges.

And it only took about five peanuts and 10 finger swipes to produce the photo above. (No, that's not my real swipe pattern, but yes, that is real dust and scratches.)

The blog post got me thinking about what I think is a worse problem for the pattern-unlock feature: it can be very visible. On my Nexus S phone, the feature is sluggish enough that I have to trace the dots slowly, and the red track my finger leaves is very visible. Performance is better on the Galaxy Nexus, but judging by how fast my son figured out my pattern, it's pretty easy for the human brain to recognize the pattern.

For that reason, I recommend pattern-swipers head over to Android's security settings and uncheck the default "make pattern visible" option.

Bray recommends people stop swiping altogether and concludes that the numeric code option is the best for him: "The PIN has the huge advantage that it uses a nice big fat numeric keypad, and I can type it in really, really fast; I could do it right in front of you five times in a row and you'd have no clue, I bet."

To make it harder for observers to figure out your swipe pattern, you can turn off the default setting that makes the pattern visible as you swipe. screenshot by Stephen Shankland/CNET

Ice Cream Sandwich adds another choice: face unlock. Some have reported being able to bypass this security mechanism with a photo, which certainly poses a security risk. But I can't recommend it for a different reason: it doesn't work well enough for me.

Maybe Ice Cream Sandwich discriminates against people with beards. Or maybe I use my phone in the dark too much where the image quality is low. Whatever the problem, the mechanism fails as often as not for me, and that's too often.

It'd be a lot more convenient, of course, if we didn't have to worry about unlocking phones at all. But the reality is that a modern smartphone can grant access to your personal and work e-mail, your Twitter and Facebook accounts, whatever files you have stored on sites like Google Docs and Dropbox, your contacts list, and your photo and video collection.

Realistically, somebody unscrupulous who gets your phone is most likely to wipe it, then sell it, rather than pry into your affairs. And encryption and remote-wipe software can reduce the perils of stolen phones.

No security is perfect, but at least use some kind of secure unlocking mechanism so your phone isn't wide open.