Android lock patterns

News you can use if you have an Android phone (or are trying to break into one):

She found that a large percentage of them—44 percent—started in the top left-most node of the screen. A full 77 percent of them started in one of the four corners. The average number of nodes was about five, meaning there were fewer than 9,000 possible pattern combinations. A significant percentage of patterns had just four nodes, shrinking the pool of available combinations to 1,624. More often than not, patterns moved from left to right and top to bottom, another factor that makes guessing easier.

H/T to Bruce Schneier.

I’m a little surprised that brute forcing would be viable on Android phones. Windows phones will require significant delays after (IIRC) three failed attempts to log in. Then after a few more failures the phone will reset.

Share

7 thoughts on “Android lock patterns

  1. Android has the lockout, too.

    It CAN be disabled in settings, though. I’d assume that a windows phone could also have the lockout changed or turned off.

  2. What does “will reset” mean? Reboot, so you have a delay? Nuke your data? If the latter, that seems like a bad idea, that amounts to a trivial denial of service attack.

    • Factory reset. Yes. Nuke all your data.

      If someone has physical control of your phone, then yes, they can deny you access to your phone even if you were to recover it later. The information is also periodically stored “in the cloud” so you can recover most of it if your phone is lost or destroyed.

      • Only if you trust the cloud, which I emphatically do not. Well, I might if the data were encrypted before it leaves the phone.

        The problem with this sort of denial of service attack is that it dramatically raises the cost of a brief slipup. It might even be one that doesn’t cause any real risks, like a young child playing with the phone you left on the coffee table (or even the cat — depending on how hard it is to cause the unlock screen to appear).

  3. Androids can also be remotely locked / reset / wiped, if you’ve enabled the functionalities through Google.

    There are, of course, a number of apps that will help you with that, but it’s a native feature these days too.

Comments are closed.