X

Smudges on your Android touchscreen could give away your password

Another security scare that Android users should be aware of has been exposed in smudges made from swiping a password, which can be photographed and used to break into a device

Asavin Wattanajantra
2 min read

We all know how annoying fingerprints on touchscreens can be, but now researchers believe they can actually leave your mobile phone susceptible to hacking.

University of Pennsylvania researchers tested the Google Nexus One and HTC G1, both of which use a graphical password system to unlock the phone that works by swiping a set pattern on the touchscreen.

Unlocking your phone in this way leaves oily residues on the screen that can remain even if you wipe it. "Latent smudges may be usable to infer recently and frequently touched areas of the screen -- a form of information leakage," warns the article.

Using standard cameras and lights, researchers took pictures of the touchscreens and analysed the images with simple photo-editing software available on most home computers.

The study found that in ideal lighting conditions, researchers could find the pattern password of a phone more than 90 per cent of the time, simply by increasing the contrast of the photo.

People swipe on their smart phones all the time, so you'd think it would be impossible to distinguish which patterns had been used for passwords, and which were the marks of everyday browsing. Apparently not.

The minimum number of positions you have to swipe to unlock Android phones, if you use the feature, is four. Using more positions and swiping in more than one direction would presumably make it harder to crack.

This shouldn't suggest that graphical passwords are any less safe than traditional alphanumeric passwords, either. Going to the effort of stealing a device, photographing the screen and analysing the image at high contrast seems almost as tricky as trying to decipher a four-digit password -- especially as many people tend to use easy-to-crack pins for their mobile phones.

If anything, pins and alphanumeric passwords could be considered less secure than graphical passwords, because people tend to use the same code for all of their devices.

It hasn't been the greatest week for smart phones and Android security. Only yesterday the first SMS malware was found on Google's mobile platform.