New study indicates Android’s lock patterns may be strikingly predictable

By Evan Selleck

Published 21 Aug 2015


Security has become a big focus for the mobile industry, and with fingerprint sensors to help keep devices safe, other, older unlocking methods may be taking a back seat. But, according to new data, that might not be a bad thing.

A report recently published by Ars Technica, citing a study conducted by Marte Løge, a 2015 graduate from the Norwegian University of Science and Technology, suggests that the pattern lock Android has offered for years may not be all that secure, because of how predictable it can be. Løge spoke at this year’s PasswordsCon in Las Vegas, where the publication caught up with her to talk about the study’s findings and dig a bit deeper into the results on the pattern lock’s predictability.

Løge cataloged and analyzed over 4,000 pattern locks as part of her master’s thesis, and found that 44 percent of them started in the top-left corner of the pattern lock’s display. Moreover, 77 percent of the patterns in the study began in one of the four corners. Løge also found that the average number of nodes touched within a pattern was about five, which means that there are only around 7,152 combinations to choose from.

More striking is that a significant number of those used only four nodes, which drops the number of possible combinations down to 1,624.

“Humans are predictable,” Løge told Ars last week at the PasswordsCon conference in Las Vegas, where she presented a talk titled “Tell Me Who You Are, and I Will Tell You Your Lock Pattern.” “We’re seeing the same aspects used when creating a pattern locks [as are used in] pin codes and alphanumeric passwords.”


The study looks at the data from several angles, suggesting that a malicious individual could quickly whittle down the possibilities of a pattern lock simply by knowing important information about the owner of the device, or even about those close to the owner. While a pattern lock might seem like a more secure way to lock down a device, the study indicates that, because people are predictable, that’s not inherently the case.

The best possible method of staying safe: keep the pattern lock complex. Choose between 8 and 9 nodes to touch, and use a pattern with swipes that repeat or go over a previous entry. This will make it harder for someone looking at your phone to figure out the pattern.
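The 7,152 and 1,624 figures quoted above, and the advice to use 8 or 9 nodes, both come from counting the valid patterns on the 3×3 grid. The following is an added example, not part of the original article or the study; it assumes the standard Android rules (4 to 9 nodes, no node reused, a stroke may pass over a node only if that node is already in the pattern) and a 0-8 node numbering chosen here for illustration.

```python
# Added example: enumerate valid Android lock patterns on the 3x3 grid.
# Node numbering (an assumption of this example):
#   0 1 2
#   3 4 5
#   6 7 8

def _skipped(a, b):
    """Return the node lying exactly halfway between a and b, or None."""
    (r1, c1), (r2, c2) = divmod(a, 3), divmod(b, 3)
    if a != b and (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2
    return None

def count_from(start, length):
    """Count valid patterns of exactly `length` nodes that begin at `start`."""
    def dfs(node, visited, remaining):
        if remaining == 0:
            return 1
        total = 0
        for nxt in range(9):
            if nxt in visited:
                continue  # a node can be used only once
            mid = _skipped(node, nxt)
            if mid is not None and mid not in visited:
                continue  # stroke would jump over an unused node
            total += dfs(nxt, visited | {nxt}, remaining - 1)
        return total
    return dfs(start, frozenset([start]), length - 1)

def count_patterns(length):
    """Count all valid patterns of exactly `length` nodes."""
    return sum(count_from(s, length) for s in range(9))

if __name__ == "__main__":
    print(f"{'nodes':>5} {'all patterns':>13} {'start top-left':>15}")
    for n in range(4, 10):
        # Second column: search space left once the start node is known.
        print(f"{n:>5} {count_patterns(n):>13,} {count_from(0, n):>15,}")
    print("total:", f"{sum(count_patterns(n) for n in range(4, 10)):,}")
```

The last column shows how much of the space remains if the first node is already known to be the top-left corner, which is the case for 44 percent of the patterns in the study.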

The full analysis can be read below. It’s certainly an interesting look at an aging locking method.

Do you still use the pattern lock?

[via Ars Technica]