Some Stuff

Android Unlock Pattern Security Analysis

Android phones are more than just phones, they are portable mini computers. They not only serve us to make calls; people also check email, access their social networks and messenger services, browse the Internet, do their banking and many more things on these devices. As a result they contain a lot of private and/or business information that must (or at the very least should) be protected from prying eyes. For this reason the security of the phone's locking mechanism matters more than before.

Phone locking

On Android smartphones there are several options to lock the phone: slide, pattern, PIN and password.

  • The slide (or equivalent) option offers no security; it only prevents accidental actions on the phone, just like the simple key combination on old phones.
  • The pattern unlock screen contains 9 dots in a 3×3 matrix. In order to unlock the phone some of the dots have to be connected in a certain order. This is a new, previously unused method and it protects the phone from unauthorized access.
  • A PIN code is a combination of digits, while a password is an alphanumeric combination; either has to be entered into the phone in order to unlock it. These also protect the phone from unauthorized access.

The math for the PIN/password security methods is well known, but apart from the playingwithmodels blog, whose calculations are incorrect and incomplete, I could not find anything meaningful on pattern security. Since, in my experience, people most often lock the phone with either the slide or the pattern (myself included, until I did this analysis) and rarely with a PIN, I wanted to know how secure my data actually is. I will not consider the password unlock here since it is too impractical for everyday use.

The Android unlock pattern

The Android unlock pattern has 9 dots on the screen organized in a 3×3 matrix. To unlock the phone a so-called pattern has to be drawn on the screen, which means connecting certain dots in a certain order. So how many valid patterns are there? To answer this, let's first look at the rules of pattern drawing:

  • at minimum 4 dots have to be used
  • at maximum 9 dots can be used
  • one dot can be used only once
  • the order in which the dots are connected matters (thus making it a directed graph)
  • dots are connected with a straight line meaning that all points on the path of the line get connected

The last rule introduces some conditional connection paths. Connecting two dots with a straight line is valid only if there is no unused dot in the way. For example: you cannot connect dots 1 and 3 unless dot 2 is already used. So by default drawing a line from 1 to 3 results in the pattern 1→2→3. However, if dot 2 is already used, the transition 1→3 becomes valid, as in 2→1→3, where a previously invalid transition (1→3) becomes valid.

Also, what some people seem to overlook is that dots can be connected along a slight diagonal (especially on Android 4, since the dots became smaller), such as 2→7.

Pattern security analysis compared to PIN

To find out what patterns there are and how many, I have written a small program. It can also be used to generate random patterns for you to use on your device, the same way pwgen is used for password generation on computers.

| Number of dots/digits | Possibilities: pattern | Possibilities: PIN | Success rate for 20 tries: pattern | Success rate for 20 tries: PIN | PIN tries for the same success rate as 20 pattern tries |
|---|---|---|---|---|---|
| 4 | 1624 | 1.00E+004 | 1.231527% | 0.200000% | 123 |
| 5 | 7152 | 1.00E+005 | 0.279642% | 0.020000% | 280 |
| 6 | 26016 | 1.00E+006 | 0.076876% | 0.002000% | 769 |
| 7 | 72912 | 1.00E+007 | 0.027430% | 0.000200% | 2743 |
| 8 | 140704 | 1.00E+008 | 0.014214% | 0.000020% | 14214 |
| 9 | 140704 | 1.00E+009 | 0.014214% | 0.000002% | 142142 |
| Σ | 389112 | 1.11E+009 | 0.005140% | 0.000002% | 57110 |

As you can see from the above table, for a given number of dots there are far fewer combinations than for the same number of digits in a PIN code. However, this is compensated for by limiting the speed and number of tries. The phone allows 5 tries before suspending the lock screen for 30 seconds (for both PIN and pattern). The limit for pattern tries is set to 20, after which it locks the user out completely and asks for the Google account and password. For the PIN I don't see any limit, or at least it is set to a high value (after 60 wrong codes I'm still not locked out).

The table also shows that with patterns at least five dots long the success rate of random brute force is well below 1%. Not taking other factors into account (e.g. smudges on the screen, frequently used patterns and numbers), we can say that a 5-dot pattern is similar in strength to a 4-digit PIN and a 7-dot pattern is similar in strength to a 5-digit PIN. However, a 6-digit PIN is already more secure than all the patterns combined.

However, life is not purely mathematical, so let's consider the factors not accounted for above.

Most (all?) touch screens retain smudges from the fingers after use. Sometimes it is just chaos, but if the unlock pattern is used regularly the pattern's path can be seen when viewed from certain angles. This is also the case for the PIN mode: dots can be seen on the screen at the locations of the digits. This tells the attacker which dots/digits are used.

In the case of the PIN code this helps the attacker only a little, since the length of the PIN is still unknown to him, so there are still a lot of possibilities (remember, one digit can be used multiple times).

In the case of the pattern, however, the situation is quite different. If the dots of the pattern are known, then depending on the number and selection of dots the security can decrease dramatically. The table below also assumes that if the PIN digits are known, each digit was used only once. Note that in real life the attacker cannot be sure about the latter, so the numbers for the PIN are the worst-case scenario!

| Number of dots/digits | Patterns for the worst choice of dots | Patterns for the best choice of dots | PIN codes (assuming each digit was used only once) |
|---|---|---|---|
| 4 | 2 | 24 | 24 |
| 5 | 12 | 96 | 120 |
| 6 | 32 | 512 | 720 |
| 7 | 612 | 3312 | 5040 |
| 8 | 7056 | 20944 | 40320 |
| 9 | 140704 | 140704 | 362880 |

As the above table shows, even the best-case scenarios for the pattern barely match the worst-case scenario of the PIN code. In fact the worst-case scenarios for the pattern unlock are so bad that if an attacker knows the dots, then for 4 and 5 dots he gains access for sure (within the 20 tries) and for 6 dots with 62.5% probability. It also shows that, unlike the PIN, pattern-based security depends not only on the number of dots used but on which dots are selected. Also remember that in the above table we assumed the attacker knows that each digit was used only once. Based purely on smudges this is not the case, so in reality the number of possible PIN codes can be much higher and thus the chance of success much lower.

The diagram above shows the distribution of pattern counts: for each pattern count, how many choices of dots have exactly that many patterns. As you can see, a lot of the dot choices have a rather low pattern count associated with them. This also shows that if the attacker knows the dots in the pattern, he has a much higher chance of success.

Let's not forget that people are better at remembering patterns than PINs, and this applies not only to the user but to the attacker too. If someone watches the final stage of the unlocking, then in the case of a PIN the attacker only sees the number of digits entered, shown as dots, while for the pattern lock he can grasp the whole pattern. Because of the above, the pattern puts much more information into the attacker's hands and thus gives a higher chance of success.

Conclusion

The pattern unlock mechanism is an acceptable compromise between security and user comfort. Still, it is much weaker than the PIN unlock, so if you have important and/or sensitive data on the phone I suggest using the good old PIN method, or a password for the absolutely paranoid.

Those who use the pattern unlock should remember a few rules though:

  • Use longer patterns, preferably at least 6 dots long
  • Don’t use obvious patterns (L shape, etc.)
  • Wipe your screen regularly
  • Turn off pattern path visibility in settings

And finally, try not to leave your phone unattended, which reduces the chance of a successful attack by simply denying access to your device, no matter which lock screen you use.

Pattern generator program and more data

For those who are interested in the source code of the program, it is available on my Github page. It also includes a spreadsheet with more results and statistics. The program can be used to generate all the patterns, to generate a random pattern for your phone, or to guess patterns if the dots and/or edges are known.