Android unlock patterns vulnerable to shoulder surfing

Android users could be putting their data at risk by using unlock patterns – which can be guessed by as many as 60% of onlookers.

Researchers at the US Naval Academy and the University of Maryland Baltimore County looked into the phenomenon of ‘shoulder surfing’, where crooks watch smartphone users unlock their devices from a short distance, to see the code. Armed with this information, criminals who get hold of the devices can then access the data contained therein without difficulty or even any technical nous.

The study involved showing 1,173 people videos of smartphone users unlocking their devices from a distance of between 1.5 and 1.8 metres. Each video was shown twice and the participants were asked to replicate what they had seen after each showing.

Unlock patterns were found to be the least secure of all the common options – they were correctly reproduced by 60% of participants after a single viewing. This figure rose to 80% after a second showing.

Elsewhere, six-digit PINs were replicated in just 11% of cases after the first viewing, and 27% after the second.

Of course, fingerprint and facial recognition protect against this sort of attack, since there is no code or pattern for an onlooker to observe.

The researchers put the pattern’s ineffectiveness down to the human ability to process and remember shapes more easily than strings of numbers. A drawn shape is also much easier to see from a distance.

Choose longer PINs for greater security

Rather unsurprisingly, the researchers also found that longer passcodes are more effective, for both patterns and PINs. The report said: “PINs are the most secure [against] shoulder surfing attacks, and while both types of pattern input are poor, patterns without lines provide greater security. The length of the input also has an impact; longer authentication is more secure.”

Device owners who are worried about their security can change how their device unlocks under ‘Settings’. This lets users choose not just the unlock method but also how long the PIN or password should be. There is also the ‘erase data’ setting, which makes the device “self-destruct” – wiping all data and restoring factory settings – if an incorrect PIN is entered 10 times.