Your Android Phone's Pattern Lock Is Easy to Guess
Android's pattern lock, which lets you unlock your phone by swiping a specific pattern across the screen, may seem more secure than a password, but that's not always the case. While Android's pattern lock has a staggering 389,112 possible patterns — compared to 10,000 possible 4-digit PIN codes — our tendency to go with simple, easy-to-remember patterns can make them easy to guess. The average number of nodes used in a pattern is five, meaning most pattern lock users are only picking their pattern from 7,152 possible combinations. (Dropping down to four nodes brings the number of options down to 1,624, which makes the simple PIN code look positively high tech.)
A study in 2015 suggested that 44 percent of lock patterns start in the upper left (and 77 percent start in one of the corners), and most moved left to right and up to down, just like we'd read a book. The end result? Our pattern lock patterns are pretty predictable.
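The pattern counts quoted above, and the share of patterns that would start in the upper left if people chose uniformly at random, can be reproduced by brute-force enumeration. This is an added example, not code from the article or the study; it assumes the standard Android rules (4 to 9 dots, each dot used once, a stroke cannot pass over an unvisited dot), and all function names are illustrative.

```python
# Dots are numbered row by row on the 3x3 grid:
#   0 1 2
#   3 4 5
#   6 7 8

def _midpoints():
    """Map each (a, b) pair to the dot lying exactly between them, if any."""
    mid = {}
    for a in range(9):
        for b in range(9):
            ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
            if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
                mid[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return mid

MID = _midpoints()

def count_patterns(length, start=None):
    """Count valid patterns of exactly `length` dots (optionally from one start dot)."""
    def extend(last, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if visited & (1 << nxt):
                continue  # each dot may be used only once
            m = MID.get((last, nxt))
            if m is not None and not visited & (1 << m):
                continue  # stroke would pass over an unvisited dot
            total += extend(nxt, visited | (1 << nxt), remaining - 1)
        return total
    starts = range(9) if start is None else [start]
    return sum(extend(s, 1 << s, length - 1) for s in starts)

def keyspace(min_len=4, max_len=9):
    """Pattern count per length, for the lengths Android accepts (assumed 4 to 9)."""
    return {n: count_patterns(n) for n in range(min_len, max_len + 1)}

def uniform_start_share(start):
    """Share of all valid patterns beginning at `start` if users chose uniformly."""
    total = sum(keyspace().values())
    return sum(count_patterns(n, start) for n in range(4, 10)) / total

if __name__ == "__main__":
    ks = keyspace()
    print(ks, "total:", sum(ks.values()), "vs 4-digit PINs:", 10 ** 4)
    print("upper-left start, uniform choice: %.1f%%" % (100 * uniform_start_share(0)))
```

Under uniform choice fewer than one pattern in nine would begin in the upper-left corner, so the 44 percent figure reflects user habit rather than the shape of the keyspace.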
A new attack makes use of that predictability: there's now an algorithm that can guess 95% of pattern locks within five attempts. This bit of code analyzes video of people using pattern lock to unlock their phones, taken from about 8 feet away with a smartphone camera (or over 29 feet away using a high-quality SLR or DSLR camera). Even without being able to see the screen, the algorithm can watch your hand movements and predict your pattern.
You may think a more complicated pattern could throw off anyone trying to guess, but patterns that use more lines between nodes are actually easier for the algorithm to guess because they narrow down the possible patterns. The algorithm cracked 87.5 percent of complex patterns on the very first attempt — compared to only 60 percent of simple patterns.
The risk is that potential thieves may be able to easily snag your pattern lock code before pickpocketing your phone and helping themselves to all of your data. Because the algorithm can work from video taken on a smartphone camera 8 feet away, someone could pick it up discreetly before picking up your phone.
Fortunately, pattern lock's vulnerabilities are easy to overcome: use your fingerprint instead. Android 6.0 Marshmallow added fingerprint authentication support in late 2015, and many Android phones have the hardware to support it. If yours doesn't support fingerprint authentication, however, go for a password or PIN. Just be sure to make it a strong password, because "123456" is easier to guess than your Z-shaped pattern lock.