Paper: Android's Graphical Passcodes are Insecure

Most Android phones allow users to protect their phones from unauthorized access by drawing a pattern on their device’s touchscreens. According to a team of researchers from the University of Pennsylvania, however, these graphical passwords are actually extremely easy to crack, as “oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred.”

The team, which presented its findings at the WOOT ’10 USENIX workshop in Washington, DC, found that simply photographing the screen under the right lighting and from the right camera angle lets an unauthorized user infer the owner’s security pattern.

If you think that just cleaning the screen regularly would prevent this, then think again. According to the researchers, “smudges are surprisingly persistent in time.” They found that “it is surprisingly difficult to incidentally obscure or delete smudges through wiping or pocketing the device.” In the team’s experiments, the pattern was partially identifiable 92% of the time and in 68% of cases, it was fully identifiable.

You can find the full paper here.