The approach the average user takes when composing a pattern for locking and unlocking an Android phone is the same one used to create passwords and PINs: user laziness still has the upper hand.
The computer security incidents that have occurred around the world in recent years have shown that many users choose very simple passwords. As we have already had occasion to note in this news, the most commonly used passwords are often simple character combinations along the lines of "12346", "0000" or "password".
With the debut of Android in 2008, Google introduced "Android Pattern Lock", a grid of nine nodes arranged in a 3×3 configuration, which lets the user choose, instead of a normal password or PIN, a path touching four to nine nodes to lock and unlock the phone.
The underlying purpose is to offer a system that is simple to use but provides potentially high complexity in the creation of paths, or patterns, of varying difficulty, so as to make the phone less vulnerable to intrusion attempts.
However, this system also appears to follow a series of predictable behaviours, and very often users draw on only a small portion of the complexity it is able to offer. Android Pattern Lock is relatively recent and no specific data on it are available, but research conducted by a student at the Norwegian University of Science and Technology suggests that the predictability of patterns might sooner or later expose them to the same types of attacks that passwords are subject to.
In preparing a master's thesis, Loge collected and analysed about 4,000 ALPs (Android lock patterns), finding that a relatively large share, about 44%, start from the upper-left corner of the screen and that 77% start in one of the four corners. On average, five-node patterns are used, which correspond to fewer than 9,000 possible combinations.
A significant percentage of patterns instead consist of just four nodes, reducing the available combinations to just 1,624. Following an alarmingly predictable human scheme, patterns are drawn much more often from left to right and from top to bottom. Even left-handed users, surprisingly, tend to use the same starting points as right-handed ones.
"Human beings are predictable. In creating a pattern lock, we found the same patterns that underlie the creation of PINs and alphanumeric passwords," said Loge at PasswordsCon in Las Vegas, presenting a talk entitled Tell Me Who You Are, and I Will Tell You Your Lock Pattern.
As mentioned earlier, an ALP may contain a minimum of four and a maximum of nine nodes, offering the possibility of composing 389 thousand different combinations. Loge asked the study's subjects to create three ALPs: one to protect a fictitious shopping app, one for a fictitious banking app, and one to unlock the smartphone. Four-node patterns were the most widely used, followed by five-node ones. The analysis also shows that female users are more inclined to choose short, simple patterns.
It is not only the number of nodes involved that determines how an ALP may fall to a brute-force-style attack. The specific sequence of nodes is another important element that adds complexity to the pattern. Assigning the nodes the same numbers as on a normal phone keypad, the combination 1236 has lower complexity than 2136, where the pattern changes direction.
Back in 2014 a group of researchers had devised a scoring system to describe and assess the complexity of a lock pattern: with the minimum and maximum extremes of the scale fixed at 6.6 and 46.8, Loge's study found the average score to be 13.6, while the highest score recorded was 44.4. However, it should be noted that a pattern with a high complexity score can be difficult to remember.
Another interesting aspect that emerges from Loge's analysis is the tendency (in 10% of cases) to compose the lock pattern so that it resembles a letter of the alphabet, often the initial of the user's name or of someone close to them (husband, wife, child, and so on). "It was fun to see that, to remember a pattern, people use the same strategy used to remember a password. You see the same type of behaviour," said Loge.
In light of these aspects, cybercriminals might well gather a large number of ALPs and build a mathematical model to improve their ability to predict and guess a lock pattern. To make a lock pattern secure, the approach is the same as for a PIN or password: develop one of adequate complexity, avoid obvious sequences, use as many nodes as possible and include intersections, a practice that makes it harder for prying eyes to identify a lock pattern.
In this regard, it is also advisable to turn off the on-screen drawing of the pattern, which makes "shoulder surfing", that is, spying on a person's actions from behind them, more difficult.
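The structural elements the article names as adding complexity, direction changes (1236 versus 2136) and intersections, can be counted directly from the node sequence. The Python below is an added example and is not the 2014 scoring system mentioned above nor code from Loge's work; it simply tallies turns, full reversals and proper crossings between non-adjacent strokes, using the article's keypad numbering, and assumes the pattern contains no repeated nodes.

```python
from math import gcd


def coords(node):
    """(row, col) of a keypad-numbered node 1..9."""
    return divmod(node - 1, 3)


def direction(a, b):
    """Reduced direction vector of the stroke a -> b (a != b assumed)."""
    (ra, ca), (rb, cb) = coords(a), coords(b)
    dr, dc = rb - ra, cb - ca
    g = gcd(abs(dr), abs(dc))
    return (dr // g, dc // g)


def segments(pattern):
    return list(zip(pattern, pattern[1:]))


def turns_and_reversals(pattern):
    """(number of direction changes, number of 180-degree reversals)."""
    dirs = [direction(a, b) for a, b in segments(pattern)]
    turns = sum(1 for d1, d2 in zip(dirs, dirs[1:]) if d1 != d2)
    reversals = sum(1 for d1, d2 in zip(dirs, dirs[1:])
                    if d1 == (-d2[0], -d2[1]))
    return turns, reversals


def _orient(p, q, r):
    # Sign of the cross product (q - p) x (r - p).
    return (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])


def _proper_cross(s1, s2):
    # Two segments cross properly when each straddles the other's line.
    (p1, p2), (p3, p4) = s1, s2
    d1, d2 = _orient(p3, p4, p1), _orient(p3, p4, p2)
    d3, d4 = _orient(p1, p2, p3), _orient(p1, p2, p4)
    return d1 * d2 < 0 and d3 * d4 < 0


def intersections(pattern):
    """Number of times the drawn path crosses itself."""
    segs = [(coords(a), coords(b)) for a, b in segments(pattern)]
    count = 0
    for i in range(len(segs)):
        for j in range(i + 2, len(segs)):  # skip strokes sharing an endpoint
            if _proper_cross(segs[i], segs[j]):
                count += 1
    return count


def pattern_features(pattern):
    """Summary of the complexity-related elements the article describes."""
    assert len(set(pattern)) == len(pattern), "nodes must not repeat"
    turns, reversals = turns_and_reversals(pattern)
    return {
        "nodes": len(pattern),
        "turns": turns,
        "reversals": reversals,
        "intersections": intersections(pattern),
    }


if __name__ == "__main__":
    # The article's two examples plus a constructed pattern with a crossing.
    for p in [(1, 2, 3, 6), (2, 1, 3, 6), (1, 6, 7, 2)]:
        print("".join(map(str, p)), pattern_features(p))
```

Both 1236 and 2136 have four nodes, but 2136 doubles back on itself (one reversal and two turns against one turn and no reversal), which is the extra complexity the article attributes to it. The constructed pattern 1672 shows what "include intersections" means in practice: the stroke from 7 to 2 crosses the earlier stroke from 1 to 6, so a single stroke seen over someone's shoulder no longer reveals the order in which the nodes were touched.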