I've heard that even the FBI has been unable to crack an Android pattern screen lock. With the rise of bring your own device in the enterprise environment, is it time for IT departments to look at pattern screen locks as a viable alternative to traditional passwords on enterprise mobile devices? Also, how complex should a pattern screen lock be to ensure security?
Given the amount of data and personal information most people keep on their mobile phones, setting devices to lock automatically when not in use is vital for mobile security. However, most users choose weak passwords or easily guessable PINs for their unlock codes. Android lock patterns can be a more secure method of locking Android devices.
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at email@example.com.
The Android lock pattern is a display of nine dots arranged in a three by three square. To unlock the device, the user must trace their personal unlock pattern -- a series of connected dots -- with their finger. If the pattern traced (or swiped, in Android terminology) matches the pattern previously set by the device owner, the phone unlocks.
The Android unlock pattern has the following constraints:
- it must use between four and nine dots;
- a dot can only be used once;
- a dot cannot be crossed unless it has already been used; and
- a line between dots can be horizontal, vertical or diagonal.
Swiping a lock pattern, sometimes called a touch-gesture recognition method, is certainly quicker and easier than typing in a password, where the user has to switch keyboards back and forth to access numerals and letters -- assuming the user has bothered to choose an alphanumeric password. Like a password, the security of a lock pattern is directly related to the number of data points it contains. For example, a six-character password is more secure than a four-character one; similarly, a pattern connecting six dots will be harder to crack than one that connects only four dots.
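To put numbers on the "more dots, more security" point, the following script (an added example, not code from the column or from Android itself) encodes the four constraints listed above and enumerates every valid pattern by length, then sets each count beside the number of numeric PINs of the same length. It assumes the nine dots are numbered 0 to 8 row by row, top left to bottom right.

```python
"""Added example: enumerate Android 3x3 unlock patterns under the four rules
above and compare the key space with numeric PINs. Dots are 0..8, row-major."""

def _row(d): return d // 3
def _col(d): return d % 3

def skipped_dot(a, b):
    """Dot the straight line from a to b passes over, or None. A third dot lies
    between only when both coordinates have an integer midpoint (0->2 passes 1,
    0->8 passes 4); adjacent and knight-style moves such as 0->5 pass nothing."""
    if (_row(a) + _row(b)) % 2 or (_col(a) + _col(b)) % 2:
        return None
    return ((_row(a) + _row(b)) // 2) * 3 + (_col(a) + _col(b)) // 2

def is_valid_pattern(seq):
    """Article constraints: 4-9 dots, no dot reused, and a dot may only be
    crossed if it was already used earlier in the pattern."""
    if not 4 <= len(seq) <= 9 or any(d not in range(9) for d in seq):
        return False
    visited = set()
    for i, d in enumerate(seq):
        if d in visited:
            return False
        if i > 0:
            mid = skipped_dot(seq[i - 1], d)
            if mid is not None and mid not in visited:
                return False
        visited.add(d)
    return True

def count_patterns():
    """Depth-first enumeration of every valid pattern, keyed by length."""
    counts = {n: 0 for n in range(4, 10)}
    def dfs(path, visited):
        if len(path) >= 4:
            counts[len(path)] += 1
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = skipped_dot(path[-1], nxt)
            if mid is not None and mid not in visited:
                continue
            dfs(path + [nxt], visited | {nxt})
    for start in range(9):
        dfs([start], {start})
    return counts

if __name__ == "__main__":
    c = count_patterns()
    for n in range(4, 10):
        print(f"{n}-dot patterns: {c[n]:>7}   {n}-digit PINs: {10 ** n:>9}")
    print("all valid patterns:", sum(c.values()))  # 389112
```

The totals show why pattern length matters: a four-dot pattern has fewer combinations than a four-digit PIN, and even all 389,112 valid patterns together fall short of a six-digit PIN, so a pattern's advantage comes from the longer, non-obvious traces the text recommends rather than from raw key space.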
Good Android lock patterns are complex. For example, a simple pattern such as an L-shape has the same weaknesses as an easily guessable password. I recommend creating a lock pattern that is non-linear and also crosses back on itself at least twice to create multiple possible endpoints. This is important because one of swiping's weaknesses is the smudge trail it leaves on the screen. If somebody picks up a phone, they can retrace the user's pattern by following the smudge trail. If the pattern has multiple endpoints, then the start and finish points of the trail will be less obvious.
A user should not rely on lock patterns alone to ensure the security of their Android device. For example, Android devices require a Google email login and password to unlock the phone, so the user's Google password still needs to be strong. Also, any sensitive data stored on the mobile device should be encrypted and a remote wipe option enabled as someone may attempt to take the phone apart and extract data from the physical components inside.
This was first published in August 2012